Changeset 83548 in webkit


Timestamp:
Apr 11, 2011 6:33:48 PM (13 years ago)
Author:
rniwa@webkit.org
Message:

2011-04-11 Ryosuke Niwa <rniwa@webkit.org>

Reviewed by Tony Chang.

[chromium] Crash in WebViewImpl::caretOrSelectionBounds
https://bugs.webkit.org/show_bug.cgi?id=58269

The bug was caused by caretOrSelectionBounds's incorrectly assuming
SelectionController::toNormalizedRange to always return a non-null Range.

Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
by containerNode() and calls to SelectionController::start() and SelectionController::end()
by calls to SelectionController::base() and SelectionController::extent() because
selection extends from base to extent, not from start to end.

Test: editing/selection/extend-over-file-input-by-drag-crash.html

  • src/WebViewImpl.cpp: (WebKit::WebViewImpl::caretOrSelectionBounds):

2011-04-11 Ryosuke Niwa <rniwa@webkit.org>

Reviewed by Tony Chang.

[chromium] Crash in WebViewImpl::caretOrSelectionBounds
https://bugs.webkit.org/show_bug.cgi?id=58269

Added a test to ensure WebKit does not crash when selecting over a file input element.
While the bug was specific to Chromium port, the test will be run on all ports because
all other ports should not crash either.

  • editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
  • editing/selection/extend-over-file-input-by-drag-crash.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r83547 r83548  
     12011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Reviewed by Tony Chang.
     4
     5        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
     6        https://bugs.webkit.org/show_bug.cgi?id=58269
     7
     8        Added a test to ensure WebKit does not crash when selecting over a file input element.
     9        While the bug was specific to Chromium port, the test will be run on all ports because
     10        all other ports should not crash either.
     11
     12        * editing/selection/extend-over-file-input-by-drag-crash-expected.txt: Added.
     13        * editing/selection/extend-over-file-input-by-drag-crash.html: Added.
     14
    1152011-04-11  Brady Eidson  <beidson@apple.com>
    216
  • trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

    r83545 r83548  
    41024102                B0149E7F11A4B21500196A7B /* ImageResizerThread.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */; };
    41034103                B0149E8011A4B21500196A7B /* ImageResizerThread.h in Headers */ = {isa = PBXBuildFile; fileRef = B0149E7C11A4B21500196A7B /* ImageResizerThread.h */; };
    4104                 B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */ = {isa = PBXBuildFile; fileRef = B164F82D1345779E00BC777F /* HTMLTrackElement.idl */; };
    41054104                B1827493134CA4C100B98C2D /* CallbackFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B1827492134CA4C100B98C2D /* CallbackFunction.cpp */; };
    41064105                B1D5ECB5134B58DA0087C78F /* CallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */; };
     
    1039510394                B0149E7B11A4B21500196A7B /* ImageResizerThread.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ImageResizerThread.cpp; sourceTree = "<group>"; };
    1039610395                B0149E7C11A4B21500196A7B /* ImageResizerThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ImageResizerThread.h; sourceTree = "<group>"; };
    10397                 B164F82D1345779E00BC777F /* HTMLTrackElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = HTMLTrackElement.idl; path = html/HTMLTrackElement.idl; sourceTree = "<group>"; };
    1039810396                B1827492134CA4C100B98C2D /* CallbackFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallbackFunction.cpp; sourceTree = "<group>"; };
    1039910397                B1D5ECB4134B58DA0087C78F /* CallbackFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallbackFunction.h; sourceTree = "<group>"; };
     
    2302023018                                1AB1AE7A0C051FDE00139F4F /* zoomInCursor.png in Resources */,
    2302123019                                1AB1AE7B0C051FDE00139F4F /* zoomOutCursor.png in Resources */,
    23022                                 B164F82E1345779E00BC777F /* HTMLTrackElement.idl in Resources */,
    2302323020                        );
    2302423021                        runOnlyForDeploymentPostprocessing = 0;
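Review bot: The three removed lines here (old 4104, 10397 and 23022) take HTMLTrackElement.idl out of the Xcode project's Resources, which is unrelated to the caretOrSelectionBounds crash and is not mentioned in either ChangeLog entry of this changeset. Land it as a separate change, or add a WebCore ChangeLog entry for it, so that reverting or cherry-picking the crash fix does not also carry a project-file change that nobody reviewed as such.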
  • trunk/Source/WebKit/chromium/ChangeLog

    r83545 r83548  
     12011-04-11  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Reviewed by Tony Chang.
     4
     5        [chromium] Crash in WebViewImpl::caretOrSelectionBounds
     6        https://bugs.webkit.org/show_bug.cgi?id=58269
     7
     8        The bug was caused by caretOrSelectionBounds's incorrectly assuming
     9        SelectionController::toNormalizedRange to always return a non-null Range.
     10
     11        Fixed the bug by adding a null pointer check. Also replaced calls to deprecatedNode
     12        by containerNode() and calls to SelectionController::start() and SelectionController::end()
     13        by calls to SelectionController::base() and SelectionController::extent() because
     14        selection extends from base to extent, not from start to end.
     15
     16        Test: editing/selection/extend-over-file-input-by-drag-crash.html
     17
     18        * src/WebViewImpl.cpp:
     19        (WebKit::WebViewImpl::caretOrSelectionBounds):
     20
    1212011-04-11  Dimitri Glazkov  <dglazkov@chromium.org>
    222
  • trunk/Source/WebKit/chromium/src/WebViewImpl.cpp

    r83320 r83548  
    14391439        return rect;
    14401440
    1441     const Node* node = controller->start().deprecatedNode();
     1441    const Node* node = controller->base().containerNode();
    14421442    if (!node || !node->renderer())
    14431443        return rect;
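Review bot: At new line 1441 the guard changes in two ways at once, start() to base() and deprecatedNode() to containerNode(), yet in the lines shown node is only used for the "!node || !node->renderer()" check. The ChangeLog justifies base()/extent() by selection direction, which does not obviously matter for a null/renderer guard. State in the ChangeLog whether the guard is meant to cover a different node after this change or whether this is only retiring deprecatedNode(), so the behavioural part of the fix can be told apart from the cleanup.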
     
    14461446        rect = view->contentsToWindow(controller->absoluteCaretBounds());
    14471447    else if (controller->isRange()) {
    1448         node = controller->end().deprecatedNode();
    1449         if (!node || !node->renderer())
     1448        node = controller->extent().containerNode();
     1449        RefPtr<Range> range = controller->toNormalizedRange();
     1450        if (!node || !node->renderer() || !range)
    14501451            return rect;
    1451         RefPtr<Range> range = controller->toNormalizedRange();
    14521452        rect = view->contentsToWindow(focused->editor()->firstRectForRange(range.get()));
    14531453    }
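Review bot: The new "!range" test at line 1450 carries no comment explaining how toNormalizedRange() can return null while isRange() is true, and that is the whole fix for the crash. Add a one-line comment above the check that points at the file-input drag case from editing/selection/extend-over-file-input-by-drag-crash.html, so a later cleanup does not drop the check as redundant. A smaller point: toNormalizedRange() at 1449 now runs before the node guard; if that ordering is only for the combined condition, checking node first and range second in separate early returns would read more clearly.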