2011-04-11 Ryosuke Niwa <rniwa@webkit.org>
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
        Reviewed by Tony Chang.

        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
        https://bugs.webkit.org/show_bug.cgi?id=58269

        The bug was caused by caretOrSelectionBounds's incorrectly assuming
        SelectionController::toNormalizedRange to always return a non-null Range.

        Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
        by containerNode() and calls to SelectionController::start() and SelectionController::end()
        by calls to SelectionController::base() and SelectionController::extent() because
        selection extends from base to extent, not from start to end.

        Test: editing/selection/extend-over-file-input-by-drag-crash.html

        * src/WebViewImpl.cpp:
        (WebKit::WebViewImpl::caretOrSelectionBounds):
2011-04-11  Ryosuke Niwa  <rniwa@webkit.org>

        Reviewed by Tony Chang.

        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
        https://bugs.webkit.org/show_bug.cgi?id=58269

        Added a test to ensure WebKit does not crash when selecting over a file input element.
        While the bug was specific to Chromium port, the test will be run on all ports because
        all other ports should not crash either.

        * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
        * editing/selection/extend-over-file-input-by-drag-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83548 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html [new file with mode: 0644]
Source/WebCore/WebCore.xcodeproj/project.pbxproj
Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/src/WebViewImpl.cpp

index fc1cf0d..b9ff912 100644 (file)
@@ -1,3 +1,17 @@
+2011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+        https://bugs.webkit.org/show_bug.cgi?id=58269
+
+        Added a test to ensure WebKit does not crash when selecting over a file input element.
+        While the bug was specific to Chromium port, the test will be run on all ports because
+        all other ports should not crash either.
+
+        * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
+        * editing/selection/extend-over-file-input-by-drag-crash.html: Added.
+
 2011-04-11  Brady Eidson  <beidson@apple.com>
 
         Reviewed by Maciej Stachowiak.
diff --git a/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt
new file mode 100644 (file)
index 0000000..8590a9f
--- /dev/null
@@ -0,0 +1,3 @@
+This test ensures WebKit does not crash when selecting text across an element with type=file. To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element. WebKit should not crash.
+
+PASS
diff --git a/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html
new file mode 100644 (file)
index 0000000..6e8fd7a
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE>\r
+<html>\r
+<body>\r
+<p>This test ensures WebKit does not crash when selecting text across an element with type=file.\r
+To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element.\r
+WebKit should not crash.</p>\r
+<span id="test">start<input type=file>end</span>\r
+<script>\r
+\r
+if (window.layoutTestController && window.eventSender) {\r
+    layoutTestController.dumpAsText();\r
+\r
+    var test = document.getElementById('test');\r
+    var input = test.getElementsByTagName('input')[0];\r
+\r
+    var y = test.offsetTop + test.offsetHeight / 2;\r
+    eventSender.mouseMoveTo(test.offsetLeft + 5, y);\r
+    eventSender.mouseDown();\r
+\r
+    eventSender.leapForward(200);\r
+    eventSender.mouseMoveTo(input.offsetLeft + input.offsetWidth / 2, y);\r
+    eventSender.leapForward(200);\r
+\r
+    eventSender.mouseMoveTo(test.offsetLeft + test.offsetWidth - 5, y);\r
+    eventSender.mouseDown();\r
+\r
+    test.parentNode.removeChild(test);\r
+\r
+    document.write('PASS');\r
+}\r
+\r
+</script>\r
+</body>\r
+</html>\r
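Review bot: Every line of the new test shows a trailing `\r`, so the file appears to have been committed with CRLF line endings; presumably the rest of the tree uses LF, and converting before landing keeps later diffs of this file readable. The event sequence also ends with a second `eventSender.mouseDown()` at the "end" position and never sends `mouseUp()`; if pressing again mid-drag is what exercises the crash path, a one-line comment such as `// The second mouseDown while dragging is the sequence that crashed; keep it.` would stop a later cleanup from "fixing" it. `<!DOCTYPE>` without the `html` name is unusual; `<!DOCTYPE html>` is the conventional form unless quirks mode is intended here.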
index 2553b52..ac5ef9d 100644 (file)
                B0149E7E11A4B21500196A7B /* AsyncImageResizer.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */; };
                B0149E7F11A4B21500196A7B /* ImageResizerThread.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */; };
                B0149E8011A4B21500196A7B /* ImageResizerThread.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7C11A4B21500196A7B /* ImageResizerThread.h */; };
-               B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */ = {isa = PBXBuildFile; fileRef = B164F82D1345779E00BC777F /* HTMLTrackElement.idl */; };
                B1827493134CA4C100B98C2D /* CallbackFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B1827492134CA4C100B98C2D /* CallbackFunction.cpp */; };
                B1D5ECB5134B58DA0087C78F /* CallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */; };
                B1E54599134629C10092A545 /* NavigatorUserMediaError.h in Headers */ = {isa = PBXBuildFile; fileRef = B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */; };
                B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncImageResizer.h; sourceTree = "<group>"; };
                B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ImageResizerThread.cpp; sourceTree = "<group>"; };
                B0149E7C11A4B21500196A7B /* ImageResizerThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ImageResizerThread.h; sourceTree = "<group>"; };
-               B164F82D1345779E00BC777F /* HTMLTrackElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = HTMLTrackElement.idl; path = html/HTMLTrackElement.idl; sourceTree = "<group>"; };
                B1827492134CA4C100B98C2D /* CallbackFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallbackFunction.cpp; sourceTree = "<group>"; };
                B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallbackFunction.h; sourceTree = "<group>"; };
                B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NavigatorUserMediaError.h; sourceTree = "<group>"; };
                                85136CA80AED665900F90A3D /* westResizeCursor.png in Resources */,
                                1AB1AE7A0C051FDE00139F4F /* zoomInCursor.png in Resources */,
                                1AB1AE7B0C051FDE00139F4F /* zoomOutCursor.png in Resources */,
-                               B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */,
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                };
index 5b6f049..194be76 100644 (file)
@@ -1,3 +1,23 @@
+2011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+        https://bugs.webkit.org/show_bug.cgi?id=58269
+
+        The bug was caused by caretOrSelectionBounds's incorrectly assuming
+        SelectionController::toNormalizedRange to always return a non-null Range.
+
+        Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
+        by containerNode() and calls to SelectionController::start() and SelectionController::end()
+        by calls to SelectionController::base() and SelectionController::extent() because
+        selection extends from base to extent, not from start to end.
+
+        Test: editing/selection/extend-over-file-input-by-drag-crash.html
+
+        * src/WebViewImpl.cpp:
+        (WebKit::WebViewImpl::caretOrSelectionBounds):
+
 2011-04-11  Dimitri Glazkov  <dglazkov@chromium.org>
 
         Reviewed by Eric Carlson.
index 407a8dc..36f21af 100644 (file)
@@ -1438,17 +1438,17 @@ WebRect WebViewImpl::caretOrSelectionBounds()
     if (!view)
         return rect;
 
-    const Node* node = controller->start().deprecatedNode();
+    const Node* node = controller->base().containerNode();
     if (!node || !node->renderer())
         return rect;
 
     if (controller->isCaret())
         rect = view->contentsToWindow(controller->absoluteCaretBounds());
     else if (controller->isRange()) {
-        node = controller->end().deprecatedNode();
-        if (!node || !node->renderer())
-            return rect;
+        node = controller->extent().containerNode();
         RefPtr<Range> range = controller->toNormalizedRange();
+        if (!node || !node->renderer() || !range)
+            return rect;
         rect = view->contentsToWindow(focused->editor()->firstRectForRange(range.get()));
     }
     return rect;
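Review bot: The added `!range` test is the actual fix, but nothing in the code says why `toNormalizedRange()` can return null, so a later reader may drop the check as redundant; a comment above it such as `// toNormalizedRange() can return 0 (bug 58269); never pass a null Range to firstRectForRange().` would pin that down. The extent node is now checked only after `toNormalizedRange()` has run, whereas the removed lines checked it first; moving `node = controller->extent().containerNode();` together with its `if (!node || !node->renderer()) return rect;` above the `RefPtr<Range>` line and leaving a separate `if (!range) return rect;` after it keeps the cheap check first and ties each early return to one condition. `focused` and `controller` are declared before the hunk and are presumably validated there, as `view` is on the line above; the start of caretOrSelectionBounds is outside the hunk.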