[Webkit-unassigned] [Bug 41485] New: Crash in replaceSelectionCommand with RTL text
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jul 1 14:29:18 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=41485
Summary: Crash in replaceSelectionCommand with RTL text
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: HTML Editing
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jparent at google.com
Created an attachment (id=60288)
--> (https://bugs.webkit.org/attachment.cgi?id=60288)
Test case for crash
Repro steps:
1. Text that is followed by a space, in RTL text, in white-space:pre contentEditable/text input/textarea (Example: <div id='foo' style='white-space:pre' contentEditable >text </div>)
1. Select the word (example: "text", not the space after it)
2. Do anything that calls replaceSelection.
Result: Crash.
Crash seems to happens because in DeleteSelectionCommand, deleteInsignificantTextDownstream deletes the whitespace, but then fixupWhitespace still expects the space to be there, and crashes because there is no longer a text node (the text has been deleted, and the whitespace, so there is no longer a text node).
The core bug seems to be in CompositeEditCommand::deleteInsignificantText, where it determines that it should remove the space. I *think* the issue is that it needs to iterate through the text boxes in reverse order for RTL case, but I'm not positive. Testing that out now.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list