[Webkit-unassigned] [Bug 184884] Crash in WebCore::Node::lastChild while running ReplaceSelectionCommand::doApply
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Apr 23 21:41:39 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184884
Fujii Hironori <Hironori.Fujii at sony.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Hironori.Fujii at sony.com
--- Comment #1 from Fujii Hironori <Hironori.Fujii at sony.com> ---
According to the bt,
> insertedNodes = {m_firstNodeInserted = {static isRefPtr = <optimized out>, m_ptr = 0x7fa803ef2ae0}, m_lastNodeInserted = {static isRefPtr = <optimized out>, m_ptr = 0x0}}
m_firstNodeInserted is not null, but m_lastNodeInserted is null.
This must not happen. Both should be null or non-null.
There is an unresolved bug in InsertedNodes::willRemoveNodePreservingChildren (Bug 182784) which can cause such inconsistency.
I'm not confident it is relevant.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180424/4d49ad4b/attachment.html>
More information about the webkit-unassigned
mailing list