Selection that starts outside of contenteditable crashes Chrome when contenteditable contains an input.
Reported by jus...@doolynoted.com, Oct 17 2017
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Steps to reproduce the problem:
Start a selection from outside a contenteditable div to inside a contenteditable div that includes an input.
Super minimal test case:
<!DOCTYPE html>
<html>
<body>
  <div contenteditable="true">
    <p>
      Step 2. End your selection here.
    </p>
    <input type="text" value="123" />
  </div>
  Step 1. Start your selection here.
</body>
</html>
What is the expected behavior?
It shouldn't crash.
What went wrong?
It crashes Chrome. Every. Single. Time.
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 61.0.3163.100 Channel: n/a
OS Version: OS X 10.12.6
Flash Version:
We have a note-taking app that relies on contenteditable, and this is causing users to get frustrated with our app, and with Chrome.
Oct 18 2017
I could reproduce. Investigating...
Oct 18 2017
ToT hangs when showing the INPUT element.
Oct 18 2017
yoichio@, could you take a look? ToT can't show this page.
Oct 18 2017
It caused an infinite loop in AdjustSelectionStartToAvoidCrossingEditingBoundaries():
> blink_core.dll!blink::AdjustSelectionStartToAvoidCrossingEditingBoundaries<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & start, blink::ContainerNode * start_root, blink::Element * base_editable_ancestor) Line 709 C++ Symbols loaded.
blink_core.dll!blink::AdjustSelectionToAvoidCrossingEditingBoundaries<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & range, const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & base) Line 785 C++ Symbols loaded.
blink_core.dll!blink::ComputeVisibleSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & passed_selection, blink::TextGranularity granularity) Line 540 C++ Symbols loaded.
blink_core.dll!blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::CreateWithGranularity(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection, blink::TextGranularity granularity) Line 88 C++ Symbols loaded.
blink_core.dll!blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Create(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 64 C++ Symbols loaded.
blink_core.dll!blink::CreateVisibleSelection(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 73 C++ Symbols loaded.
blink_core.dll!blink::SelectionController::SetNonDirectionalSelectionIfNeeded(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & passed_selection, blink::TextGranularity granularity, blink::SelectionController::EndPointsAdjustmentMode endpoints_adjustment_mode, blink::HandleVisibility handle_visibility) Line 810 C++ Symbols loaded.
blink_core.dll!blink::SelectionController::UpdateSelectionForMouseDrag(const blink::HitTestResult & hit_test_result, const blink::LayoutPoint & drag_start_pos, const blink::IntPoint & last_known_mouse_position) Line 510 C++ Symbols loaded.
blink_core.dll!blink::SelectionController::HandleMouseDraggedEvent(const blink::EventWithHitTestResults<blink::WebMouseEvent> & event, const blink::IntPoint & mouse_down_pos, const blink::LayoutPoint & drag_start_pos, const blink::IntPoint & last_known_mouse_position) Line 1026 C++ Symbols loaded.
blink_core.dll!blink::MouseEventManager::HandleMouseDraggedEvent(const blink::EventWithHitTestResults<blink::WebMouseEvent> & event) Line 827 C++ Symbols loaded.
blink_core.dll!blink::EventHandler::HandleMouseMoveOrLeaveEvent(const blink::WebMouseEvent & mouse_event, const WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> & coalesced_events, blink::HitTestResult * hovered_node, bool only_update_scrollbars, bool force_leave) Line 936 C++ Symbols loaded.
blink_core.dll!blink::EventHandler::HandleMouseMoveEvent(const blink::WebMouseEvent & event, const WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> & coalesced_events) Line 749 C++ Symbols loaded.
blink_core.dll!blink::PageWidgetEventHandler::HandleMouseMove(blink::LocalFrame & main_frame, const blink::WebMouseEvent & event, const std::vector<blink::WebInputEvent const *,std::allocator<blink::WebInputEvent const *> > & coalesced_events) Line 238 C++ Symbols loaded.
blink_core.dll!blink::PageWidgetDelegate::HandleInputEvent(blink::PageWidgetEventHandler & handler, const blink::WebCoalescedInputEvent & coalesced_event, blink::LocalFrame * root) Line 157 C++ Symbols loaded.
blink_core.dll!blink::WebViewImpl::HandleInputEvent(const blink::WebCoalescedInputEvent & coalesced_event) Line 2067 C++ Symbols loaded.
blink_core.dll!blink::WebViewFrameWidget::HandleInputEvent(const blink::WebCoalescedInputEvent & event) Line 97 C++ Symbols loaded.
content.dll!content::RenderWidgetInputHandler::HandleInputEvent(const blink::WebCoalescedInputEvent & coalesced_event, const ui::LatencyInfo & latency_info, base::OnceCallback<void __cdecl(enum content::InputEventAckState,ui::LatencyInfo const &,std::unique_ptr<ui::DidOverscrollParams,std::default_delete<ui::DidOverscrollParams> >,base::Optional<enum cc::TouchAction>)> callback) Line 265 C++ Symbols loaded.
I guess while(ShouldContinueSearchEditingBoundary(position, base_editable_ancestor)) { blah;blah;blah;} keeps returning true.
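To make the shape of that hang concrete, here is an added example (not Blink's code and not the fix that later landed): a toy DOM with a contenteditable root, a position type, and two versions of the "walk the start position outward until it no longer crosses an editing boundary" loop. The naive version is the while loop named in the comment; the guarded version bounds the walk by tree depth and treats a step that does not move the position as a failure rather than spinning. All names (Node, Position, RootEditableElement, PositionBefore, AdjustStartNaive, AdjustStartGuarded) are invented for the model, and the "stuck" tree in the second case is constructed purely to exercise the guard; it does not model the <input> shadow-tree trigger from the report.

```cpp
// Toy model of "adjust the selection start so it does not cross an editing
// boundary". Not Blink code: every name here is invented for illustration.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Node {
  std::string name;
  Node* parent = nullptr;
  std::vector<Node*> children;
  bool content_editable = false;  // models contenteditable="true"
  Node(const std::string& n, Node* p = nullptr, bool ce = false)
      : name(n), parent(p), content_editable(ce) {
    if (p) p->children.push_back(this);
  }
};

struct Position {
  Node* container = nullptr;  // null container means "no position"
  size_t offset = 0;
  bool IsNull() const { return container == nullptr; }
  bool operator==(const Position& o) const {
    return container == o.container && offset == o.offset;
  }
};

// Highest ancestor-or-self that is contenteditable; null when not editable.
Node* RootEditableElement(Node* n) {
  Node* root = nullptr;
  for (Node* cur = n; cur; cur = cur->parent)
    if (cur->content_editable) root = cur;
  return root;
}

// Position just before |n| inside its parent. A node without a parent has no
// "before", so the model returns a position that does not move: exactly the
// kind of non-progressing step that turns a while loop into a hang.
Position PositionBefore(Node* n) {
  if (!n->parent) return Position{n, 0};
  size_t index = 0;
  for (Node* child : n->parent->children) {
    if (child == n) break;
    ++index;
  }
  return Position{n->parent, index};
}

// Mirrors the loop condition from the comment: keep searching while the start
// still lives in a different editing root than the base.
bool ShouldContinueSearchEditingBoundary(const Position& pos, Node* base) {
  return RootEditableElement(pos.container) != base;
}

// Naive loop: terminates only if every iteration strictly moves the position.
Position AdjustStartNaive(Position pos, Node* base) {
  while (ShouldContinueSearchEditingBoundary(pos, base)) {
    Node* root = RootEditableElement(pos.container);
    if (!root) return Position{};  // model only walks outward from editable
    pos = PositionBefore(root);
  }
  return pos;
}

// Guarded loop: the walk can only go up, so it needs at most depth steps, and
// a step that lands on the same position is a bug, not progress. Either case
// yields a null position for the caller to fall back on.
Position AdjustStartGuarded(Position pos, Node* base) {
  size_t depth = 0;
  for (Node* cur = pos.container; cur; cur = cur->parent) ++depth;
  for (size_t steps = 0; ShouldContinueSearchEditingBoundary(pos, base); ++steps) {
    if (steps > depth) return Position{};
    Node* root = RootEditableElement(pos.container);
    if (!root) return Position{};
    Position next = PositionBefore(root);
    if (next == pos) return Position{};  // no progress: would spin forever
    pos = next;
  }
  return pos;
}

// The DOM from the report: body > [div[contenteditable] > (p > text, input), text].
struct ReportTree {
  Node body{"body"};
  Node editable_div{"div", &body, true};
  Node p{"p", &editable_div};
  Node step2{"#text Step 2", &p};
  Node input{"input", &editable_div};
  Node step1{"#text Step 1", &body};
};

// Drag began at "Step 1" (not editable, so base is null) and now ends inside
// the editable paragraph: the start is pushed out to just before the div.
bool ReportCaseAdjustsToBody() {
  ReportTree t;
  Position start{&t.step2, 3};
  Position adjusted = AdjustStartGuarded(start, nullptr);
  return adjusted == Position{&t.body, 0} && AdjustStartNaive(start, nullptr) == adjusted;
}

// Constructed degenerate tree whose editing root is the top node, so there is
// no position outside it. The naive loop never returns on this input.
struct StuckTree {
  Node html{"html", nullptr, true};
  Node text{"#text", &html};
};

bool StuckCaseReturnsNull() {
  StuckTree t;
  return AdjustStartGuarded(Position{&t.text, 1}, nullptr).IsNull();
}

int main() {
  std::printf("report case ok: %d\n", ReportCaseAdjustsToBody());
  std::printf("stuck case guarded: %d\n", StuckCaseReturnsNull());
  return 0;
}
```

The guard is cheap because the walk has a natural monotone measure (distance to the tree root); a loop that lacks such a measure needs an explicit visited set or an iteration cap, and a DCHECK on "no progress" would have turned this hang into a crash with a stack at the offending iteration.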
Oct 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e1d074f67e9f1dce555501b102def965527e8945

commit e1d074f67e9f1dce555501b102def965527e8945
Author: Yoichi Osato <yoichio@chromium.org>
Date: Fri Oct 27 07:11:45 2017

Simplify formatBlock layouttest

format-block-contenteditable-false.html tests italic and formatBlock commands on contenteditable. Since its main purpose is formatBlock command, style italic in input content.

Bug: 775701
Change-Id: I4aac30f8a858c602aa64b9bd9ad33771fb28f8a9
Reviewed-on: https://chromium-review.googlesource.com/729617
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512111}

[modify] https://crrev.com/e1d074f67e9f1dce555501b102def965527e8945/third_party/WebKit/LayoutTests/editing/execCommand/format-block-contenteditable-false.html
Oct 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7f5ba8f2f0060c20ae67eba2169da30ef6dc7456

commit 7f5ba8f2f0060c20ae67eba2169da30ef6dc7456
Author: Yoichi Osato <yoichio@chromium.org>
Date: Fri Oct 27 08:31:23 2017

Use selection marker instead of SelectAll

This patch simplifies the layout test to use only one execCommand("Indent").

Bug: 775701
Change-Id: I85f89332f866c8e63b03fe3b5d57f09f1d5657d4
Reviewed-on: https://chromium-review.googlesource.com/741422
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512125}

[modify] https://crrev.com/7f5ba8f2f0060c20ae67eba2169da30ef6dc7456/third_party/WebKit/LayoutTests/editing/execCommand/delete-non-editable-range-crash.html
Oct 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6245a0f4143290dc5d83d5a65acad0b194c94425

commit 6245a0f4143290dc5d83d5a65acad0b194c94425
Author: Yoichi Osato <yoichio@chromium.org>
Date: Fri Oct 27 09:54:15 2017

Utilize assert_selection to mixed-editability-10.html

The test confirms where caret is put when user click on mixed contenteditable tree. This patch utilizes that for code health.

Bug: 679977, 775701
Change-Id: I8298ca9d8cdc49c1de3f086ec9a2f32bcdce7aa0
Reviewed-on: https://chromium-review.googlesource.com/740582
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512136}

[modify] https://crrev.com/6245a0f4143290dc5d83d5a65acad0b194c94425/third_party/WebKit/LayoutTests/editing/selection/mixed-editability-10.html
[delete] https://crrev.com/38a4ff1cb46eff1725fce602a1f512574ef64f35/third_party/WebKit/LayoutTests/platform/linux/editing/selection/mixed-editability-10-expected.txt
[delete] https://crrev.com/38a4ff1cb46eff1725fce602a1f512574ef64f35/third_party/WebKit/LayoutTests/platform/mac/editing/selection/mixed-editability-10-expected.txt
[delete] https://crrev.com/38a4ff1cb46eff1725fce602a1f512574ef64f35/third_party/WebKit/LayoutTests/platform/win/editing/selection/mixed-editability-10-expected.txt
Oct 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/88e765de5730dc61c5e63fdeb0b39aaf3ac07d5e

commit 88e765de5730dc61c5e63fdeb0b39aaf3ac07d5e
Author: Yoichi Osato <yoichio@chromium.org>
Date: Tue Oct 31 05:58:23 2017

Convert editing/pasteboard/5144139.html with assert_selection

This patch converts editing/pasteboard/5144139.html with assert_selection to promote the use of w3c testharness and improve code health.

Bug: 679977, 775701
Change-Id: I18182b39fdcb756ae26333f7b074b343a8f968b7
Reviewed-on: https://chromium-review.googlesource.com/746223
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512756}

[modify] https://crrev.com/88e765de5730dc61c5e63fdeb0b39aaf3ac07d5e/third_party/WebKit/LayoutTests/editing/deleting/5144139-2.html
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/linux/editing/deleting/5144139-2-expected.png
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/linux/editing/deleting/5144139-2-expected.txt
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/mac-mac10.10/editing/deleting/5144139-2-expected.png
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/mac/editing/deleting/5144139-2-expected.png
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/mac/editing/deleting/5144139-2-expected.txt
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/win/editing/deleting/5144139-2-expected.png
[delete] https://crrev.com/aff39ea0cd42cdf61e3f82322956c7ce56517ca7/third_party/WebKit/LayoutTests/platform/win/editing/deleting/5144139-2-expected.txt
Nov 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/30a024937a458f12226fd292972c9666d568b087

commit 30a024937a458f12226fd292972c9666d568b087
Author: Yoichi Osato <yoichio@chromium.org>
Date: Wed Nov 01 02:37:00 2017

Convert editing/pasteboard/copy-null-characters.html with assert_selection

This patch converts editing/pasteboard/copy-null-characters.html with assert_selection to promote the use of w3c testharness and improve code health.

Bug: 679977, 775701
Change-Id: Ib89e9f246b7c7ef559b0d67ac2a4937405524145
Reviewed-on: https://chromium-review.googlesource.com/746341
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513048}

[delete] https://crrev.com/686faa29744c72562dd016a7960856138bceaa91/third_party/WebKit/LayoutTests/editing/pasteboard/copy-null-characters-expected.txt
[modify] https://crrev.com/30a024937a458f12226fd292972c9666d568b087/third_party/WebKit/LayoutTests/editing/pasteboard/copy-null-characters.html
Nov 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8c1417717e04e73ce1433b890e68fe92fa01d259

commit 8c1417717e04e73ce1433b890e68fe92fa01d259
Author: Yoichi Osato <yoichio@chromium.org>
Date: Wed Nov 01 05:02:47 2017

Convert editing/selection/mouse/drag_focus_node.html with assert_selection

This patch converts editing/selection/mouse/drag_focus_node.html with assert_selection to promote the use of w3c testharness and improve code health.

Bug: 679977, 775701
Bug:
Change-Id: Icde9911081d459ce53ac9155bedf98702b78b66c
Reviewed-on: https://chromium-review.googlesource.com/746481
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513077}

[modify] https://crrev.com/8c1417717e04e73ce1433b890e68fe92fa01d259/third_party/WebKit/LayoutTests/editing/selection/mouse/drag_focus_node.html
Nov 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b8348e2d2c652ef58418bbf32188d29ee75f987c

commit b8348e2d2c652ef58418bbf32188d29ee75f987c
Author: Yoichi Osato <yoichio@chromium.org>
Date: Wed Nov 01 09:01:30 2017

Refactor granularity adjustment at ComputeVisibleSelection().

This patch excludes text granularity adjustment part from ComputeVisibleSelection() to a function which returns SelectionTemplate<Strategy> for code health.

We will have
ComputeVisibleSelection(passed_selection) {
  const SelectionTemplate<Strategy>& xxx_adjusted_selection = AdjustSelectionXXX(passed_selection);
  const SelectionTemplate<Strategy>& yyy_adjusted_selection = AdjustSelectionYYY(xxx_selection);
  const SelectionTemplate<Strategy>& zzz_adjusted_selection = AdjustSelectionZZZ(yyy_selection);
  return zzz_adjusted_selection.
}

Bug: 775701
Change-Id: I34fefb47fe7b82916a41f0f876030561fc21f1d4
Reviewed-on: https://chromium-review.googlesource.com/748842
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513100}

[modify] https://crrev.com/b8348e2d2c652ef58418bbf32188d29ee75f987c/third_party/WebKit/Source/core/editing/VisibleSelection.cpp
Nov 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/655efaaef4ae274260d4c473e3229420d2a38926

commit 655efaaef4ae274260d4c473e3229420d2a38926
Author: Yoichi Osato <yoichio@chromium.org>
Date: Thu Nov 02 02:04:05 2017

Refactor shadow adjustment at ComputeVisibleSelection().

This patch excludes shadow adjustment part from ComputeVisibleSelection() to a function which returns SelectionTemplate<Strategy> for code health.

We will have
ComputeVisibleSelection(passed_selection) {
  const SelectionTemplate<Strategy>& xxx_adjusted_selection = AdjustSelectionXXX(passed_selection);
  const SelectionTemplate<Strategy>& yyy_adjusted_selection = AdjustSelectionYYY(xxx_selection);
  const SelectionTemplate<Strategy>& zzz_adjusted_selection = AdjustSelectionZZZ(yyy_selection);
  return zzz_adjusted_selection.
}

Bug: 775701
Change-Id: I9c8c99ddbf585074322b467fae63459783bfb272
Reviewed-on: https://chromium-review.googlesource.com/748922
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513368}

[modify] https://crrev.com/655efaaef4ae274260d4c473e3229420d2a38926/third_party/WebKit/Source/core/editing/VisibleSelection.cpp
Nov 3 2017
yoichio@ Tested this issue on Mac OS 10.12.6 using the latest Chrome version 64.0.3257.0 following the steps mentioned in the original comment. No crash is seen on the page when selecting outside the div and switching to inside the div. Attached is the screen cast for reference. Tested the same on the reported version 61.0.3163.100 and can see the same behavior. Can you please check and confirm whether the fix is working as intended or not?
Nov 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/27b69bb27b7a785a6d0a3d3e5738575e0a08c300

commit 27b69bb27b7a785a6d0a3d3e5738575e0a08c300
Author: Yoichi Osato <yoichio@chromium.org>
Date: Mon Nov 20 09:31:07 2017

Refactor editing adjustment at ComputeVisibleSelection().

This patch excludes editing adjustment part from ComputeVisibleSelection() to a function which returns SelectionTemplate<Strategy> for code health.

We will have
ComputeVisibleSelection(passed_selection) {
  const SelectionTemplate<Strategy>& xxx_adjusted_selection = AdjustSelectionXXX(passed_selection);
  const SelectionTemplate<Strategy>& yyy_adjusted_selection = AdjustSelectionYYY(xxx_selection);
  const SelectionTemplate<Strategy>& zzz_adjusted_selection = AdjustSelectionZZZ(yyy_selection);
  return zzz_adjusted_selection.
}

Bug: 775701
Change-Id: I0cb1e34156f3792a1ca67443370f862c2cf268ba
Reviewed-on: https://chromium-review.googlesource.com/749567
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517785}

[modify] https://crrev.com/27b69bb27b7a785a6d0a3d3e5738575e0a08c300/third_party/WebKit/Source/core/editing/VisibleSelection.cpp
Dec 6 2017
Lower to Pri-3 since we don't have time to work this.
Sep 25
Not repro on Version 71.0.3557.0 (Official Build) canary (64-bit). https://chromium.googlesource.com/chromium/src/+/7bd29404a6ab8d36bdff4123ae522fcd9068344b fixed this.