Title: [111469] trunk
Revision: 111469
Author: [email protected]
Date: 2012-03-20 16:49:52 -0700 (Tue, 20 Mar 2012)

Log Message

visual word movement: crashes on CSS generated content.
https://bugs.webkit.org/show_bug.cgi?id=81581

Reviewed by Ryosuke Niwa.

Source/WebCore:

Check for null pointer when referencing box->renderer()->node() in previousRootInlineBox and nextRootInlineBox.

Test: editing/selection/move-by-word-visually-crash-test-css-generated-content.html

* editing/visible_units.cpp:
(WebCore::previousRootInlineBox):
(WebCore::nextRootInlineBox):

LayoutTests:

* editing/selection/move-by-word-visually-crash-test-css-generated-content-expected.txt: Added.
* editing/selection/move-by-word-visually-crash-test-css-generated-content.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (111468 => 111469)


--- trunk/LayoutTests/ChangeLog	2012-03-20 23:47:38 UTC (rev 111468)
+++ trunk/LayoutTests/ChangeLog	2012-03-20 23:49:52 UTC (rev 111469)
@@ -1,3 +1,13 @@
+2012-03-20  Xiaomei Ji  <[email protected]>
+
+        visual word movement: crashes on CSS generated content.
+        https://bugs.webkit.org/show_bug.cgi?id=81581
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/move-by-word-visually-crash-test-css-generated-content-expected.txt: Added.
+        * editing/selection/move-by-word-visually-crash-test-css-generated-content.html: Added.
+
 2012-03-20  Dan Bernstein  <[email protected]>
 
         Updated expected results for this test after r110409.

Added: trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content-expected.txt (0 => 111469)


--- trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content-expected.txt	2012-03-20 23:49:52 UTC (rev 111469)
@@ -0,0 +1 @@
+Crash test passed

Added: trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html (0 => 111469)


--- trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html	2012-03-20 23:49:52 UTC (rev 111469)
@@ -0,0 +1,28 @@
+<head>
+<style>
+div:before {
+    content: url(../../accessibility/resources/cake.png);
+}
+</style>
+</head>
+<script src=""
+<script>
+
+_onload_ = function() {
+    try {
+        runTest();
+        document.body.innerHTML = "Crash test passed";
+    } finally {
+    }
+};
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.setEditingBehavior('win');
+}
+</script>
+<div contenteditable dir=ltr>
+<div title="0|0" class="test_move_by_word" dir=ltr>in div 1</div>
+<div title="0|0" class="test_move_by_word" dir=ltr><img src=""
+<h1>text area</h1>
+</div>
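
Review bot: the `try { ... } finally { }` wrapper in the onload handler has an empty `finally` and no `catch`, so it behaves exactly like calling `runTest()` and setting `innerHTML` with no wrapper at all. Either drop the `try`/`finally`, or put the reporting where it is meant to run if `runTest()` throws. The file would also benefit from a short comment naming bug 81581 and pointing at the `div:before { content: url(...) }` rule as the construct under test, since nothing in the markup says why generated content matters here.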

Modified: trunk/Source/WebCore/ChangeLog (111468 => 111469)


--- trunk/Source/WebCore/ChangeLog	2012-03-20 23:47:38 UTC (rev 111468)
+++ trunk/Source/WebCore/ChangeLog	2012-03-20 23:49:52 UTC (rev 111469)
@@ -1,3 +1,18 @@
+2012-03-20  Xiaomei Ji  <[email protected]>
+
+        visual word movement: crashes on CSS generated content.
+        https://bugs.webkit.org/show_bug.cgi?id=81581
+
+        Reviewed by Ryosuke Niwa.
+
+        Check for null pointer when referencing box->renderer()->node() in previousRootInlineBox and nextRootInlineBox.
+
+        Test: editing/selection/move-by-word-visually-crash-test-css-generated-content.html
+
+        * editing/visible_units.cpp:
+        (WebCore::previousRootInlineBox):
+        (WebCore::nextRootInlineBox):
+
 2012-03-20  Luke Macpherson  <[email protected]>
 
         Use CSSPrimitiveValue::convertToLength() to handle CSSPropertyWebkitBoxReflect and in createGridTrackBreadth.
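
Review bot: the entry says a null check was added for `box->renderer()->node()` but not why that pointer can be null on this path. The title mentions CSS generated content, so one sentence connecting the two (which boxes reach previousRootInlineBox and nextRootInlineBox without a node) would make the entry useful to someone auditing similar dereferences later.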

Modified: trunk/Source/WebCore/editing/visible_units.cpp (111468 => 111469)


--- trunk/Source/WebCore/editing/visible_units.cpp	2012-03-20 23:47:38 UTC (rev 111468)
+++ trunk/Source/WebCore/editing/visible_units.cpp	2012-03-20 23:49:52 UTC (rev 111469)
@@ -103,6 +103,10 @@
 static const RootInlineBox* previousRootInlineBox(const InlineBox* box, const VisiblePosition& visiblePosition)
 {
     Node* highestRoot = highestEditableRoot(visiblePosition.deepEquivalent(), ContentIsEditable);
+
+    if (!box->renderer() || !box->renderer()->node())
+        return 0;
+
     Node* node = box->renderer()->node();
     Node* enclosingBlockNode = enclosingNodeWithNonInlineRenderer(node);
     Node* previousNode = previousLeafWithSameEditability(node, ContentIsEditable);
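
Review bot: the guard in previousRootInlineBox is placed after the `highestEditableRoot(...)` call, so that result is computed and then discarded on the early return, and `box->renderer()->node()` is evaluated in the check and again on the next line. Consider moving the check to the top of the function and fetching the node once, then testing it, so the assignment and the null check cannot diverge. A one-line comment saying when the renderer has no node would also help, because the check alone does not explain itself. `box` is still dereferenced unconditionally; if callers guarantee it is non-null, an assertion would document that.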
@@ -132,6 +136,10 @@
 static const RootInlineBox* nextRootInlineBox(const InlineBox* box, const VisiblePosition& visiblePosition)
 {
     Node* highestRoot = highestEditableRoot(visiblePosition.deepEquivalent(), ContentIsEditable);
+
+    if (!box->renderer() || !box->renderer()->node())
+        return 0;
+
     Node* node = box->renderer()->node();
     Node* enclosingBlockNode = enclosingNodeWithNonInlineRenderer(node);
     Node* nextNode = nextLeafWithSameEditability(node, ContentIsEditable);
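
Review bot: the four-line guard in nextRootInlineBox is a verbatim copy of the one added to previousRootInlineBox. A small static helper that returns the node for a box, or 0 when `renderer()` or `node()` is null, would keep the two functions from drifting apart. Both functions now return 0 on this path, and the hunk does not show the call sites, so please confirm that every caller handles a null RootInlineBox before this lands; otherwise the null dereference just moves one frame up.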