Crash on OS X when shift clicking outside of input
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Apr 2013 17:56:22 +0000 (17:56 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Apr 2013 17:56:22 +0000 (17:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=104058

Patch by Yi Shen <max.hong.shen@gmail.com> on 2013-04-22
Reviewed by Chang Shu.

Source/WebCore:

Shift clicking outside of a focused div while removing the focused div from
the dom tree at the same time may hit a null visible position, which should
not be used to calculate the text distance with the new selection's start and
end position. Otherwise, the browser may crash.

Test: editing/selection/crash-on-shift-click.html

* page/EventHandler.cpp:
(WebCore::EventHandler::handleMousePressEventSingleClick):

LayoutTests:

Add test for shift click crash issue.

* editing/selection/crash-on-shift-click-expected.txt: Added.
* editing/selection/crash-on-shift-click.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@148894 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/selection/crash-on-shift-click-expected.txt [new file with mode: 0644]
LayoutTests/editing/selection/crash-on-shift-click.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/EventHandler.cpp

index 9442ef4..fe749c5 100644 (file)
@@ -1,3 +1,15 @@
+2013-04-22  Yi Shen  <max.hong.shen@gmail.com>
+
+        Crash on OS X when shift clicking outside of input
+        https://bugs.webkit.org/show_bug.cgi?id=104058
+
+        Reviewed by Chang Shu.
+
+        Add test for shift click crash issue.
+
+        * editing/selection/crash-on-shift-click-expected.txt: Added.
+        * editing/selection/crash-on-shift-click.html: Added.
+
 2013-04-22  Jessie Berlin  <jberlin@apple.com>
 
         Fix an incorrect rebaseline done in r148830.
diff --git a/LayoutTests/editing/selection/crash-on-shift-click-expected.txt b/LayoutTests/editing/selection/crash-on-shift-click-expected.txt
new file mode 100644 (file)
index 0000000..e073e2d
--- /dev/null
@@ -0,0 +1,2 @@
+This test shift clicks outside of a focused div with removing the focused div from the dom tree at the same time. If this doesn't crash, then the test passes.
+
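Review bot: this expected file must stay byte-identical to the string the test assigns to `secondChildDiv.innerHTML`, because `testRunner.dumpAsText()` compares the rendered text of the page against it; the two copies match here, but the phrasing "with removing the focused div" reads more naturally as "while removing the focused div", and any such wording change has to be made in both files at once.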
diff --git a/LayoutTests/editing/selection/crash-on-shift-click.html b/LayoutTests/editing/selection/crash-on-shift-click.html
new file mode 100644 (file)
index 0000000..fabf86d
--- /dev/null
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="parentDiv">
+<div id="firstChildDiv" contenteditable>first child div</div>
+<div id="secondChildDiv" contenteditable>second child div</div>
+<div/>
+<script>
+
+function clickOnTestPage(x, y, keys) {
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseDown(0, keys);
+    eventSender.mouseUp(0, keys);
+}
+
+function runTest() {
+    var parentDivElement = document.getElementById('parentDiv');
+    clickOnTestPage(parentDivElement.offsetLeft + 10, parentDivElement.offsetTop + 10);
+    eventSender.leapForward(300);
+    window.onmousedown = removeFirstChildDiv;
+    clickOnTestPage(100, 100, ['shiftKey']);
+    document.getElementById('secondChildDiv').innerHTML = "This test shift clicks outside of a focused div with removing the focused div from the dom tree at the same time. If this doesn't crash, then the test passes.";
+}
+
+function removeFirstChildDiv() {
+    var parentDivElement = document.getElementById('parentDiv');
+    var childDivElement = document.getElementById('firstChildDiv');
+    parentDivElement.removeChild(childDivElement);
+}
+
+if (window.eventSender)
+    runTest();
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+</script>
+</body>
+</html>
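Review bot: `<div/>` after `#secondChildDiv` is not a closing tag. The HTML parser ignores the self-closing slash on non-void elements, so it is parsed as an opening `<div>`; `#parentDiv` is then only closed implicitly at `</body>` and the document gains an extra empty div. Replace it with `</div>`. Two smaller points in the same hunk: the first `clickOnTestPage(parentDivElement.offsetLeft + 10, parentDivElement.offsetTop + 10)` call passes no `keys`, so `eventSender.mouseDown(0, undefined)` and `mouseUp(0, undefined)` are issued; defaulting `keys` to `[]` inside `clickOnTestPage` makes that intent explicit. And `testRunner.dumpAsText()` is requested only after `runTest()` has already dispatched the events; the usual layout-test convention is to call it first so the text-only dump is in effect no matter how the test proceeds.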
index fc9e849..1f71145 100644 (file)
@@ -1,3 +1,20 @@
+2013-04-22  Yi Shen  <max.hong.shen@gmail.com>
+
+        Crash on OS X when shift clicking outside of input
+        https://bugs.webkit.org/show_bug.cgi?id=104058
+
+        Reviewed by Chang Shu.
+
+        Shift clicking outside of a focused div while removing the focused div from
+        the dom tree at the same time may hit a null visible position, which should
+        not be used to calculate the text distance with the new selection's start and
+        end position. Otherwise, the browser may crash.
+
+        Test: editing/selection/crash-on-shift-click.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handleMousePressEventSingleClick):
+
 2013-04-22  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         Scrollbar should not depend on EventHandler, Frame and FrameView
index 963604b..89b4b9e 100644 (file)
@@ -605,7 +605,7 @@ bool EventHandler::handleMousePressEventSingleClick(const MouseEventWithHitTestR
                 pos = selectionInUserSelectAll.end();
         }
 
-        if (!m_frame->editor()->behavior().shouldConsiderSelectionAsDirectional()) {
+        if (!m_frame->editor()->behavior().shouldConsiderSelectionAsDirectional() && pos.isNotNull()) {
             // See <rdar://problem/3668157> REGRESSION (Mail): shift-click deselects when selection
             // was created right-to-left
             Position start = newSelection.start();
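Review bot: the added `pos.isNotNull()` term on the modified `if` only guards the directional-selection block below it (the rdar://problem/3668157 comparison of `pos` against `newSelection.start()` and `end()`); when `pos` is null the whole block is skipped and control falls through to whatever the function does next with `pos`, which is outside this hunk and should be confirmed to be safe for a null position as well, or the null case should return early. Since the ChangeLog explains that `pos` becomes null when a mousedown handler removes the focused node from the tree during the shift-click, a one-line comment beside the check stating that would help the next reader; the existing comment only documents the right-to-left regression.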