[Webkit-unassigned] [Bug 61012] New: REGRESSION (r83322): Many crashes in Mail.app in WebCore::Node::nodeIndex

Tue May 17 18:29:51 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=61012

           Summary: REGRESSION (r83322): Many crashes in Mail.app in
                    WebCore::Node::nodeIndex
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: adele at apple.com

Created an attachment (id=93856)
 --> (https://bugs.webkit.org/attachment.cgi?id=93856&action=review)
testcase

>  1 com.apple.WebCore              0x7fff8918f738 WebCore::Node::nodeIndex() const + 0x4
   2 com.apple.WebCore              0x7fff8951b939 WebCore::positionInParentBeforeNode(WebCore::Node const*) + 0x19
   3 com.apple.WebCore              0x7fff8939fa97 WebCore::ReplaceSelectionCommand::positionAtStartOfInsertedContent() + 0x21
   4 com.apple.WebCore              0x7fff8939946a WebCore::ReplaceSelectionCommand::doApply() + 0x331c
   5 com.apple.WebCore              0x7fff8932695a WebCore::EditCommand::apply() + 0x94

I verified this was caused by the fix for the recent SplitElement crasher - http://trac.webkit.org/changeset/81887

Attaching a reproducible case that can be run in a browser.  The markup includes a Mail-style blockquote, so my guess is we need some kind of special case for those.  

<rdar://problem/9236427>

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.