From: rniwa@webkit.org
Date: Tue, 31 Jan 2012 20:41:05 +0000 (+0000)
Subject: Source/WebCore: Crash in DeleteSelectionCommand::handleGeneralDelete when attempting...
X-Git-Tag: 070512121124~14122
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4df07a299bed87714a771cca87543bf6b2fda842;p=profile%2Fivi%2Fwebkit-efl.git

Source/WebCore: Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block
https://bugs.webkit.org/show_bug.cgi?id=77077

Reviewed by Enrica Casucci.

The crash was caused by a missing null check after removing the position out of the start block.
Fixed the bug by adding an early return.

Tests: editing/deleting/delete-start-block.html
       editing/selection/move-into-empty-root-inline-box.html

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):

LayoutTests: Crash in previousLinePosition when moving into a root inline box without leaves
https://bugs.webkit.org/show_bug.cgi?id=76812

Reviewed by Enrica Casucci.

Add a regression test for the crash. Unfortunately, we can only test previousLinePosition.

* editing/selection/move-into-empty-root-inline-box-expected.txt: Added.
* editing/selection/move-into-empty-root-inline-box.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106380 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 3cf0a79..c671fab 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog 
@@ -1,3 +1,15 @@ +2012-01-31 Ryosuke Niwa + + Crash in previousLinePosition when moving into a root inline box without leaves + https://bugs.webkit.org/show_bug.cgi?id=76812 + + Reviewed by Enrica Casucci. + + Add a regression test for the crash. Unfortunately, we can only test previousLinePosition. + + * editing/selection/move-into-empty-root-inline-box-expected.txt: Added. + * editing/selection/move-into-empty-root-inline-box.html: Added. + 2012-01-31 Tony Chang [chromium] Fix css3/flexbox/cross-axis-scrollbar-expected to work on diff --git a/LayoutTests/editing/deleting/delete-start-block-expected.txt b/LayoutTests/editing/deleting/delete-start-block-expected.txt new file mode 100644 index 0000000..9626dee --- /dev/null +++ b/LayoutTests/editing/deleting/delete-start-block-expected.txt @@ -0,0 +1,5 @@ +This tests removing the start block. WebKit should not crash. +|
+|
+|
+|
diff --git a/LayoutTests/editing/deleting/delete-start-block.html b/LayoutTests/editing/deleting/delete-start-block.html new file mode 100644 index 0000000..a11faf5 --- /dev/null +++ b/LayoutTests/editing/deleting/delete-start-block.html @@ -0,0 +1,15 @@ +> diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index f9f8e55..2cb5e45 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,19 @@ +2012-01-31 Ryosuke Niwa + + Crash in DeleteSelectionCommand::handleGeneralDelete when attempting to delete the start block + https://bugs.webkit.org/show_bug.cgi?id=77077 + + Reviewed by Enrica Casucci. + + The crash was caused by a missing null check after removing the position out of the start block. + Fixed the bug by adding an early return. + + Tests: editing/deleting/delete-start-block.html + editing/selection/move-into-empty-root-inline-box.html + + * editing/DeleteSelectionCommand.cpp: + (WebCore::DeleteSelectionCommand::handleGeneralDelete): + 2012-01-31 Rafael Brandao HTMLIsIndexElement should not expose HTMLInputElement properties diff --git a/Source/WebCore/editing/DeleteSelectionCommand.cpp b/Source/WebCore/editing/DeleteSelectionCommand.cpp index 27f679f..839b734 100644 --- a/Source/WebCore/editing/DeleteSelectionCommand.cpp +++ b/Source/WebCore/editing/DeleteSelectionCommand.cpp @@ -418,6 +418,8 @@ void DeleteSelectionCommand::handleGeneralDelete() if (startNode == m_startBlock && startOffset == 0 && canHaveChildrenForEditing(startNode) && !startNode->hasTagName(tableTag)) { startOffset = 0; startNode = startNode->traverseNextNode(); + if (!startNode) + return; } if (startOffset >= caretMaxOffset(startNode) && startNode->isTextNode()) {
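Review bot: In the Source/WebCore/editing/DeleteSelectionCommand.cpp hunk, the new `if (!startNode) return;` after `startNode->traverseNextNode()` carries no comment saying when the traversal yields null, so the reason for bailing out is only recoverable from the ChangeLog. A one-line comment at the check (for example, that the start block has no following node in document order) would make the guard self-explanatory. The early return also skips the remainder of handleGeneralDelete(), so it is worth confirming that the rest of the command tolerates nothing having been removed in this path. Separately, `startOffset = 0;` on the context line above is redundant, since the enclosing condition already requires `startOffset == 0`.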
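Review bot: The LayoutTests/ChangeLog hunk does not match the test files this diff creates. The entry describes bug 76812 and lists editing/selection/move-into-empty-root-inline-box.html and its -expected.txt as added, but the new files visible in the diff are editing/deleting/delete-start-block.html and delete-start-block-expected.txt, which the entry never mentions. The Source/WebCore/ChangeLog hunk likewise names move-into-empty-root-inline-box.html under Tests, yet no such file appears in the visible diff. Either include the missing test files or correct the LayoutTests entry so it references bug 77077 and the delete-start-block test.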