Reviewed by Tony Chang.
[chromium] Crash in WebViewImpl::caretOrSelectionBounds
https://bugs.webkit.org/show_bug.cgi?id=58269
The bug was caused by caretOrSelectionBounds's incorrectly assuming
SelectionController::toNormalizedRange to always return a non-null Range.
Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
by containerNode() and calls to SelectionController::start() and SelectionController::end()
by calls to SelectionController::base() and SelectionController::extent() because
selection extends from base to extent, not from start to end.
Test: editing/selection/extend-over-file-input-by-drag-crash.html
* src/WebViewImpl.cpp:
(WebKit::WebViewImpl::caretOrSelectionBounds):
2011-04-11 Ryosuke Niwa <rniwa@webkit.org>
Reviewed by Tony Chang.
[chromium] Crash in WebViewImpl::caretOrSelectionBounds
https://bugs.webkit.org/show_bug.cgi?id=58269
Added a test to ensure WebKit does not crash when selecting over a file input element.
While the bug was specific to Chromium port, the test will be run on all ports because
all other ports should not crash either.
* editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
* editing/selection/extend-over-file-input-by-drag-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83548 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2011-04-11 Ryosuke Niwa <rniwa@webkit.org>
+
+ Reviewed by Tony Chang.
+
+ [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+ https://bugs.webkit.org/show_bug.cgi?id=58269
+
+ Added a test to ensure WebKit does not crash when selecting over a file input element.
+ While the bug was specific to Chromium port, the test will be run on all ports because
+ all other ports should not crash either.
+
+ * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
+ * editing/selection/extend-over-file-input-by-drag-crash.html: Added.
+
2011-04-11 Brady Eidson <beidson@apple.com>
Reviewed by Maciej Stachowiak.
--- /dev/null
+This test ensures WebKit does not crash when selecting text across an element with type=file. To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element. WebKit should not crash.
+
+PASS
--- /dev/null
+<!DOCTYPE>\r
+<html>\r
+<body>\r
+<p>This test ensures WebKit does not crash when selecting text across an element with type=file.\r
+To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element.\r
+WebKit should not crash.</p>\r
+<span id="test">start<input type=file>end</span>\r
+<script>\r
+\r
+if (window.layoutTestController && window.eventSender) {\r
+ layoutTestController.dumpAsText();\r
+\r
+ var test = document.getElementById('test');\r
+ var input = test.getElementsByTagName('input')[0];\r
+\r
+ var y = test.offsetTop + test.offsetHeight / 2;\r
+ eventSender.mouseMoveTo(test.offsetLeft + 5, y);\r
+ eventSender.mouseDown();\r
+\r
+ eventSender.leapForward(200);\r
+ eventSender.mouseMoveTo(input.offsetLeft + input.offsetWidth / 2, y);\r
+ eventSender.leapForward(200);\r
+\r
+ eventSender.mouseMoveTo(test.offsetLeft + test.offsetWidth - 5, y);\r
+ eventSender.mouseDown();\r
+\r
+ test.parentNode.removeChild(test);\r
+\r
+ document.write('PASS');\r
+}\r
+\r
+</script>\r
+</body>\r
+</html>\r
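Review bot: The drag is never released: the call after the final `mouseMoveTo` is a second `eventSender.mouseDown();`, and the script contains no `eventSender.mouseUp()`. If the second press is not what reproduces the crash, `eventSender.mouseUp();` there would match the manual steps in the description (drag from "start" to "end"), and it would presumably avoid leaving the button pressed when the test ends. If it is deliberate, a one-line comment such as `// Second mouseDown without mouseUp is intentional; it reproduces bug 58269.` would stop a later cleanup from changing what the regression test covers. Separately, `<!DOCTYPE>` has no name, so `<!DOCTYPE html>` would be the usual form unless quirks mode is intended.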
B0149E7E11A4B21500196A7B /* AsyncImageResizer.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */; };
B0149E7F11A4B21500196A7B /* ImageResizerThread.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */; };
B0149E8011A4B21500196A7B /* ImageResizerThread.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7C11A4B21500196A7B /* ImageResizerThread.h */; };
- B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */ = {isa = PBXBuildFile; fileRef = B164F82D1345779E00BC777F /* HTMLTrackElement.idl */; };
B1827493134CA4C100B98C2D /* CallbackFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B1827492134CA4C100B98C2D /* CallbackFunction.cpp */; };
B1D5ECB5134B58DA0087C78F /* CallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */; };
B1E54599134629C10092A545 /* NavigatorUserMediaError.h in Headers */ = {isa = PBXBuildFile; fileRef = B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */; };
B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncImageResizer.h; sourceTree = "<group>"; };
B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ImageResizerThread.cpp; sourceTree = "<group>"; };
B0149E7C11A4B21500196A7B /* ImageResizerThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ImageResizerThread.h; sourceTree = "<group>"; };
- B164F82D1345779E00BC777F /* HTMLTrackElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = HTMLTrackElement.idl; path = html/HTMLTrackElement.idl; sourceTree = "<group>"; };
B1827492134CA4C100B98C2D /* CallbackFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallbackFunction.cpp; sourceTree = "<group>"; };
B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallbackFunction.h; sourceTree = "<group>"; };
B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NavigatorUserMediaError.h; sourceTree = "<group>"; };
85136CA80AED665900F90A3D /* westResizeCursor.png in Resources */,
1AB1AE7A0C051FDE00139F4F /* zoomInCursor.png in Resources */,
1AB1AE7B0C051FDE00139F4F /* zoomOutCursor.png in Resources */,
- B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
+2011-04-11 Ryosuke Niwa <rniwa@webkit.org>
+
+ Reviewed by Tony Chang.
+
+ [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+ https://bugs.webkit.org/show_bug.cgi?id=58269
+
+ The bug was caused by caretOrSelectionBounds's incorrectly assuming
+ SelectionController::toNormalizedRange to always return a non-null Range.
+
+ Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
+ by containerNode() and calls to SelectionController::start() and SelectionController::end()
+ by calls to SelectionController::base() and SelectionController::extent() because
+ selection extends from base to extent, not from start to end.
+
+ Test: editing/selection/extend-over-file-input-by-drag-crash.html
+
+ * src/WebViewImpl.cpp:
+ (WebKit::WebViewImpl::caretOrSelectionBounds):
+
2011-04-11 Dimitri Glazkov <dglazkov@chromium.org>
Reviewed by Eric Carlson.
if (!view)
return rect;
- const Node* node = controller->start().deprecatedNode();
+ const Node* node = controller->base().containerNode();
if (!node || !node->renderer())
return rect;
if (controller->isCaret())
rect = view->contentsToWindow(controller->absoluteCaretBounds());
else if (controller->isRange()) {
- node = controller->end().deprecatedNode();
- if (!node || !node->renderer())
- return rect;
+ node = controller->extent().containerNode();
RefPtr<Range> range = controller->toNormalizedRange();
+ if (!node || !node->renderer() || !range)
+ return rect;
rect = view->contentsToWindow(focused->editor()->firstRectForRange(range.get()));
}
return rect;
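Review bot: The added `!range` check is the actual crash fix, but nothing at the call site explains why a selection that reports `isRange()` can still have no normalized range. A comment above the guard, e.g. `// toNormalizedRange() may return null even when isRange() is true; see https://bugs.webkit.org/show_bug.cgi?id=58269.`, would keep it from being removed later as redundant. In the same branch `focused->editor()` is dereferenced without a visible check. Presumably `focused` is validated earlier, but caretOrSelectionBounds begins outside this hunk, so that cannot be confirmed from here.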