[Webkit-unassigned] [Bug 37950] New: REGRESSION: Crash in WebCore::TextIterator::handleTextNode() encountered in Google rich-text products

Wed Apr 21 14:08:30 PDT 2010

https://bugs.webkit.org/show_bug.cgi?id=37950

           Summary: REGRESSION: Crash in
                    WebCore::TextIterator::handleTextNode() encountered in
                    Google rich-text products
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ojan at chromium.org

Crashes in a WebKit nightly and in Chrome dev channel. Does not crash in Safari
4. I'm guessing this is a recent regression since the repro steps are so
simple.

You can see the crash in gmail doing the following steps:
1. Click to compose a new message
2. Type multiple words in a RTL language, e.g. Hebrew: "אחת שתיים שלוש"
4. Select one of the words
5. Click the Link button

A JS snippet that reproduces the crash (thanks Julie!):

var div = document.createElement('div');
div.contentEditable = 'true';
div.innerHTML = "אחת ש<a id='bar'>תיים </a>שלוש";
document.body.appendChild(div);
div.focus();

var sel = window.getSelection();
sel.selectAllChildren(bar);
var range = sel.getRangeAt(0);
range.insertNode(document.createElement('span'));
range.detach();

// This part can be any number of actions, e.g., clicking anywhere on the page
also crashes.
sel.selectAllChildren(bar);

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.