Crash in SpellingCorrectionController::respondToChangedSelection.
author enrica@apple.com <enrica@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 May 2011 23:40:46 +0000 (23:40 +0000)
committer enrica@apple.com <enrica@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 May 2011 23:40:46 +0000 (23:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=60071
<rdar://problem/9358190>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Creating a Visible position could trigger a layout and there is no
guarantee that the selection is still valid after that.

Tests: editing/selection/undo-crash.html

* editing/SpellingCorrectionController.cpp:
(WebCore::SpellingCorrectionController::respondToChangedSelection):

LayoutTests:

* editing/selection/undo-crash-expected.txt: Added.
* editing/selection/undo-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@85687 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/selection/undo-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/selection/undo-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/SpellingCorrectionController.cpp

index 16e28ca..6462bb2 100644 (file)
@@ -1,3 +1,14 @@
+2011-05-03  Enrica Casucci  <enrica@apple.com>
+
+        Reviewed by Ryosuke Niwa.
+
+        Crash in SpellingCorrectionController::respondToChangedSelection.
+        https://bugs.webkit.org/show_bug.cgi?id=60071
+        <rdar://problem/9358190>
+
+        * editing/selection/undo-crash-expected.txt: Added.
+        * editing/selection/undo-crash.html: Added.
+
 2011-05-03  Csaba Osztrogon√°c  <ossy@webkit.org>
 
         [Qt][WK2] Incorrect line number dumping
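Review bot: the LayoutTests ChangeLog entry lists the two new files but never says what the test exercises, so a reader of this log alone cannot tell which regression it guards. The WebCore entry carries the explanation ("Creating a Visible position could trigger a layout..."); a one-line summary here, such as "Test that undoing an insertion after the focused input has been hidden does not crash", would make the entry self-describing.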
diff --git a/LayoutTests/editing/selection/undo-crash-expected.txt b/LayoutTests/editing/selection/undo-crash-expected.txt
new file mode 100644 (file)
index 0000000..e0d4da8
--- /dev/null
@@ -0,0 +1,2 @@
+To run this test manually, type some text in the input field, then click the "Crash me" button.  
+SUCCEEDED
diff --git a/LayoutTests/editing/selection/undo-crash.html b/LayoutTests/editing/selection/undo-crash.html
new file mode 100644 (file)
index 0000000..e68b8d3
--- /dev/null
@@ -0,0 +1,44 @@
+<html><head>
+<title>Undo crash</title>
+</head>
+<body onload="load()">
+To run this test manually, type some text in the input field, then click the "Crash me" button.
+<input id="testinput" type="text"></input>
+<input id='testbutton' type="button" value="Crash me" onclick="crash()">
+<ul id="console"></ul>
+<script>
+
+function load()
+{
+    document.getElementById('testinput').focus();
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+    document.execCommand('InsertText', false, 'b');
+    document.execCommand('InsertText', false, 'l');
+    document.execCommand('InsertText', false, 'a');
+    document.execCommand('InsertText', false, 'h');
+    if (eventSender) {
+        var button = document.getElementById('testbutton');
+        eventSender.mouseMoveTo(button.offsetLeft + 10, button.offsetTop + 5)
+        eventSender.mouseDown();
+        eventSender.mouseUp();
+    }
+}
+
+function crash()
+{
+    var elem = document.getElementById('testinput');
+    elem.style.display = 'none';
+    document.execCommand('undo');
+    log("SUCCEEDED");
+}
+
+function log(str) {
+    var li = document.createElement("li");
+    li.appendChild(document.createTextNode(str));
+    var console = document.getElementById("console");
+    console.appendChild(li);
+}
+</script>
+</body>
+</html>
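Review bot: `if (eventSender)` in load() throws a ReferenceError when the page is opened in a normal browser, because `eventSender` is an undeclared global outside DumpRenderTree; the check two lines above correctly uses `window.layoutTestController`, so this one should read `if (window.eventSender)` for the manual-run path the instruction text describes to work without a script error. Two smaller points in the same hunk: `</input>` is not a valid closing tag (`<input>` is void), and the `eventSender.mouseMoveTo(...)` line is missing its terminating semicolon, unlike the surrounding statements.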
index d9e5407..eea6008 100644 (file)
@@ -1,3 +1,19 @@
+2011-05-03  Enrica Casucci  <enrica@apple.com>
+
+        Reviewed by Ryosuke Niwa.
+
+        Crash in SpellingCorrectionController::respondToChangedSelection.
+        https://bugs.webkit.org/show_bug.cgi?id=60071
+        <rdar://problem/9358190>
+
+        Creating a Visible position could trigger a layout and there is no
+        guarantee that the selection is still valid after that.
+
+        Tests: editing/selection/undo-crash.html
+
+        * editing/SpellingCorrectionController.cpp:
+        (WebCore::SpellingCorrectionController::respondToChangedSelection):
+
 2011-05-03  Levi Weintraub  <leviw@chromium.org>
 
         Reviewed by Eric Seidel.
index 5580bfe..8467f88 100644 (file)
@@ -385,6 +385,12 @@ void SpellingCorrectionController::respondToChangedSelection(const VisibleSelect
         return;
 
     VisiblePosition selectionPosition = currentSelection.start();
+    
+    // Creating a Visible position triggers a layout and there is no
+    // guarantee that the selection is still valid.
+    if (selectionPosition.isNull())
+        return;
+    
     VisiblePosition endPositionOfWord = endOfWord(selectionPosition, LeftWordIfOnBoundary);
     if (selectionPosition != endPositionOfWord)
         return;
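Review bot: the two added blank lines (`+    `) carry trailing whitespace, which WebKit's style checker rejects; they should be empty. The comment also states more than the ChangeLog does: it says creating a VisiblePosition "triggers a layout", while the ChangeLog says it "could trigger" one; "may trigger a layout" matches the actual behaviour and the rationale for the guard. The null check itself is the right shape for the bug, since a VisiblePosition built from a selection whose node was detached during that layout canonicalizes to null, and bailing out before `endOfWord()` avoids dereferencing the stale position.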