Title: [106380] trunk
Revision: 106380
Author: [email protected]
Date: 2012-01-31 12:41:05 -0800 (Tue, 31 Jan 2012)

Log Message

Source/WebCore: Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block
https://bugs.webkit.org/show_bug.cgi?id=77077

Reviewed by Enrica Casucci.

The crash was caused by a missing null check after removing the position out of the start block.
Fixed the bug by adding an early return.

Tests: editing/deleting/delete-start-block.html
       editing/selection/move-into-empty-root-inline-box.html

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):

LayoutTests: Crash in previousLinePosition when moving into a root inline box without leaves
https://bugs.webkit.org/show_bug.cgi?id=76812

Reviewed by Enrica Casucci.

Add a regression test for the crash. Unfortunately, we can only test previousLinePosition.

* editing/selection/move-into-empty-root-inline-box-expected.txt: Added.
* editing/selection/move-into-empty-root-inline-box.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (106379 => 106380)


--- trunk/LayoutTests/ChangeLog	2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/LayoutTests/ChangeLog	2012-01-31 20:41:05 UTC (rev 106380)
@@ -1,3 +1,15 @@
+2012-01-31  Ryosuke Niwa  <[email protected]>
+
+        Crash in previousLinePosition when moving into a root inline box without leaves
+        https://bugs.webkit.org/show_bug.cgi?id=76812
+
+        Reviewed by Enrica Casucci.
+
+        Add a regression test for the crash. Unfortunately, we can only test previousLinePosition.
+
+        * editing/selection/move-into-empty-root-inline-box-expected.txt: Added.
+        * editing/selection/move-into-empty-root-inline-box.html: Added.
+
 2012-01-31  Tony Chang  <[email protected]>
 
         [chromium] Fix css3/flexbox/cross-axis-scrollbar-expected to work on
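Review bot: The new LayoutTests entry lists only the two move-into-empty-root-inline-box files as added, but this revision also adds editing/deleting/delete-start-block.html and delete-start-block-expected.txt under LayoutTests. Add those two paths to the entry, or give them their own entry under bug 77077, so the test for the handleGeneralDelete crash can be found from this ChangeLog. The sentence "Unfortunately, we can only test previousLinePosition." would also be easier to act on later if it said what could not be tested and why.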

Added: trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt (0 => 106380)


--- trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-start-block-expected.txt	2012-01-31 20:41:05 UTC (rev 106380)
@@ -0,0 +1,5 @@
+This tests removing the start block. WebKit should not crash.
+| <div>
+|   <br>
+| <br>
+| <br>

Added: trunk/LayoutTests/editing/deleting/delete-start-block.html (0 => 106380)


--- trunk/LayoutTests/editing/deleting/delete-start-block.html	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-start-block.html	2012-01-31 20:41:05 UTC (rev 106380)
@@ -0,0 +1,15 @@
+><progress><script src=""
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.designMode="on";
+document.execCommand("selectall");
+document.execCommand("justifycenter",false);
+document.body.removeChild(document.body.firstElementChild);
+document.execCommand("insertparagraph");
+
+Markup.description("This tests removing the start block. WebKit should not crash.");
+Markup.dump(document.body);
+
+</script>
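Review bot: The first line of the test, `><progress><script src=""`, is malformed as shown, and the script calls Markup.description and Markup.dump without any visible include that defines Markup. If the stray `>` and the `<progress>` element are needed to reproduce the crash, say so in a short comment so nobody tidies them away; otherwise reduce the markup to what the repro needs and load the helper that provides Markup explicitly. A one-line comment above the removeChild call stating that it removes the start block of the pending selection would also make clear which step triggers the null start node.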

Modified: trunk/Source/WebCore/ChangeLog (106379 => 106380)


--- trunk/Source/WebCore/ChangeLog	2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/Source/WebCore/ChangeLog	2012-01-31 20:41:05 UTC (rev 106380)
@@ -1,3 +1,19 @@
+2012-01-31  Ryosuke Niwa  <[email protected]>
+
+        Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block
+        https://bugs.webkit.org/show_bug.cgi?id=77077
+
+        Reviewed by Enrica Casucci.
+
+        The crash was caused by a missing null check after removing the position out of the start block.
+        Fixed the bug by adding an early return.
+
+        Tests: editing/deleting/delete-start-block.html
+               editing/selection/move-into-empty-root-inline-box.html
+
+        * editing/DeleteSelectionCommand.cpp:
+        (WebCore::DeleteSelectionCommand::handleGeneralDelete):
+
 2012-01-31  Rafael Brandao  <[email protected]>
 
         HTMLIsIndexElement should not expose HTMLInputElement properties
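Review bot: The Tests list in this entry names editing/selection/move-into-empty-root-inline-box.html as a test for the handleGeneralDelete fix, while the LayoutTests ChangeLog in the same revision ties that file to bug 76812, a crash in previousLinePosition. State which test covers which bug, or drop the second test from this entry if it does not exercise the change to DeleteSelectionCommand.cpp. The description "removing the position out of the start block" is also hard to parse; naming the call whose result can be null would make the cause clear to later readers.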

Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (106379 => 106380)


--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2012-01-31 20:05:37 UTC (rev 106379)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2012-01-31 20:41:05 UTC (rev 106380)
@@ -418,6 +418,8 @@
     if (startNode == m_startBlock && startOffset == 0 && canHaveChildrenForEditing(startNode) && !startNode->hasTagName(tableTag)) {
         startOffset = 0;
         startNode = startNode->traverseNextNode();
+        if (!startNode)
+            return;
     }
 
     if (startOffset >= caretMaxOffset(startNode) && startNode->isTextNode()) {
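Review bot: The early return at `if (!startNode) return;` leaves handleGeneralDelete without deleting anything and without telling the caller, so it is worth confirming that the code run after this function tolerates a selection that was not removed. Add a comment stating when traverseNextNode() returns null here (no node follows the start block), since the check exists to protect the `caretMaxOffset(startNode)` and `startNode->isTextNode()` uses on the following line. Separately, `startOffset = 0;` inside a branch whose condition already requires `startOffset == 0` is redundant and could be removed in a follow-up.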
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
