Title: [106380] trunk
- Revision: 106380
- Author: [email protected]
- Date: 2012-01-31 12:41:05 -0800 (Tue, 31 Jan 2012)
Log Message
Source/WebCore: Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block
https://bugs.webkit.org/show_bug.cgi?id=77077
Reviewed by Enrica Casucci.
The crash was caused by a missing null check after removing the position out of the start block.
Fixed the bug by adding an early return.
Tests: editing/deleting/delete-start-block.html
editing/selection/move-into-empty-root-inline-box.html
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):
LayoutTests: Crash in previousLinePosition when moving into a root inline box without leaves
https://bugs.webkit.org/show_bug.cgi?id=76812
Reviewed by Enrica Casucci.
Add a regression test for the crash. Unfortunately, we can only test previousLinePosition.
* editing/selection/move-into-empty-root-inline-box-expected.txt: Added.
* editing/selection/move-into-empty-root-inline-box.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (106379 => 106380)
--- trunk/LayoutTests/ChangeLog 2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/LayoutTests/ChangeLog 2012-01-31 20:41:05 UTC (rev 106380)
@@ -1,3 +1,15 @@
+2012-01-31 Ryosuke Niwa <[email protected]>
+
+ Crash in previousLinePosition when moving into a root inline box without leaves
+ https://bugs.webkit.org/show_bug.cgi?id=76812
+
+ Reviewed by Enrica Casucci.
+
+ Add a regression test for the crash. Unfortunately, we can only test previousLinePosition.
+
+ * editing/selection/move-into-empty-root-inline-box-expected.txt: Added.
+ * editing/selection/move-into-empty-root-inline-box.html: Added.
+
2012-01-31 Tony Chang <[email protected]>
[chromium] Fix css3/flexbox/cross-axis-scrollbar-expected to work on
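Review bot: The new entry lists only the two editing/selection/move-into-empty-root-inline-box files, yet this revision also adds editing/deleting/delete-start-block.html and delete-start-block-expected.txt under LayoutTests. Add those two paths as "Added." lines and reference bug 77077 next to 76812, so the LayoutTests ChangeLog accounts for every test file in the commit.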
Added: trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt (0 => 106380)
--- trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt 2012-01-31 20:41:05 UTC (rev 106380)
@@ -0,0 +1,5 @@
+This tests removing the start block. WebKit should not crash.
+| <div>
+| <br>
+| <br>
+| <br>
Added: trunk/LayoutTests/editing/deleting/delete-start-block.html (0 => 106380)
--- trunk/LayoutTests/editing/deleting/delete-start-block.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-start-block.html 2012-01-31 20:41:05 UTC (rev 106380)
@@ -0,0 +1,15 @@
+><progress><script src=""
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.designMode="on";
+document.execCommand("selectall");
+document.execCommand("justifycenter",false);
+document.body.removeChild(document.body.firstElementChild);
+document.execCommand("insertparagraph");
+
+Markup.description("This tests removing the start block. WebKit should not crash.");
+Markup.dump(document.body);
+
+</script>
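Review bot: The script body carries no comment tying the command sequence to the bug, so it is not clear from the test which step puts the selection start into a block that is no longer in the document. A one-line comment above `document.body.removeChild(document.body.firstElementChild);` citing https://bugs.webkit.org/show_bug.cgi?id=77077 would help whoever next sees this test fail, and the description string could include the bug number as well.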
Modified: trunk/Source/WebCore/ChangeLog (106379 => 106380)
--- trunk/Source/WebCore/ChangeLog 2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/Source/WebCore/ChangeLog 2012-01-31 20:41:05 UTC (rev 106380)
@@ -1,3 +1,19 @@
+2012-01-31 Ryosuke Niwa <[email protected]>
+
+ Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block
+ https://bugs.webkit.org/show_bug.cgi?id=77077
+
+ Reviewed by Enrica Casucci.
+
+ The crash was caused by a missing null check after removing the position out of the start block.
+ Fixed the bug by adding an early return.
+
+ Tests: editing/deleting/delete-start-block.html
+ editing/selection/move-into-empty-root-inline-box.html
+
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::handleGeneralDelete):
+
2012-01-31 Rafael Brandao <[email protected]>
HTMLIsIndexElement should not expose HTMLInputElement properties
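Review bot: The Tests: line credits editing/selection/move-into-empty-root-inline-box.html to this fix, while the LayoutTests entry files that test under bug 76812 and says it only covers previousLinePosition. Either state in the description how that test relates to the handleGeneralDelete early return, or drop it from this entry's Tests: list so each test maps to the bug it actually exercises.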
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (106379 => 106380)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2012-01-31 20:41:05 UTC (rev 106380)
@@ -418,6 +418,8 @@
if (startNode == m_startBlock && startOffset == 0 && canHaveChildrenForEditing(startNode) && !startNode->hasTagName(tableTag)) {
startOffset = 0;
startNode = startNode->traverseNextNode();
+ if (!startNode)
+ return;
}
if (startOffset >= caretMaxOffset(startNode) && startNode->isTextNode()) {
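Review bot: The early return at `if (!startNode) return;` exits handleGeneralDelete before any of the deletion work runs, and nothing in the hunk says when traverseNextNode() yields null here. Add a short comment naming the case (no node follows the start block) and confirm that nothing later in the function needs to run for it. Separately, `startOffset = 0;` two lines above is redundant, since the enclosing condition already requires `startOffset == 0`.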