2011-04-11 Ryosuke Niwa <rniwa@webkit.org>

author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)

committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog

index fc1cf0dc786785f794806fa01e79298d257d5f04..b9ff912bd9555e62a3a19d6c7b98698da9498373 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+        https://bugs.webkit.org/show_bug.cgi?id=58269
+
+        Added a test to ensure WebKit does not crash when selecting over a file input element.
+        While the bug was specific to Chromium port, the test will be run on all ports because
+        all other ports should not crash either.
+
+        * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
+        * editing/selection/extend-over-file-input-by-drag-crash.html: Added.
+
  2011-04-11  Brady Eidson  <beidson@apple.com>
  
          Reviewed by Maciej Stachowiak.
diff --git a/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt

new file mode 100644 (file)

index 0000000..8590a9f
--- /dev/null
+++ b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt
@@ -0,0 +1,3 @@
+This test ensures WebKit does not crash when selecting text across an element with type=file. To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element. WebKit should not crash.
+
+PASS
diff --git a/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html

new file mode 100644 (file)

index 0000000..6e8fd7a
--- /dev/null
+++ b/LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html
@@ -0,0 +1,34 @@
+<!DOCTYPE>\r
+<html>\r
+<body>\r
+<p>This test ensures WebKit does not crash when selecting text across an element with type=file.\r
+To manually test, start selection in "start" and extend the selection by dragging to "end" moving across the input element.\r
+WebKit should not crash.</p>\r
+<span id="test">start<input type=file>end</span>\r
+<script>\r
+\r
+if (window.layoutTestController && window.eventSender) {\r
+    layoutTestController.dumpAsText();\r
+\r
+    var test = document.getElementById('test');\r
+    var input = test.getElementsByTagName('input')[0];\r
+\r
+    var y = test.offsetTop + test.offsetHeight / 2;\r
+    eventSender.mouseMoveTo(test.offsetLeft + 5, y);\r
+    eventSender.mouseDown();\r
+\r
+    eventSender.leapForward(200);\r
+    eventSender.mouseMoveTo(input.offsetLeft + input.offsetWidth / 2, y);\r
+    eventSender.leapForward(200);\r
+\r
+    eventSender.mouseMoveTo(test.offsetLeft + test.offsetWidth - 5, y);\r
+    eventSender.mouseDown();\r
+\r
+    test.parentNode.removeChild(test);\r
+\r
+    document.write('PASS');\r
+}\r
+\r
+</script>\r
+</body>\r
+</html>\r
diff --git a/Source/WebCore/WebCore.xcodeproj/project.pbxproj b/Source/WebCore/WebCore.xcodeproj/project.pbxproj

index 2553b521742de6673b5a87729ed00f75f3938594..ac5ef9d0c8be0f82f3aa54e35436f45b5d9dc6c6 100644 (file)
--- a/Source/WebCore/WebCore.xcodeproj/project.pbxproj
+++ b/Source/WebCore/WebCore.xcodeproj/project.pbxproj
@@ -4101,7 +4101,6 @@
                 B0149E7E11A4B21500196A7B /* AsyncImageResizer.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */; };
                 B0149E7F11A4B21500196A7B /* ImageResizerThread.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */; };
                 B0149E8011A4B21500196A7B /* ImageResizerThread.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7C11A4B21500196A7B /* ImageResizerThread.h */; };
-               B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */ = {isa = PBXBuildFile; fileRef = B164F82D1345779E00BC777F /* HTMLTrackElement.idl */; };
                 B1827493134CA4C100B98C2D /* CallbackFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B1827492134CA4C100B98C2D /* CallbackFunction.cpp */; };
                 B1D5ECB5134B58DA0087C78F /* CallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */; };
                 B1E54599134629C10092A545 /* NavigatorUserMediaError.h in Headers */ = {isa = PBXBuildFile; fileRef = B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */; };
@@ -10394,7 +10393,6 @@
                 B0149E7A11A4B21500196A7B /* AsyncImageResizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncImageResizer.h; sourceTree = "<group>"; };
                 B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ImageResizerThread.cpp; sourceTree = "<group>"; };
                 B0149E7C11A4B21500196A7B /* ImageResizerThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ImageResizerThread.h; sourceTree = "<group>"; };
-               B164F82D1345779E00BC777F /* HTMLTrackElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = HTMLTrackElement.idl; path = html/HTMLTrackElement.idl; sourceTree = "<group>"; };
                 B1827492134CA4C100B98C2D /* CallbackFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallbackFunction.cpp; sourceTree = "<group>"; };
                 B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallbackFunction.h; sourceTree = "<group>"; };
                 B1E5458D134629C10092A545 /* NavigatorUserMediaError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NavigatorUserMediaError.h; sourceTree = "<group>"; };
@@ -23019,7 +23017,6 @@
                                 85136CA80AED665900F90A3D /* westResizeCursor.png in Resources */,
                                 1AB1AE7A0C051FDE00139F4F /* zoomInCursor.png in Resources */,
                                 1AB1AE7B0C051FDE00139F4F /* zoomOutCursor.png in Resources */,
-                               B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;
                 };
diff --git a/Source/WebKit/chromium/ChangeLog b/Source/WebKit/chromium/ChangeLog

