[Webkit-unassigned] [Bug 66241] Crash when inserting text with a trailing newline into a textarea via JS
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Aug 25 23:46:26 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66241
--- Comment #9 from Kent Tamura <tkent at chromium.org> 2011-08-25 23:46:25 PST ---
ok, I understand.
> FrameSelection::textWillBeReplaced is triggering layout and renewing the shadow DOM
m_frame->document()->updateLayout() in FrameSelection::textWillBeReplaced()
...
HTMLFormControlElement::recalcStyle()
...
updateFromElementCallback() in HTMLFormControlElement.cpp
RenderTextControlMultiLine::updateFromElement()
setInnerTextValeu(...) resets the content of innerTextElement().
(Note that innerTextElement() itself is not re-created.)
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list