[Webkit-unassigned] [Bug 67764] Crash in WebCore::CompositeEditCommand::insertNodeAt
bugzilla-daemon at webkit.org
Fri Sep 9 08:31:17 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67764
Annie Sullivan <sullivan at chromium.org> changed:
What       |Removed                              |Added
----------------------------------------------------------------------------
AssignedTo |webkit-unassigned at lists.webkit.org |sullivan at chromium.org
CC         |                                     |rniwa at webkit.org, sullivan at chromium.org
--- Comment #1 from Annie Sullivan <sullivan at chromium.org> 2011-09-09 08:31:17 PST ---
I'm going to look into this today. A quick glance in the debugger shows that mergeParagraphs() gets called with the following selections (S for startParagraph, E for endParagraph, and D for destination):
BODY 0x131d05cb0
SE DIV 0x131d05ff0
D HKERN 0x131d064b0
SPAN 0x131d066a0
DL 0x131d06980
#text 0x131d07230 "000A0"
SCRIPT 0x131d07310
#text 0x131d07550 "\nvar sel = window.getSelection();\nsel.setPosition(div, 2000000000);\ndocument.execCommand("Delete");\n"
afterChildren, offset:0
It seems weird to merge paragraphs that aren't adjacent. What ends up happening is that cleanupAfterDeletion removes the DIV from the document entirely and then the ASSERT fires. The comments indicate that cleanupAfterDeletion is meant to help with list/table problems, so it seems like the codepath is getting called for something it wasn't intended to handle.
I am also going to try to reduce this test case; I think it was generated by a fuzzer, and hopefully we don't need an svg element, a contenteditable=false span, a block tag within a span, and an invalid position to reproduce the problem.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.