index 5b6f0491eadc624dd129840932f1c3a2da8cc51d..194be76fe3ee80750d68a726e0307778418466d6 100644 (file)
--- a/Source/WebKit/chromium/ChangeLog
+++ b/Source/WebKit/chromium/ChangeLog
@@ -1,3 +1,23 @@
+2011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
+        https://bugs.webkit.org/show_bug.cgi?id=58269
+
+        The bug was caused by caretOrSelectionBounds's incorrectly assuming
+        SelectionController::toNormalizedRange to always return a non-null Range.
+
+        Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
+        by containerNode() and calls to SelectionController::start() and SelectionController::end()
+        by calls to SelectionController::base() and SelectionController::extent() because
+        selection extends from base to extent, not from start to end.
+
+        Test: editing/selection/extend-over-file-input-by-drag-crash.html
+
+        * src/WebViewImpl.cpp:
+        (WebKit::WebViewImpl::caretOrSelectionBounds):
+
  2011-04-11  Dimitri Glazkov  <dglazkov@chromium.org>
  
          Reviewed by Eric Carlson.
diff --git a/Source/WebKit/chromium/src/WebViewImpl.cpp b/Source/WebKit/chromium/src/WebViewImpl.cpp

index 407a8dc150c802909670e50af4dd449bc7984b75..36f21af9166fb5a6fb3f4e9c69924109700ad415 100644 (file)
--- a/Source/WebKit/chromium/src/WebViewImpl.cpp
+++ b/Source/WebKit/chromium/src/WebViewImpl.cpp
@@ -1438,17 +1438,17 @@ WebRect WebViewImpl::caretOrSelectionBounds()
      if (!view)
          return rect;
  
-    const Node* node = controller->start().deprecatedNode();
+    const Node* node = controller->base().containerNode();
      if (!node || !node->renderer())
          return rect;
  
      if (controller->isCaret())
          rect = view->contentsToWindow(controller->absoluteCaretBounds());
      else if (controller->isRange()) {
-        node = controller->end().deprecatedNode();
-        if (!node || !node->renderer())
-            return rect;
+        node = controller->extent().containerNode();
          RefPtr<Range> range = controller->toNormalizedRange();
+        if (!node || !node->renderer() || !range)
+            return rect;
          rect = view->contentsToWindow(focused->editor()->firstRectForRange(range.get()));
      }
      return rect;
author	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
committer	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 12 Apr 2011 01:33:48 +0000 (01:33 +0000)
LayoutTests/ChangeLog		patch \| blob \| history
LayoutTests/editing/selection/extend-over-file-input-by-drag-crash-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/editing/selection/extend-over-file-input-by-drag-crash.html	[new file with mode: 0644]	patch \| blob
Source/WebCore/WebCore.xcodeproj/project.pbxproj		patch \| blob \| history
Source/WebKit/chromium/ChangeLog		patch \| blob \| history
Source/WebKit/chromium/src/WebViewImpl.cpp		patch \| blob \| history