DCHECK crash in selection code when double clicking
Reported by land...@opera.com, Oct 11 2016
Issue description

Version: master
OS: Linux

What steps will reproduce the problem?
(1) Load test case: ./content_shell 'data:text/html,<body bgcolor=blue><form><input></form>'
(2) Double click, just above the input box.

DCHECK in EphemeralRangeTemplate triggers a renderer crash with the following stack trace:

[1:1:1010/152923:369766035069:FATAL:EphemeralRange.cpp(33)] Check failed: m_startPosition <= m_endPosition (INPUT@afterAnchor vs. DIV id="inner-editor" (editable)@offsetInAnchor[)
#0 0x000001a32e0e base::debug::StackTrace::StackTrace()
#1 0x000001a46c37 logging::LogMessage::~LogMessage()
#2 0x0000035c49c6 blink::EphemeralRangeTemplate<>::EphemeralRangeTemplate()
#3 0x0000035f5852 blink::VisibleSelectionTemplate<>::toNormalizedEphemeralRange()
#4 0x0000035c5827 blink::extractSelectedText()
#5 0x0000035c6ce9 blink::FrameSelection::selectedText()
#6 0x000002e92a0b blink::WebLocalFrameImpl::selectionAsText()
#7 0x000002a99a08 content::RenderFrameImpl::SyncSelectionIfRequired()
#8 0x0000035bd796 blink::Editor::notifyComponentsOnChangedSelection()
#9 0x0000035c9265 blink::FrameSelection::setSelectionAlgorithm<>()
#10 0x0000035c9865 blink::FrameSelection::setNonDirectionalSelectionIfNeeded()
#11 0x0000035eb3b3 blink::SelectionController::updateSelectionForMouseDownDispatchingSelectStart()
#12 0x0000035eba3c blink::SelectionController::selectClosestWordFromHitTestResult()
#13 0x0000035ebcf0 blink::SelectionController::selectClosestWordFromMouseEvent()
#14 0x0000035ebe23 blink::SelectionController::handleMousePressEventDoubleClick()
#15 0x00000397e945 blink::EventHandler::handleMousePressEvent()
#16 0x000003982967 blink::EventHandler::handleMousePressEvent()
#17 0x000002f06c5c blink::PageWidgetEventHandler::handleMouseDown()
#18 0x000002eceaa3 blink::WebViewImpl::handleMouseDown()
#19 0x000002f070c7 blink::PageWidgetDelegate::handleInputEvent()
#20 0x000002ed2e50 blink::WebViewImpl::handleInputEvent()
#21 0x000002bcb7f9 content::RenderWidgetInputHandler::HandleInputEvent()
#22 0x000002ad3f33 IPC::MessageT<>::Dispatch<>()
#23 0x000002ad653a content::RenderWidget::OnMessageReceived()
#24 0x000002acba22 content::RenderViewImpl::OnMessageReceived()
#25 0x000002a1362d content::ChildThreadImpl::OnMessageReceived()
#26 0x000002bc72d1 content::InputEventFilter::HandleEventOnMainThread()
#27 0x000002bc98ea content::MainThreadEventQueue::DispatchInFlightEvent()
#28 0x000002bc9f95 content::MainThreadEventQueue::DispatchSingleEvent()
#29 0x000001ab3ddb base::debug::TaskAnnotator::RunTask()
#30 0x000002e00c62 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#31 0x000002e015b7 blink::scheduler::TaskQueueManager::DoWork()
#32 0x000001ab3ddb base::debug::TaskAnnotator::RunTask()
#33 0x000001a4fa8a base::MessageLoop::RunTask()
#34 0x000001a50ddd base::MessageLoop::DeferOrRunPendingTask()
#35 0x000001a51d26 base::MessageLoop::DoWork()
#36 0x000001a53152 base::MessagePumpDefault::Run()
#37 0x000001a52acf base::MessageLoop::RunHandler()
#38 0x000001a6e0c8 base::RunLoop::Run()
#39 0x000002ae19b9 content::RendererMain()
#40 0x00000147b9c1 content::RunZygote()
#41 0x00000147bd6b content::RunNamedProcessTypeMain()
#42 0x00000147be0d content::ContentMainRunnerImpl::Run()
#43 0x0000014751e1 content::ContentMain()
#44 0x000000504ef8 main
#45 0x7ffa6e661f45 __libc_start_main
#46 0x000000508e47 <unknown>
Comment 1 by yosin@chromium.org, Oct 12 2016
SelectionEditor::m_selectionInFlatTree
  m_start = AfterAnchor, INPUT
  m_end = DIV, 0

SelectionEditor::m_selection (in DOM Tree)
  m_start = BeforeAnchor, INPUT
  m_end = BeforeAnchor, INPUT

extractSelectedText() visibleSelection (in Flat Tree)
  m_start = AfterAnchor, INPUT
  m_end = DIV, 0

It seems the mostBackwardCaretPosition() call in VisibleSelection::validate() causes this.
mostBackwardCaretPosition(AfterAnchor, DIV) => DIV, 0
It should be AfterAnchor, DIV
Oct 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/97263d0bef05d9dfe570d49516d916bba9ca95cc

commit 97263d0bef05d9dfe570d49516d916bba9ca95cc
Author: yosin <yosin@chromium.org>
Date: Thu Oct 13 03:36:12 2016

Convert set{End,Start}RespectingGranularity() in VisibleSlection as pure functions

This patch converts |set{End,Start}RespectingGranularity()| in |VisibleSlection| to pure functions for improving readability.

This patch is intended to help debugging http://crbug.com/654710, e.g. checking positions before/after expanding selection by granularity in selection.

BUG=654710
TEST=n/a; no behavior changes

Review-Url: https://codereview.chromium.org/2416553002
Cr-Commit-Position: refs/heads/master@{#424947}

[modify] https://crrev.com/97263d0bef05d9dfe570d49516d916bba9ca95cc/third_party/WebKit/Source/core/editing/VisibleSelection.cpp
[modify] https://crrev.com/97263d0bef05d9dfe570d49516d916bba9ca95cc/third_party/WebKit/Source/core/editing/VisibleSelection.h
Aug 24 2017
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot