WebCore:
author sullivan@apple.com <sullivan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 May 2008 21:32:18 +0000 (21:32 +0000)
committer sullivan@apple.com <sullivan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 May 2008 21:32:18 +0000 (21:32 +0000)
2008-05-13  John Sullivan  <sullivan@apple.com>

        Reviewed by Dan Bernstein and Kevin Decker

        - fixed <rdar://problem/5879597> reproducible crash in HTMLSelectElement::typeAheadFind

        Test: fast/forms/select-type-ahead-list-box-no-selection.html

        * html/HTMLSelectElement.cpp:
        (WebCore::HTMLSelectElement::typeAheadFind):
        When there's no initially-selected element, we were accessing index -1. Check for this
        case and start at 0.

LayoutTests:

2008-05-13  John Sullivan  <sullivan@apple.com>

        Reviewed by Justin Garcia and Tim Hatcher

        <rdar://problem/5879597> reproducible crash in HTMLSelectElement::typeAheadFind

        * fast/forms/select-type-ahead-list-box-no-selection-expected.txt: Added.
        * fast/forms/select-type-ahead-list-box-no-selection.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@33392 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/select-type-ahead-list-box-no-selection-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/select-type-ahead-list-box-no-selection.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/HTMLSelectElement.cpp

index ecbdb06..8af58fd 100644 (file)
@@ -1,3 +1,12 @@
+2008-05-13  John Sullivan  <sullivan@apple.com>
+
+        Reviewed by Justin Garcia and Tim Hatcher
+        
+        <rdar://problem/5879597> reproducible crash in HTMLSelectElement::typeAheadFind
+
+        * fast/forms/select-type-ahead-list-box-no-selection-expected.txt: Added.
+        * fast/forms/select-type-ahead-list-box-no-selection.html: Added.
+
 2008-05-13  Alexey Proskuryakov  <ap@webkit.org>
 
         Reviewed by John Sullivan.
diff --git a/LayoutTests/fast/forms/select-type-ahead-list-box-no-selection-expected.txt b/LayoutTests/fast/forms/select-type-ahead-list-box-no-selection-expected.txt
new file mode 100644 (file)
index 0000000..e215581
--- /dev/null
@@ -0,0 +1,4 @@
+Test for rdar://problem/5879597 Type-to-select in lists with no initial selection can crash.
+
+
+SUCCESS
diff --git a/LayoutTests/fast/forms/select-type-ahead-list-box-no-selection.html b/LayoutTests/fast/forms/select-type-ahead-list-box-no-selection.html
new file mode 100644 (file)
index 0000000..db171eb
--- /dev/null
@@ -0,0 +1,23 @@
+<p>
+    Test for <i><a href="rdar://problem/5879597">rdar://problem/5879597</a>
+    Type-to-select in lists with no initial selection can crash</i>.
+</p>
+<select size="3" id="list">
+<option>One</option>
+<option>Two</option>
+<option>Three</option>
+<option>Four</option>
+<option>Five</option>
+</select>
+<div id="result">To run interactively, tab to list and type "12" quickly. If it doesn't crash, the test passed.</div>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        var menu = document.getElementById("list");
+        menu.focus();
+        eventSender.keyDown("1");
+        eventSender.keyDown("2");
+        var result = document.getElementById("result");
+        result.innerText = "SUCCESS";
+    }
+</script>
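Review bot: The script at the end of this test writes result.innerText = "SUCCESS" unconditionally after the two eventSender.keyDown calls, so the test only detects a crash and would still pass if type-ahead left the list in a wrong state. Consider reading menu.selectedIndex after the key events and comparing it with the expected value before writing SUCCESS. None of the five option labels begins with "1" or "2", so only the no-match path is exercised; a second case that types a character matching an option (for example "T") would also cover the path where a selection is made starting from no selection.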
index 82d28d8..f8d5a50 100644 (file)
@@ -1,3 +1,16 @@
+2008-05-13  John Sullivan  <sullivan@apple.com>
+
+        Reviewed by Dan Bernstein and Kevin Decker
+        
+        - fixed <rdar://problem/5879597> reproducible crash in HTMLSelectElement::typeAheadFind
+
+        Test: fast/forms/select-type-ahead-list-box-no-selection.html
+
+        * html/HTMLSelectElement.cpp:
+        (WebCore::HTMLSelectElement::typeAheadFind):
+        When there's no initially-selected element, we were accessing index -1. Check for this
+        case and start at 0.
+
 2008-05-13  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Dan Bernstein.
index f1aa658..6a29b94 100644 (file)
@@ -978,7 +978,9 @@ void HTMLSelectElement::typeAheadFind(KeyboardEvent* event)
     if (itemCount < 1)
         return;
 
-    int index = (optionToListIndex(selectedIndex()) + searchStartOffset) % itemCount;
+    int selected = selectedIndex();
+    int index = (optionToListIndex(selected >= 0 ? selected : 0) + searchStartOffset) % itemCount;
+    ASSERT(index >= 0);
     for (int i = 0; i < itemCount; i++, index = (index + 1) % itemCount) {
         if (!items[index]->hasTagName(optionTag) || items[index]->disabled())
             continue;
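Review bot: ASSERT(index >= 0) on the third added line is the only check that index is non-negative before items[index] is read in the loop, and an assertion is normally compiled out of release builds. The new ternary guards selected, but the return value of optionToListIndex(...) and the sign of searchStartOffset are not checked in this hunk, and % in C++ keeps the sign of a negative left operand, so a negative value from either would still lead to an out-of-bounds read. The loop's hasTagName(optionTag) test suggests items can hold non-option elements, so please confirm that optionToListIndex(0) cannot fail when itemCount >= 1 but the list contains no option; if it can, add a runtime guard such as if (index < 0) return; next to the assertion.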