[Webkit-unassigned] [Bug 66241] Crash when inserting text with a trailing newline into a textarea via JS

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 15 17:51:32 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66241


Ryosuke Niwa <rniwa at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1




--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org>  2011-08-15 17:51:32 PST ---
The problem is that FrameSelection::textWillBeReplaced is triggering layout and renewing the shadow DOM when we split the text node at line 141 of InsertLineBreakCommand::doApply in InsertLineBreakCommand.cpp:
    } else if (pos.deprecatedNode()->isTextNode()) {
        // Split a text node
        Text* textNode = static_cast<Text*>(pos.deprecatedNode());
        splitTextNode(textNode, pos.deprecatedEditingOffset());
        insertNodeBefore(nodeToInsert, textNode);
        Position endingPosition = firstPositionInNode(textNode);

stack trace:
#0    0x102ab3a2a in WebCore::CharacterData::setDataAndUpdate at CharacterData.cpp:177
#1    0x102ab3c90 in WebCore::CharacterData::deleteData at CharacterData.cpp:130
#2    0x103739103 in WebCore::SplitTextNodeCommand::insertText1AndTrimText2 at SplitTextNodeCommand.cpp:104
#3    0x103739502 in WebCore::SplitTextNodeCommand::doApply at SplitTextNodeCommand.cpp:66
#4    0x102d82967 in WebCore::EditCommand::apply at EditCommand.cpp:92
#5    0x102add980 in WebCore::CompositeEditCommand::applyCommandToComposite at CompositeEditCommand.cpp:102
#6    0x102adf83d in WebCore::CompositeEditCommand::splitTextNode at CompositeEditCommand.cpp:279
#7    0x102fc899f in WebCore::InsertLineBreakCommand::doApply at InsertLineBreakCommand.cpp:141
#8    0x102d82967 in WebCore::EditCommand::apply at EditCommand.cpp:92

This is quite a serious design flaw.  On one hand, we have to update the selection when CharacterData is modified, but on the other hand, we can't lose the shadow DOM while we're in the middle of modifying DOM nodes in editing.

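The hazard described in comment #3, as an added illustration that is not WebKit code: a miniature model in which a CharacterData mutation notifies the selection, the selection forces a synchronous layout, layout renews the shadow tree, and the editing command that started the mutation is still holding a reference into the tree that was just thrown away. The second path shows one general remedy (not necessarily the fix WebKit adopted): treat "an edit command is running" as a scope during which layout requests are recorded and replayed afterwards. All class and function names here are invented stand-ins for the WebKit ones named in the stack trace.

```cpp
#include <algorithm>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the textarea's inner-editor shadow DOM. Nodes are addressed by
// integer ids so that a reference into a renewed tree can be detected safely
// (a real engine would be left with a dangling pointer instead).
class ShadowTree {
public:
    // RAII marker for "an editing command is in progress"; while one is alive,
    // layout requests are deferred instead of executed (the remedy).
    struct EditScope {
        explicit EditScope(ShadowTree& t) : tree(t) { ++tree.editDepth_; }
        ~EditScope() {
            if (--tree.editDepth_ == 0 && tree.layoutDeferred_) {
                tree.layoutDeferred_ = false;
                tree.layout();
            }
        }
        ShadowTree& tree;
    };

    // Replace the whole tree with a single text node; returns its id.
    int reset(const std::string& text) {
        nodes_.clear();
        nodes_.push_back({++nextId_, text});
        dirty_ = false;
        return nextId_;
    }
    // Insert a new text node before `beforeId`; the tree now needs a rebuild.
    int insertBefore(int beforeId, const std::string& text) {
        auto it = find(beforeId);
        it = nodes_.insert(it, {++nextId_, text});
        dirty_ = true;
        return it->first;
    }
    std::string& data(int id) { return find(id)->second; }
    void markDirty() { dirty_ = true; }
    // Layout renews a dirty tree: every outstanding node id becomes invalid,
    // which is exactly what in-progress editing code cannot tolerate.
    void layout() {
        if (editDepth_ > 0) { layoutDeferred_ = true; return; }
        if (!dirty_) return;
        std::string all;
        for (auto& n : nodes_) all += n.second;
        reset(all);
    }
    std::string serialize() const {
        std::string out;
        for (size_t i = 0; i < nodes_.size(); ++i) out += (i ? "|" : "") + nodes_[i].second;
        return out;
    }

private:
    std::vector<std::pair<int, std::string>>::iterator find(int id) {
        auto it = std::find_if(nodes_.begin(), nodes_.end(),
                               [id](const std::pair<int, std::string>& n) { return n.first == id; });
        if (it == nodes_.end())
            throw std::runtime_error("node id no longer exists: the shadow tree was renewed");
        return it;
    }
    std::vector<std::pair<int, std::string>> nodes_;
    int nextId_ = 0;
    bool dirty_ = false;
    int editDepth_ = 0;
    bool layoutDeferred_ = false;
};

// Stand-in for FrameSelection::textWillBeReplaced: it needs up-to-date layout
// to adjust the selection offsets, so it asks for one synchronously.
class Selection {
public:
    explicit Selection(ShadowTree& t) : tree_(t) {}
    void textWillBeReplaced(int nodeId, size_t offset, size_t count) {
        tree_.layout();
        if (anchorNode == nodeId && anchorOffset > offset)
            anchorOffset -= std::min(count, anchorOffset - offset);
    }
    int anchorNode = 0;
    size_t anchorOffset = 0;
private:
    ShadowTree& tree_;
};

class Editor {
public:
    Editor(ShadowTree& t, Selection& s) : tree_(t), sel_(s) {}
    // CharacterData::deleteData in miniature: notify the selection, then mutate
    // the node. If the notification renewed the tree, `id` is dangling here.
    void deleteData(int id, size_t offset, size_t count) {
        sel_.textWillBeReplaced(id, offset, count);
        tree_.data(id).erase(offset, count);
        tree_.markDirty();
    }
    // SplitTextNodeCommand::insertText1AndTrimText2 in miniature.
    void splitTextNode(int id, size_t offset) {
        std::string text1 = tree_.data(id).substr(0, offset);
        tree_.insertBefore(id, text1);   // tree is now dirty
        deleteData(id, 0, offset);       // trims the original node to text2
    }
private:
    ShadowTree& tree_;
    Selection& sel_;
};

// Hazardous path: layout runs reentrantly from the selection callback.
// Returns false if the command hit a reference into the renewed tree.
bool unguardedSplit(const std::string& text, size_t offset) {
    ShadowTree tree; Selection sel(tree); Editor ed(tree, sel);
    int id = tree.reset(text);
    sel.anchorNode = id; sel.anchorOffset = text.size();
    try { ed.splitTextNode(id, offset); return true; }
    catch (const std::runtime_error&) { return false; }
}

// Remedied path: layout waits until the command has finished. Returns the
// tree as the command left it and as the deferred layout renewed it.
std::pair<std::string, std::string> guardedSplit(const std::string& text, size_t offset) {
    ShadowTree tree; Selection sel(tree); Editor ed(tree, sel);
    int id = tree.reset(text);
    sel.anchorNode = id; sel.anchorOffset = text.size();
    std::string duringEdit;
    {
        ShadowTree::EditScope scope(tree);
        ed.splitTextNode(id, offset);
        duringEdit = tree.serialize();
    }
    return {duringEdit, tree.serialize()};
}
```

In the unguarded path the sequence matches the stack trace: the split inserts the first half (dirtying the tree), deleteData notifies the selection, the selection forces layout, layout renews the tree, and the trim then addresses a node that no longer exists. The guarded path keeps the selection update, only the layout it asks for is postponed until the command's scope closes.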