[Webkit-unassigned] [Bug 67763] Crashes in WebCore::InsertNodeBeforeCommand constructor.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 8 13:07:32 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67763
--- Comment #2 from Ryosuke Niwa <rniwa at webkit.org> 2011-09-08 13:07:31 PST ---
(In reply to comment #1)
> I took a quick look at this in the debugger and it's a pretty weird case with a <span> inside a contenteditable <meter> tag, which has shadow DOM.
HTMLMeterElement::canContainRangeEndPoint returns false, so we shouldn't be inserting a node inside a meter element.
> When InsertParagraphSeparatorCommand::doApply() gets called, startingSelection() and endingSelection() both look like this:
We should bail out in that case because we're outside of the contenteditable area.
> BODY 0x10931ce80
> #text 0x10930e380 ">"
> SE METER 0x10931d9d0
> #shadow-root 0x10931db80
> DIV 0x10931da80
> DIV 0x10931db00 STYLE=width: 0%;
> SPAN 0x10931e670
> #text 0x10931e4e0 ">"
> SCRIPT 0x10931e700
> #text 0x10931e900 "\nvar sel = window.getSelection();\nsel.setPosition(document.getElementById("wrapper"), 1);\ndocument.execCommand("InsertParagraph", false, null);\n"
> start: before, offset:0
> end: before, offset:0
Notice, it's before the meter element (i.e. at (body, 1)). We shouldn't be inserting any node here.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list