[Webkit-unassigned] [Bug 67763] Crashes in WebCore::InsertNodeBeforeCommand constructor.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 8 13:03:12 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67763
Annie Sullivan <sullivan at chromium.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dglazkov at chromium.org,
| |dominicc at chromium.org,
| |morrita at google.com,
| |rniwa at webkit.org,
| |rolandsteiner at chromium.org,
| |sullivan at chromium.org
--- Comment #1 from Annie Sullivan <sullivan at chromium.org> 2011-09-08 13:03:12 PST ---
I took a quick look at this in the debugger and it's a pretty weird case with a <span> inside a contenteditable <meter> tag, which has shadow DOM.
When InsertParagraphSeparatorCommand::doApply() gets called, startingSelection() and endingSelection() both look like this:
BODY 0x10931ce80
#text 0x10930e380 ">"
SE METER 0x10931d9d0
#shadow-root 0x10931db80
DIV 0x10931da80
DIV 0x10931db00 STYLE=width: 0%;
SPAN 0x10931e670
#text 0x10931e4e0 ">"
SCRIPT 0x10931e700
#text 0x10931e900 "\nvar sel = window.getSelection();\nsel.setPosition(document.getElementById("wrapper"), 1);\ndocument.execCommand("InsertParagraph", false, null);\n"
start: before, offset:0
end: before, offset:0
So the code tries to insert a <br> before the <meter>. This causes the assertion to fail in InsertNodeBeforeCommand::InsertNodeBeforeCommand(). m_refChild is <meter> and m_refChild->parentNode() is <body>. <body> is not editable and it is attached.
Should <meter> be allowed to be contenteditable? If so, should the selection have been set to inside the <span> as the JavaScript says? If not, how should this case be handled?
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list