Issue 836008 link

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Right clicking nested contenteditable table causes tab crash

Reported by jhch...@gmail.com, Apr 23 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce the problem:
1. Visit https://jsfiddle.net/p402fg8p/13/
2. In the rendered HTML pane in the bottom right, right click one of the table cells
3. May have to repeat #2 several times
4. May have to refresh the page and try again if nothing goes wrong after ~10 right clicks

What is the expected behavior?
Context menu opens

What went wrong?
The tab crashes

Crashed report ID: 3e7c0b0ff71b4369

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 66.0.3359.117  Channel: stable
OS Version: OS X 10.13.4
Flash Version: 

Also occurs on https://codepen.io/anon/pen/jxWQab
Attachment: table.gif (1.0 MB)

Comment 1 by jhch...@gmail.com, Apr 23 2018

The crash report and recording are using Canary, but it was discovered in Chrome 66 (where I have more extensions installed).
Cc: kkaluri@chromium.org
Components: UI>Browser
Labels: hasbisect-per-revision M-68 FoundIn-66 RegressedIn-66 Target-68
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Mac 10.13.3 with stable #66.0.3359.117, Canary #68.0.3409.0 
Issue broken in M64

Bisect Info:
===========
Good build : 64.0.3261.0,  Revision Range -514329
Bad build  : 64.0.3262.0,  Revision Range -514703

Executed the per-revision bisect script for the above range, but it gave a suspected CL (https://chromium-review.googlesource.com/720270) which is related to Android OS only.

Hence untriaging this issue and requesting the dev team to look into the manual CL range below: https://chromium.googlesource.com/chromium/src/+log/64.0.3261.0..64.0.3262.0?pretty=fuller&n=10000 and assign it to the concerned owners.

Note: Issue is not seen on Debian Rodete & Windows 10

Thank You...

Attachment: 836008-Good.mp4 (2.1 MB)
Attachment: 836008-Bad.mp4 (827 KB)

Comment 3 by lgrey@chromium.org, Apr 26 2018

Components: -UI>Browser Blink>Editing>Content
Components: -Blink>Editing>Content Blink>Editing>Selection
Browser received a bad IPC message here:

https://chromium.googlesource.com/chromium/src/+/68.0.3409.0/content/browser/frame_host/render_frame_host_impl.cc#2005

if (validated_params.selection_start_offset < 0) {
  bad_message::ReceivedBadMessage(
      GetProcess(), bad_message::RFH_NEGATIVE_SELECTION_START_OFFSET);
}


Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
The issue repros on Mac only, when right-clicking on the right edge of the text in a cell.

Root cause: when right clicking (e.g., at "A1|"), Blink should extend selection to word boundary ("^A1|"), but actually creates selection <td contenteditable>A1^</td><td contenteditable>|B1</td>. Then Blink fails to calculate the selection offsets since the selection base and extent are not in the same editable element.

The issue reproduces on Mac only, due to the Mac-only editing behavior that right-clicking on the edge of a word selects the word. To reproduce on other platforms, open the test case in content_shell with --expose-internals-for-testing flag, and run internals.settings.setEditingBehavior('mac') in the page.

Assign to yosin@ who is working on selection expansion by granularity.
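The comments above describe a privilege-boundary check: the renderer computes selection offsets and sends them over IPC, and the browser refuses a negative start offset by killing the renderer (the "bad message" path quoted in comment 3) rather than trusting it. The following is an added, self-contained model of that pattern, not Chromium code. The struct and function names (EditableCell, Caret, SelectionParams, ComputeSelectionParams, ValidateSelectionParams) are assumptions patterned after the quoted snippet; the renderer side models the failure described in the root cause (base and extent in different contenteditable cells) by reporting a -1 offset, and the browser side rejects it along with two other inconsistencies a validator would check.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

// Added example (not Chromium code). Models the two sides of the check
// discussed in this issue: an untrusted renderer computing selection
// offsets, and the browser validating them before use.

// Tiny model of the DOM in the report: each <td contenteditable> is its
// own editable root. Names are constructed for this example.
struct EditableCell {
  std::string id;
  std::string text;
};

// One end of a selection: the editable root it lives in and a character
// offset inside that root's text.
struct Caret {
  const EditableCell* cell;
  size_t offset;
};

// Shape of the parameters sent renderer -> browser (field names assumed,
// patterned after selection_start_offset in the quoted snippet).
struct SelectionParams {
  int selection_start_offset;
  int selection_end_offset;
  std::string selection_text;
};

// Renderer side (model). Offsets are relative to the editable root of the
// base caret. When the extent lies in a different root there is no valid
// offset to report; this model emits -1, mimicking the failure the bug
// describes ("base and extent are not in the same editable element").
SelectionParams ComputeSelectionParams(const Caret& base, const Caret& extent) {
  SelectionParams p{};
  if (base.cell != extent.cell) {
    p.selection_start_offset = -1;
    p.selection_end_offset = -1;
    return p;
  }
  size_t start = std::min(base.offset, extent.offset);
  size_t end = std::max(base.offset, extent.offset);
  p.selection_start_offset = static_cast<int>(start);
  p.selection_end_offset = static_cast<int>(end);
  p.selection_text = base.cell->text.substr(start, end - start);
  return p;
}

// Browser side. The renderer is untrusted, so every field is validated:
// the negative-start check from the quoted snippet, plus an end that
// precedes the start, plus a text payload whose length does not match
// the claimed range.
enum class Verdict { kOk, kNegativeStartOffset, kEndBeforeStart, kTextLengthMismatch };

Verdict ValidateSelectionParams(const SelectionParams& p) {
  if (p.selection_start_offset < 0) return Verdict::kNegativeStartOffset;
  if (p.selection_end_offset < p.selection_start_offset) return Verdict::kEndBeforeStart;
  size_t claimed = static_cast<size_t>(p.selection_end_offset - p.selection_start_offset);
  if (p.selection_text.size() != claimed) return Verdict::kTextLengthMismatch;
  return Verdict::kOk;
}

const char* VerdictName(Verdict v) {
  switch (v) {
    case Verdict::kOk: return "ok";
    case Verdict::kNegativeStartOffset: return "bad message: negative start offset";
    case Verdict::kEndBeforeStart: return "bad message: end before start";
    case Verdict::kTextLengthMismatch: return "bad message: text length mismatch";
  }
  return "unknown";
}

int main() {
  // Constructed cells matching the report: "A1" and "B1" in sibling <td>s.
  EditableCell a{"td-a", "A1"};
  EditableCell b{"td-b", "B1"};

  // Expected Mac behaviour: right-click at "A1|" extends to the word "^A1|".
  SelectionParams good = ComputeSelectionParams(Caret{&a, 2}, Caret{&a, 0});
  std::printf("word selection in one cell: %s\n", VerdictName(ValidateSelectionParams(good)));

  // Buggy behaviour: selection spans <td>A1^</td><td>|B1</td>.
  SelectionParams bad = ComputeSelectionParams(Caret{&a, 2}, Caret{&b, 0});
  std::printf("selection across two cells: %s\n", VerdictName(ValidateSelectionParams(bad)));
  return 0;
}
```

The point of the model is the asymmetry it reproduces: the browser does not attempt to repair the offsets, it only decides whether the renderer's message is well-formed and terminates the sender otherwise, which is why the user-visible symptom here is a crashed tab rather than memory corruption in the browser process.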

Comment 6 by yosin@chromium.org, May 9 2018

Status: Started (was: Assigned)

Comment 7 by yosin@chromium.org, May 10 2018

Owner: ----
Status: Available (was: Started)
