[Webkit-unassigned] [Bug 22634] Safari crashes when I try to do a drag-and-drop of selected text in Presently or Writely,

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 2 11:21:32 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=22634





------- Comment #2 from sky at google.com  2009-03-02 11:21 PDT -------
Things seem to get confused in ReplaceSelectionCommand::doApply. Specifically
the second time through we end up here:

    if (shouldMergeStart(selectionStartWasStartOfParagraph, fragment.hasInterchangeNewlineAtStart())) {
        ....
        if (startOfParagraph(endOfInsertedContent) == startOfParagraphToMove)
            insertNodeAt(createBreakElement(document()).get(), endOfInsertedContent.deepEquivalent());


The problem is with insertNodeAt. The page has some JavaScript such that, when
insertNodeAt is invoked, the script ends up calling back with the command
"delete" to delete the text we're trying to insert at. Here's the trace showing
the remove being invoked:

        chrome.dll!WebCore::ContainerNode::removeChild(WebCore::Node * oldChild=0x064cc4c8, int & ec=-858993460)  Line 308  C++
        chrome.dll!WebCore::Node::remove(int & ec=-858993460)  Line 521 + 0x17 bytes  C++
        chrome.dll!WebCore::RemoveNodeCommand::doApply()  Line 53  C++
        chrome.dll!WebCore::EditCommand::apply()  Line 92 + 0xf bytes  C++
        chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand> cmd={...})  Line 99  C++
        chrome.dll!WebCore::CompositeEditCommand::removeNode(WTF::PassRefPtr<WebCore::Node> node={...})  Line 199 + 0x28 bytes  C++
        chrome.dll!WebCore::DeleteSelectionCommand::removeNode(WTF::PassRefPtr<WebCore::Node> node={...})  Line 377  C++
        chrome.dll!WebCore::DeleteSelectionCommand::handleGeneralDelete()  Line 472  C++
        chrome.dll!WebCore::DeleteSelectionCommand::doApply()  Line 766  C++
        chrome.dll!WebCore::EditCommand::apply()  Line 92 + 0xf bytes  C++
        chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand> cmd={...})  Line 99  C++
        chrome.dll!WebCore::CompositeEditCommand::deleteSelection(const WebCore::VisibleSelection & selection={...}, bool smartDelete=false, bool mergeBlocksAfterDelete=true, bool replace=false, bool expandForSpecialElements=true)  Line 351 + 0x30 bytes  C++
        chrome.dll!WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity granularity=CharacterGranularity, bool killRing=false)  Line 448  C++
        chrome.dll!WebCore::TypingCommand::doApply()  Line 256  C++
        chrome.dll!WebCore::EditCommand::apply()  Line 92 + 0xf bytes  C++
        chrome.dll!WebCore::TypingCommand::deleteKeyPressed(WebCore::Document * document=0x07f9a378, bool smartDelete=false, WebCore::TextGranularity granularity=CharacterGranularity, bool killRing=false)  Line 97  C++
        chrome.dll!WebCore::executeDelete(WebCore::Frame * frame=0x07f99ce0, WebCore::Event * __formal=0x00000000, WebCore::EditorCommandSource source=CommandFromDOM, WebCore::Event * __formal=0x00000000)  Line 289 + 0x21 bytes  C++
        chrome.dll!WebCore::Editor::Command::execute(const WebCore::String & parameter={...}, WebCore::Event * triggeringEvent=0x00000000)  Line 1450 + 0x24 bytes  C++
>       chrome.dll!WebCore::Document::execCommand(const WebCore::String & commandName={...}, bool userInterface=false, const WebCore::String & value={...})  Line 3386 + 0x25 bytes  C++
        chrome.dll!WebCore::DocumentInternal::execCommandCallback(const v8::Arguments & args={...})  Line 657 + 0x14 bytes  C++
        chrome.dll!v8::internal::Builtin_HandleApiCall(int __argc__=4, v8::internal::Object * * __argv__=0x052fe740)  Line 380 + 0xe bytes  C++
        0598016c()
        chrome.dll!v8::internal::Invoke(bool construct=false, v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x052fe9dc, bool * has_pending_exception=0x052fe96b)  Line 90 + 0x34 bytes  C++
        chrome.dll!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction> func={...}, v8::internal::Handle<v8::internal::Object> receiver={...}, int argc=1, v8::internal::Object * * * args=0x052fe9dc, bool * pending_exception=0x052fe96b)  Line 116 + 0x1f bytes  C++
        chrome.dll!v8::Function::Call(v8::Handle<v8::Object> recv={...}, int argc=1, v8::Handle<v8::Value> * argv=0x052fe9dc)  Line 1939 + 0x1d bytes  C++
        chrome.dll!WebCore::V8Proxy::CallFunction(v8::Handle<v8::Function> function={...}, v8::Handle<v8::Object> receiver={...}, int argc=1, v8::Handle<v8::Value> * args=0x052fe9dc)  Line 1460 + 0x1f bytes  C++
        chrome.dll!WebCore::V8EventListener::CallListenerFunction(v8::Handle<v8::Value> jsevent={...}, WebCore::Event * event=0x07ccea80, bool isWindowEvent=false)  Line 225 + 0x26 bytes  C++
        chrome.dll!WebCore::V8AbstractEventListener::handleEvent(WebCore::Event * event=0x07ccea80, bool isWindowEvent=false)  Line 111 + 0x22 bytes  C++
        chrome.dll!WebCore::Node::handleLocalEvents(WebCore::Event * event=0x07ccea80, bool useCapture=false)  Line 2312 + 0x20 bytes  C++
        chrome.dll!WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...})  Line 2445 + 0x1d bytes  C++
        chrome.dll!WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event> e={...}, int & ec=0)  Line 2366 + 0x12 bytes  C++
        chrome.dll!WebCore::dispatchChildInsertionEvents(WebCore::Node * child=0x063ce8b0, int & ec=0)  Line 890 + 0x74 bytes  C++
        chrome.dll!WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node> newChild={...}, int & ec=0, bool shouldLazyAttach=false)  Line 490 + 0x12 bytes  C++
        chrome.dll!WebCore::AppendNodeCommand::doApply()  Line 49  C++
        chrome.dll!WebCore::EditCommand::apply()  Line 92 + 0xf bytes  C++
        chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand> cmd={...})  Line 99  C++
        chrome.dll!WebCore::CompositeEditCommand::appendNode(WTF::PassRefPtr<WebCore::Node> node={...}, WTF::PassRefPtr<WebCore::Element> parent={...})  Line 182 + 0x34 bytes  C++
        chrome.dll!WebCore::CompositeEditCommand::insertNodeAfter(WTF::PassRefPtr<WebCore::Node> insertChild={...}, WTF::PassRefPtr<WebCore::Node> refChild={...})  Line 147  C++
        chrome.dll!WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node> insertChild={...}, const WebCore::Position & editingPosition={...})  Line 177  C++
        chrome.dll!WebCore::ReplaceSelectionCommand::doApply()  Line 900 + 0x43 bytes  C++
        chrome.dll!WebCore::EditCommand::apply()  Line 92 + 0xf bytes  C++
        chrome.dll!WebCore::applyCommand(WTF::PassRefPtr<WebCore::EditCommand> command={...})  Line 228  C++
        chrome.dll!WebCore::DragController::concludeEditDrag(WebCore::DragData * dragData=0x052ff6b4)  Line 410 + 0x4a bytes  C++
        chrome.dll!WebCore::DragController::performDrag(WebCore::DragData * dragData=0x052ff6b4)  Line 192 + 0x17 bytes  C++
        chrome.dll!WebViewImpl::DragTargetDrop(int client_x=353, int client_y=526, int screen_x=1789, int screen_y=1093)  Line 1522  C++
        chrome.dll!RenderView::OnDragTargetDrop(const gfx::Point & client_pt={...}, const gfx::Point & screen_pt={...})  Line 2631 + 0x41 bytes  C++
        chrome.dll!DispatchToMethod<RenderView,void (__thiscall RenderView::*)(gfx::Point const &,gfx::Point const &),gfx::Point,gfx::Point>(RenderView * obj=0x06365198, void (const gfx::Point &, const gfx::Point &)* method=0x010513f0, const Tuple2<gfx::Point,gfx::Point> & arg={...})  Line 398 + 0x26 bytes  C++
        chrome.dll!IPC::MessageWithTuple<Tuple2<gfx::Point,gfx::Point> >::Dispatch<RenderView,void (__thiscall RenderView::*)(gfx::Point const &,gfx::Point const &)>(const IPC::Message * msg=0x07ccfdb0, RenderView * obj=0x06365198, void (const gfx::Point &, const gfx::Point &)* func=0x010513f0)  Line 1157 + 0x23 bytes  C++
        chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...})  Line 383 + 0x4a bytes  C++
        chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...})  Line 39 + 0x13 bytes  C++
        chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...})  Line 30 + 0x13 bytes  C++
        chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...})  Line 64 + 0x17 bytes  C++
        chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...})  Line 174 + 0x1b bytes  C++
        chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x04d75e18, void (const IPC::Message &)* method=0x010d5930, const Tuple1<IPC::Message> & arg={...})  Line 393 + 0xf bytes  C++
        chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> >::Run()  Line 308 + 0x1e bytes  C++
        chrome.dll!MessageLoop::RunTask(Task * task=0x07ccfd88)  Line 308 + 0xf bytes  C++
        chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...})  Line 319  C++
        chrome.dll!MessageLoop::DoWork()  Line 408 + 0xc bytes  C++
        chrome.dll!base::MessagePumpForUI::DoRunLoop()  Line 208 + 0x1d bytes  C++
        chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate=0x052ffeb4, base::MessagePumpWin::Dispatcher * dispatcher=0x00000000)  Line 52 + 0xf bytes  C++
        chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x052ffeb4)  Line 78 + 0x1c bytes  C++
        chrome.dll!MessageLoop::RunInternal()  Line 197 + 0x2a bytes  C++
        chrome.dll!MessageLoop::RunHandler()  Line 181  C++
        chrome.dll!MessageLoop::Run()  Line 155  C++
        chrome.dll!base::Thread::ThreadMain()  Line 159  C++
        chrome.dll!`anonymous namespace'::ThreadFunc(void * closure=0x04d7582c)  Line 26 + 0xf bytes  C++
        kernel32.dll!7c80b713()
        [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]

Once the node has been deleted everything gets confused.

Perhaps we should bail after insertNodeAt if the parent is null.


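The failure mode in Comment #2 is a re-entrancy problem: a DOM mutation listener fires synchronously inside the editor's own insertNodeAt, runs execCommand("delete"), and detaches the node the editing command is about to use. The following is an added illustration, not WebKit or Chromium code, written as a minimal DOM-like tree in plain JavaScript so the ordering can be run offline. The TreeNode class, insertBreakUnsafe, insertBreakSafe, makeEditable and the hostile listener are all invented for the example; the listener stands in for the page script that deleted the inserted text, and the "safe" variant applies the null-parent bail-out the comment suggests.

```javascript
'use strict';

// Added illustration, not WebKit/Chromium code: a minimal DOM-like tree whose
// insertion event is dispatched synchronously (as DOMNodeInserted was), so
// page script runs *inside* the editor's own insertion step. Names invented.
class TreeNode {
  constructor(name) {
    this.name = name;
    this.parent = null;
    this.children = [];
    this.insertedListeners = [];   // stand-ins for DOMNodeInserted handlers
  }

  addInsertedListener(fn) { this.insertedListeners.push(fn); }

  appendChild(child) {
    if (child.parent) child.parent.removeChild(child);
    this.children.push(child);
    child.parent = this;
    // Dispatch the mutation event synchronously, bubbling toward the root,
    // before appendChild returns. Any listener may mutate the tree again,
    // including removing the node that was just inserted.
    for (let n = this; n !== null; n = n.parent) {
      for (const fn of n.insertedListeners) fn(child);
    }
    return child;
  }

  removeChild(child) {
    const i = this.children.indexOf(child);
    if (i < 0) throw new Error(`${child.name} is not a child of ${this.name}`);
    this.children.splice(i, 1);
    child.parent = null;
    return child;
  }
}

// Models the editing step from the report: insert a <br>, then keep working
// relative to its position. The unsafe variant trusts that the node is still
// attached when appendChild returns.
function insertBreakUnsafe(container) {
  const br = container.appendChild(new TreeNode('br'));
  return br.parent.children.indexOf(br); // br.parent is null if script detached it
}

// Hardened variant: re-check the invariant after the mutation event has run
// and bail out instead of dereferencing a detached node.
function insertBreakSafe(container) {
  const br = container.appendChild(new TreeNode('br'));
  if (br.parent === null) return null;   // script removed br during the event
  return br.parent.children.indexOf(br);
}

// Constructed editable region. With `hostile` set, a listener plays the role
// of the page script that ran execCommand('delete') on whatever was inserted.
function makeEditable(hostile) {
  const root = new TreeNode('div');
  if (hostile) {
    root.addInsertedListener((child) => {
      if (child.parent) child.parent.removeChild(child);
    });
  }
  return root;
}

function runUnsafe(hostile) {
  try {
    return { ok: true, index: insertBreakUnsafe(makeEditable(hostile)) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function runSafe(hostile) {
  return insertBreakSafe(makeEditable(hostile));
}

console.log('unsafe, benign page :', runUnsafe(false));
console.log('unsafe, hostile page:', runUnsafe(true));
console.log('safe,   hostile page:', runSafe(true));
```

In the hostile case the unsafe path throws a TypeError because the node it just inserted has no parent by the time appendChild returns, which is the JavaScript analogue of the editing command continuing to use a position whose node has been removed. The general lesson is that any tree mutation that can dispatch script-visible events must be followed by re-validation of whatever the caller cached before the call.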