[Webkit-unassigned] [Bug 188722] New: fast/forms/textarea-paste-newline.html abandons a document

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 18 12:56:54 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188722

            Bug ID: 188722
           Summary: fast/forms/textarea-paste-newline.html abandons a
                    document
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com
                CC: wenson_hsieh at apple.com

Various textarea tests cause abandoned documents. I looked at fast/forms/textarea-paste-newline.html.

Under this stack:

  * frame #0: 0x000000061788cc74 WebCore`WebCore::Document::removeFocusNavigationNodeOfSubtree(this=0x0000000632f01200, node=0x0000000632f01200, amongChildrenOnly=true) at Document.cpp:4230
    frame #1: 0x000000061788c82a WebCore`WebCore::Document::nodeChildrenWillBeRemoved(this=0x0000000632f01200, container=0x0000000632f01200) at Document.cpp:4164
    frame #2: 0x00000006178252de WebCore`WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(this=0x0000000632f01200, source=API, deferChildrenChanged=No) at ContainerNode.cpp:107
    frame #3: 0x0000000617828d49 WebCore`WebCore::ContainerNode::removeChildren(this=0x0000000632f01200) at ContainerNode.cpp:658
    frame #4: 0x0000000617882aef WebCore`WebCore::Document::implicitOpen(this=0x0000000632f01200) at Document.cpp:2691
    frame #5: 0x0000000617878043 WebCore`WebCore::Document::open(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200) at Document.cpp:2660
    frame #6: 0x0000000617884062 WebCore`WebCore::Document::write(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200, text=0x00007ffee6a2fbb8) at Document.cpp:2984
    frame #7: 0x000000061788432b WebCore`WebCore::Document::write(this=0x0000000632f01200, responsibleDocument=0x0000000632f01200, strings={ size = 1, capacity = 1 }) at Document.cpp:2999
    frame #8: 0x000000061609d242 WebCore`WebCore::jsDocumentPrototypeFunctionWriteBody(state=0x00007ffee6a2fe30, castedThis=0x000000062d063ea0, throwScope=0x00007ffee6a2fdb8) at JSDocument.cpp:4890

removeFocusNavigationNodeOfSubtree() is called with node == |this|, so the document stores a pointer to itself in a RefPtr, and this is never cleared.
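To make the self-reference visible, here is an added stand-alone model of the mechanism (not WebKit's code): a minimal intrusive ref count and RefPtr, a Document whose removeFocusNavigationNodeOfSubtree() stores the subtree root, and a simulation of document.write() releasing the last external owner. The guardSelfReference parameter is an assumed illustrative mitigation, not the actual fix.

```cpp
// Simplified model of an intrusive ref count and smart pointer standing in for
// WebCore's RefCounted/RefPtr; this is not WebKit's code. Counts live documents.
static int g_liveDocuments = 0;
struct Node {
    int refCount = 0;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    virtual ~Node() = default;
};
template <typename T> class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    // Detach before releasing so a destructor triggered by deref() sees a null member.
    void reset(T* p = nullptr) { T* old = m_ptr; m_ptr = p; if (p) p->ref(); if (old) old->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};
struct Document : Node {
    RefPtr<Node> m_focusNavigationStartingNode;
    Document() { ++g_liveDocuments; }
    ~Document() override { --g_liveDocuments; }
    // Models the behaviour in the report: on subtree removal the focus-navigation start
    // node moves to the subtree root; if that root is the document itself, the document
    // takes a strong reference to itself. The guard is an assumed mitigation, not WebKit's fix.
    void removeFocusNavigationNodeOfSubtree(Node& subtreeRoot, bool guardSelfReference) {
        if (guardSelfReference && &subtreeRoot == this)
            return; // the document is already the default starting point
        m_focusNavigationStartingNode.reset(&subtreeRoot);
    }
};
// Simulates document.write() on an open document (implicitOpen -> removeChildren ->
// nodeChildrenWillBeRemoved with node == this), then the last external owner lets go.
// Returns the number of Document objects still alive: 0 = destroyed, 1 = abandoned.
int documentsAliveAfterWriteAndRelease(bool guardSelfReference) {
    g_liveDocuments = 0;
    Document* raw = new Document;
    {
        RefPtr<Document> doc(raw); // the only external strong reference
        doc->removeFocusNavigationNodeOfSubtree(*raw, guardSelfReference);
    } // last external reference dropped here
    int alive = g_liveDocuments;
    if (alive) // break the self-reference so the demo itself does not leak memory
        raw->m_focusNavigationStartingNode.reset();
    return alive;
}
```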
