[Webkit-unassigned] [Bug 66241] Crash when inserting text with a trailing newline into a textarea via JS
bugzilla-daemon at webkit.org
Sun Aug 28 09:44:55 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66241
Ryosuke Niwa <rniwa at webkit.org> changed:
What     | Removed | Added
---------|---------|---------------------------------------------------------
Keywords |         | HasReduction, HitListCandidate, InChromiumBugs, NeedsRadar
Severity | Normal  | Major
--- Comment #10 from Ryosuke Niwa <rniwa at webkit.org> 2011-08-28 09:44:54 PST ---
Apparently, this is the top renderer crasher in Chromium.
The problem is that the innerTextElement()'s children are re-created via RenderTextControlMultiLine::updateFromElement when the text node is split around line 140 in InsertLineBreakCommand::doApply:
Text* textNode = static_cast<Text*>(pos.deprecatedNode());
splitTextNode(textNode, pos.deprecatedEditingOffset());
insertNodeBefore(nodeToInsert, textNode);
because it triggers layout.
I don't think we should be marking the shadow host dirty when the text nodes in the shadow DOM change, but I'm not an expert in style recalculation and style resolution.
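As an added example (not WebKit's code and not the bug's reduction): a toy C++ model of the hazard comment #10 describes, where a raw pointer to the text node is kept across splitTextNode, the split triggers layout, and layout re-creates the container's children. The insertLineBreak function shows a defensive variant that holds a strong reference and re-checks that the node is still in the tree before inserting next to it; apart from the quoted WebKit names, every identifier is constructed for this illustration.

```cpp
#include <memory>
#include <string>
#include <vector>
struct InnerTextElement;
struct Node { std::string text; InnerTextElement* parent = nullptr; };  // parent null: not in the tree
using NodePtr = std::shared_ptr<Node>;  // stands in for a strong (RefPtr-style) reference
// Toy stand-in for innerTextElement(): a container whose children a layout pass may
// discard and re-create (the updateFromElement behaviour described in comment #10).
struct InnerTextElement {
    std::vector<NodePtr> children;
    bool rebuildsOnLayout = false;
    NodePtr makeChild(const std::string& t) { return std::make_shared<Node>(Node{t, this}); }
    // Returns false when `ref` is not one of our children, i.e. the pointer is stale.
    bool insertBefore(NodePtr n, const Node* ref) {
        for (auto it = children.begin(); it != children.end(); ++it)
            if (it->get() == ref) { n->parent = this; children.insert(it, n); return true; }
        return false;
    }
    void layout() {  // re-creates every child; the old Node objects go stale
        if (!rebuildsOnLayout) return;
        std::vector<NodePtr> fresh;
        for (auto& old : children) { fresh.push_back(makeChild(old->text)); old->parent = nullptr; }
        children.swap(fresh);  // old nodes die here unless someone else still holds a reference
    }
};
// Toy splitTextNode as the comment describes it: the split itself triggers layout.
void splitTextNode(InnerTextElement& c, Node* node, std::string::size_type offset) {
    NodePtr head = c.makeChild(node->text.substr(0, offset));
    node->text.erase(0, offset);
    c.insertBefore(head, node);
    c.layout();
}
// The three quoted doApply lines, hardened: a strong reference keeps the node alive
// across the split, and tree membership is re-checked before it is used as the reference node.
std::string insertLineBreak(InnerTextElement& c, NodePtr textNode, std::string::size_type offset) {
    splitTextNode(c, textNode.get(), offset);
    if (textNode->parent != &c) return "refused: node re-created during layout";
    c.insertBefore(c.makeChild("<br>"), textNode.get());
    return "inserted";
}
// Runs the command on the constructed text "hello world" split at 5 and reports the
// outcome followed by the container's final children.
std::string scenario(bool rebuildsOnLayout) {
    InnerTextElement c; c.rebuildsOnLayout = rebuildsOnLayout;
    NodePtr t = c.makeChild("hello world");
    c.children.push_back(t);
    std::string out = insertLineBreak(c, t, 5) + ":";
    for (auto& n : c.children) out += " [" + n->text + "]";
    return out;
}
```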