Triggers assertion if dragging from outside of <meter> in a shadow tree to inside...
authorshinyak@chromium.org <shinyak@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2012 02:42:48 +0000 (02:42 +0000)
committershinyak@chromium.org <shinyak@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2012 02:42:48 +0000 (02:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=82177

Reviewed by Dimitri Glazkov.

Source/WebCore:

VisibleSelection::adjustSelectionToAvoidCrossingShadowBoundaries has moved the start position or
the end position to the invalid position, i.e. position after (before) the non-existing node.

This patch fixes the problem, and adds assertion that the selection does not cross shadow boundaries.

Test: fast/dom/shadow/drag-to-meter-in-shadow-crash.html

* editing/VisibleSelection.cpp:
(WebCore::VisibleSelection::adjustSelectionToAvoidCrossingShadowBoundaries):

LayoutTests:

* fast/dom/shadow/drag-to-meter-in-shadow-crash-expected.txt: Added.
* fast/dom/shadow/drag-to-meter-in-shadow-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112197 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/VisibleSelection.cpp

index 124acee5be88d238f92e16fe32d8af89b0eeb046..247f0b4802f9a22ab41c8c61eea1db2ae42def3a 100644 (file)
@@ -1,3 +1,13 @@
+2012-03-26  Shinya Kawanaka  <shinyak@chromium.org>
+
+        Triggers assertion if dragging from outside of <meter> in a shadow tree to inside of it.
+        https://bugs.webkit.org/show_bug.cgi?id=82177
+
+        Reviewed by Dimitri Glazkov.
+
+        * fast/dom/shadow/drag-to-meter-in-shadow-crash-expected.txt: Added.
+        * fast/dom/shadow/drag-to-meter-in-shadow-crash.html: Added.
+
 2012-03-26  Adam Barth  <abarth@webkit.org>
 
         When <img crossorigin> fails the CORS check, we should fire the error event
diff --git a/LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash-expected.txt b/LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash-expected.txt
new file mode 100644 (file)
index 0000000..e3293d6
--- /dev/null
@@ -0,0 +1,3 @@
+This test checks selecting from outside of a shadow tree and to inside of a shadow tree won't crash.
+
+PASS
diff --git a/LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash.html b/LayoutTests/fast/dom/shadow/drag-to-meter-in-shadow-crash.html
new file mode 100644 (file)
index 0000000..db6800d
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test checks selecting from outside of a shadow tree and to inside of a shadow tree won't crash.</p>
+<div id='container' style="width:100px; height: 100px"></div>
+<div>PASS</div>
+<script src="resources/polyfill.js"></script>
+<script src="../../../editing/editing.js"></script>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var container = document.getElementById('container');
+var shadowRoot = new WebKitShadowRoot(container);
+var meter = document.createElement('meter');
+shadowRoot.appendChild(meter);
+
+var midX = meter.offsetLeft + (meter.offsetWidth / 2);
+var midY = meter.offsetTop + (meter.offsetHeight / 2);
+var delta = 40;
+
+eventSender.mouseMoveTo(midX, midY + delta);
+eventSender.mouseDown();
+eventSender.mouseMoveTo(midX, midY);
+eventSender.mouseUp();
+</script>
+</body>
+</html>
index 86a7b8cda34f34d6d0f3f84a0dbafe89c8bbe91a..e8e6f4a69b6fca262a11c163de8d5ea53a461e2e 100644 (file)
@@ -1,3 +1,20 @@
+2012-03-26  Shinya Kawanaka  <shinyak@chromium.org>
+
+        Triggers assertion if dragging from outside of <meter> in a shadow tree to inside of it.
+        https://bugs.webkit.org/show_bug.cgi?id=82177
+
+        Reviewed by Dimitri Glazkov.
+
+        VisibleSelection::adjustSelectionToAvoidCrossingShadowBoundaries has moved the start position or
+        the end position to the invalid position, i.e. position after (before) the non-existing node.
+
+        This patch fixes the problem, and adds assertion that the selection does not cross shadow boundaries.
+
+        Test: fast/dom/shadow/drag-to-meter-in-shadow-crash.html
+
+        * editing/VisibleSelection.cpp:
+        (WebCore::VisibleSelection::adjustSelectionToAvoidCrossingShadowBoundaries):
+
 2012-03-26  Scott Byer  <scottbyer@chromium.org>
 
         Enable layout testing of the scroll animator.
index e64739d768449d4653b8bd93746b813ca36148fd..86f529b6a45b8634b77f6f94a2397e83e67b394d 100644 (file)
@@ -471,12 +471,14 @@ void VisibleSelection::adjustSelectionToAvoidCrossingShadowBoundaries()
         return;
 
     if (m_baseIsFirst) {
-        m_extent = startRootNode ? lastPositionInNode(startRootNode) : positionBeforeNode(endRootNode->shadowAncestorNode());
+        m_extent = startRootNode ? lastPositionInOrAfterNode(startRootNode) : positionBeforeNode(endRootNode->shadowAncestorNode());
         m_end = m_extent;
     } else {
-        m_extent = endRootNode ? firstPositionInNode(endRootNode) : positionAfterNode(startRootNode->shadowAncestorNode());
+        m_extent = endRootNode ? firstPositionInOrBeforeNode(endRootNode) : positionAfterNode(startRootNode->shadowAncestorNode());
         m_start = m_extent;
     }
+
+    ASSERT(m_start.anchorNode()->treeScope() == m_end.anchorNode()->treeScope());
 }
 
 void VisibleSelection::adjustSelectionToAvoidCrossingEditingBoundaries()