Bug 37115 - REGRESSION(r56989): Crash in Mail in WebCore::Position::isCandidate when deleting block using block deletion UI
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: PC OS X 10.6
: P2 Normal
Assignee: Mark Rowe (bdash)
URL:
Keywords: Regression
: 37119
Depends on:
Blocks:
 
Reported: 2010-04-05 14:33 PDT by Mark Rowe (bdash)
Modified: 2010-04-05 19:21 PDT



Attachments
Roll out r56989 (3.55 KB, patch)
2010-04-05 18:38 PDT, Mark Rowe (bdash)
adele: review+
Test case (22.50 KB, patch)
2010-04-05 18:38 PDT, Mark Rowe (bdash)
adele: review+

Description Mark Rowe (bdash) 2010-04-05 14:33:08 PDT
When Mail is run against WebKit r56989 or newer, attempting to delete a block-level element via the block deletion UI will crash. This can be reproduced by doing the following:
1) Run Mail against ToT WebKit.
2) Reply to a webkit-changes email message.
3) Place the caret in a diff hunk so that the block deletion UI appears.
4) Click on the delete button.

You’ll see a crash like so:

Thread 0 Crashed:
0   com.apple.WebCore             	0x00000001008f9118 WebCore::Position::isCandidate() const + 16 (PositionIterator.h:49)
1   com.apple.WebCore             	0x0000000100901728 WebCore::Frame::styleForSelectionStart(WebCore::Node*&) const + 196 (Frame.cpp:1305)
2   com.apple.WebCore             	0x0000000100901542 WebCore::Editor::fontForSelection(bool&) const + 52 (Editor.cpp:411)
3   com.apple.WebKit              	0x0000000100461f6a -[WebHTMLView(WebInternal) _updateFontPanel] + 170 (WebHTMLView.mm:5042)
4   com.apple.WebKit              	0x00000001004649aa -[WebHTMLView(WebInternal) _selectionChanged] + 42 (WebHTMLView.mm:5022)
5   com.apple.WebKit              	0x000000010046475e WebEditorClient::respondToChangedSelection() + 28 (WebEditorClient.mm:284)
6   com.apple.WebCore             	0x00000001009014f1 WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&) + 69 (OwnPtr.h:63)
7   com.apple.WebCore             	0x00000001008fe05d WebCore::Frame::respondToChangedSelection(WebCore::VisibleSelection const&, bool) + 1525 (Frame.cpp:1745)
8   com.apple.WebCore             	0x0000000100f58c23 WebCore::SelectionController::setSelection(WebCore::VisibleSelection const&, bool, bool, bool, WebCore::TextGranularity) + 395 (SelectionController.cpp:162)
Comment 1 Mark Rowe (bdash) 2010-04-05 14:34:10 PDT
r56989 was a change related to bug 36741.
Comment 2 Mark Rowe (bdash) 2010-04-05 16:21:43 PDT
*** Bug 37119 has been marked as a duplicate of this bug. ***
Comment 3 Mark Rowe (bdash) 2010-04-05 18:38:25 PDT
Created attachment 52596
Roll out r56989
Comment 4 Mark Rowe (bdash) 2010-04-05 18:38:50 PDT
Created attachment 52597
Test case
Comment 5 Mark Rowe (bdash) 2010-04-05 18:45:59 PDT
Landed in r57110 and r57111.
Comment 6 WebKit Review Bot 2010-04-05 19:21:30 PDT
http://trac.webkit.org/changeset/57110 might have broken SnowLeopard Intel Release (Tests)
Comment 7 WebKit Review Bot 2010-04-05 19:21:50 PDT
http://trac.webkit.org/changeset/57111 might have broken SnowLeopard Intel Release (Tests)