Fixes <http://bugzilla.opendarwin.org/show_bug.cgi?id=3359> Crash on hover with certain styles on the text applied
If a zero length render object (such as a text node that has been set to "") occurred at the
end of a line, it was previously given a non-zero sized run. Iteration over such a node would cause
a crash.
Test cases added:
* layout-tests/traversal/size-zero-run-expected.txt: Added.
* layout-tests/traversal/size-zero-run.html: Added.
* khtml/rendering/bidi.cpp:
(khtml::appendRun):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@9989 268f45cc-cd09-0410-ab3c-d52691b4dbfc
--- /dev/null
+If a zero lengthed render object (such as a text node that has been set to "") occured at the end of a line, it was previously given a non-zero sized run.
+
+A crash would occur on iteration over a node containing such a run. NodeIterators, the innerText property, and hovering over a link all use iteration.
+
+This tests iteration using both the innerText property and NodeIterators. It is successful if it doesn't crash Safari.
+
+hel
--- /dev/null
+<html>
+
+<head>
+<script>
+function test() {
+ if(window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var textnode1 = document.getElementById("node").firstChild;
+ var textnode2 = textnode1.splitText(3);
+ textnode2.nodeValue = "";
+
+ var root = document.body;
+ var it = document.createNodeIterator(root, NodeFilter.SHOW_ELEMENT, NodeFilter.FILTER_ACCEPT, false);
+
+ var n = it.nextNode();
+ while(n) {
+ n = it.nextNode();
+ }
+
+ var text = document.getElementById("node").innerText;
+}
+</script>
+</head>
+
+<body onload="test();">
+<p>If a zero lengthed render object (such as a text node that has been set to "") occured at the end of a line, it was previously given a non-zero sized run.</p>
+<p>A crash would occur on iteration over a node containing such a run. NodeIterators, the innerText property, and hovering over a link all use iteration.</p>
+<p>This tests iteration using both the innerText property and NodeIterators. It is successful if it doesn't crash Safari.</p>
+<hr>
+<a href="#" id="node">hello</a></body></html>
\ No newline at end of file
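Review bot: In the createNodeIterator call, NodeFilter.SHOW_ELEMENT restricts the iterator to element nodes, so the emptied text node (textnode2) is never returned by nextNode(), and NodeFilter.FILTER_ACCEPT is a filter return constant, not a filter object. If the intent is for the iterator to walk across the zero-length text node, use NodeFilter.SHOW_ALL (or SHOW_TEXT) and pass null as the filter. The value assigned to text from innerText is also never printed or checked, so the test can only detect a crash; writing it into the document would let the expected file catch a wrong result as well.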
+2005-07-31 Justin Garcia <justin.garcia@apple.com>
+
+ Reviewed by mjs
+
+ Fixes <http://bugzilla.opendarwin.org/show_bug.cgi?id=3359> Crash on hover with certain styles on the text applied
+
+ If a zero length render object (such as a text node that has been set to "") occured at the
+ end of a line, it was previously given a non-zero sized run. Iteration over such a node would cause
+ a crash.
+
+ Test cases added:
+ * layout-tests/traversal/size-zero-run-expected.txt: Added.
+ * layout-tests/traversal/size-zero-run.html: Added.
+
+ * khtml/rendering/bidi.cpp:
+ (khtml::appendRun):
+
2005-07-31 Eric Seidel <eseidel@apple.com>
Reviewed by hyatt.
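Review bot: The (khtml::appendRun): line in the new entry has no description after it; add a short phrase saying what changed in that function, along the lines of the comment in the bidi.cpp hunk (runs for zero-length render objects are no longer made larger than the object). "occured" in the entry text should be "occurred".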
start = 0;
obj = Bidinext( bidi.sor.par, obj, bidi );
}
- if (obj)
- appendRunsForObject(start, bidi.eor.pos+1, obj, bidi);
+ if (obj) {
+ // It's OK to add runs for zero-length RenderObjects, just don't make the run larger than it should be
+ int end = obj->length() ? bidi.eor.pos+1 : 0;
+ appendRunsForObject(start, end, obj, bidi);
+ }
bidi.eor.increment( bidi );
bidi.sor = bidi.eor;
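Review bot: The new end computation inside if (obj) only special-cases a length of exactly zero, so the run is still sized from bidi.eor.pos+1 for any non-empty object, with no check against obj->length(). If bidi.eor.pos+1 can exceed the length in other cases, clamping end to obj->length() would cover those and the zero-length case with one expression. The literal 0 also assumes start is 0 at this point; nothing in the visible lines guarantees that when the preceding loop body did not run, so an assertion that start <= end before the appendRunsForObject(start, end, obj, bidi) call would document it.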