Changeset 83548 in webkit
- Timestamp:
- Apr 11, 2011 6:33:48 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r83547 r83548 1 2011-04-11 Ryosuke Niwa <rniwa@webkit.org> 2 3 Reviewed by Tony Chang. 4 5 [chromium] Crash in WebViewImpl::caretOrSelectionBounds 6 https://bugs.webkit.org/show_bug.cgi?id=58269 7 8 Added a test to ensure WebKit does not crash when selecting over a file input element. 9 While the bug was specific to Chromium port, the test will be run on all ports because 10 all other ports should not crash either. 11 12 * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added. 13 * editing/selection/extend-over-file-input-by-drag-crash.html: Added. 14 1 15 2011-04-11 Brady Eidson <beidson@apple.com> 2 16 -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r83545 r83548 4102 4102 B0149E7F11A4B21500196A7B /* ImageResizerThread.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */; }; 4103 4103 B0149E8011A4B21500196A7B /* ImageResizerThread.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7C11A4B21500196A7B /* ImageResizerThread.h */; }; 4104 B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */ = {isa = PBXBuildFile; fileRef = B164F82D1345779E00BC777F /* HTMLTrackElement.idl */; };4105 4104 B1827493134CA4C100B98C2D /* CallbackFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B1827492134CA4C100B98C2D /* CallbackFunction.cpp */; }; 4106 4105 B1D5ECB5134B58DA0087C78F /* CallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */; }; … … 10395 10394 B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ImageResizerThread.cpp; sourceTree = "<group>"; }; 10396 10395 B0149E7C11A4B21500196A7B /* ImageResizerThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ImageResizerThread.h; sourceTree = "<group>"; }; 10397 B164F82D1345779E00BC777F /* HTMLTrackElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = HTMLTrackElement.idl; path = html/HTMLTrackElement.idl; sourceTree = "<group>"; };10398 10396 B1827492134CA4C100B98C2D /* CallbackFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallbackFunction.cpp; sourceTree = "<group>"; }; 10399 10397 B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallbackFunction.h; sourceTree = "<group>"; }; … … 23020 23018 1AB1AE7A0C051FDE00139F4F /* zoomInCursor.png in Resources */, 23021 23019 1AB1AE7B0C051FDE00139F4F /* zoomOutCursor.png in Resources */, 23022 B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */,23023 23020 ); 23024 23021 runOnlyForDeploymentPostprocessing = 0; -
trunk/Source/WebKit/chromium/ChangeLog
r83545 r83548 1 2011-04-11 Ryosuke Niwa <rniwa@webkit.org> 2 3 Reviewed by Tony Chang. 4 5 [chromium] Crash in WebViewImpl::caretOrSelectionBounds 6 https://bugs.webkit.org/show_bug.cgi?id=58269 7 8 The bug was caused by caretOrSelectionBounds's incorrectly assuming 9 SelectionController::toNormalizedRange to always return a non-null Range. 10 11 Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode 12 by containerNode() and calls to SelectionController::start() and SelectionController::end() 13 by calls to SelectionController::base() and SelectionController::extent() because 14 selection extends from base to extent, not from start to end. 15 16 Test: editing/selection/extend-over-file-input-by-drag-crash.html 17 18 * src/WebViewImpl.cpp: 19 (WebKit::WebViewImpl::caretOrSelectionBounds): 20 1 21 2011-04-11 Dimitri Glazkov <dglazkov@chromium.org> 2 22 -
trunk/Source/WebKit/chromium/src/WebViewImpl.cpp
r83320 r83548 1439 1439 return rect; 1440 1440 1441 const Node* node = controller-> start().deprecatedNode();1441 const Node* node = controller->base().containerNode(); 1442 1442 if (!node || !node->renderer()) 1443 1443 return rect; … … 1446 1446 rect = view->contentsToWindow(controller->absoluteCaretBounds()); 1447 1447 else if (controller->isRange()) { 1448 node = controller->end().deprecatedNode(); 1449 if (!node || !node->renderer()) 1448 node = controller->extent().containerNode(); 1449 RefPtr<Range> range = controller->toNormalizedRange(); 1450 if (!node || !node->renderer() || !range) 1450 1451 return rect; 1451 RefPtr<Range> range = controller->toNormalizedRange();1452 1452 rect = view->contentsToWindow(focused->editor()->firstRectForRange(range.get())); 1453 1453 }
Note: See TracChangeset
for help on using the changeset viewer.