[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

Wed Dec 22 14:39:40 UTC 2010

The following commit has been merged in the debian/experimental branch:
commit dda08b0e78ddd114453b167e7db248850fb2c15b
Author: jschuh at chromium.org <jschuh at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 15 01:50:40 2010 +0000

    2010-10-14  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by James Robinson.
    
            Crash in HTMLTextFormControlElement::selection()
            https://bugs.webkit.org/show_bug.cgi?id=47522
    
            Patch by Ryosuke Niwa  <rniwa at webkit.org>
    
            The bug was caused by our triggering layout inside RenderTextControl::selection.
            Fixed it by changing the return type of RenderTextControl::selection to PassRefPtr<Range> from VisibleSelection.
    
            Test: fast/forms/render-text-crash.html
    
            * editing/Editor.cpp:
            (WebCore::Editor::selectionForCommand): Calls HTMLTextFormControlElement::selection.
            * html/HTMLFormControlElement.cpp:
            (WebCore::HTMLTextFormControlElement::selection): Calls RenderTextControl::selection.
            * html/HTMLFormControlElement.h:
            * rendering/RenderTextControl.cpp:
            (WebCore::RenderTextControl::selection): Changed the return type.
            * rendering/RenderTextControl.h:
    2010-10-14  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by James Robinson.
    
            Crash in HTMLTextFormControlElement::selection()
            https://bugs.webkit.org/show_bug.cgi?id=47522
    
            Patch by Ryosuke Niwa  <rniwa at webkit.org>
    
            Added a test to ensure WebKit does not crash when moving selection between input elements.
    
            * fast/forms/render-text-crash-expected.txt: Added.
            * fast/forms/render-text-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69831 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c3a4f5c..3999668 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-14  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by James Robinson.
+
+        Crash in HTMLTextFormControlElement::selection()
+        https://bugs.webkit.org/show_bug.cgi?id=47522
+
+        Patch by Ryosuke Niwa  <rniwa at webkit.org>
+
+        Added a test to ensure WebKit does not crash when moving selection between input elements.
+
+        * fast/forms/render-text-crash-expected.txt: Added.
+        * fast/forms/render-text-crash.html: Added.
+
 2010-10-14  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Simon Fraser.
diff --git a/LayoutTests/fast/forms/render-text-crash-expected.txt b/LayoutTests/fast/forms/render-text-crash-expected.txt
new file mode 100644
index 0000000..643f784
--- /dev/null
+++ b/LayoutTests/fast/forms/render-text-crash-expected.txt
@@ -0,0 +1,3 @@
+To run this test manually, press arrow keys three times. WebKit should not crash. On DRT, you see see PASS:
+
+ PASS
diff --git a/LayoutTests/fast/forms/render-text-crash.html b/LayoutTests/fast/forms/render-text-crash.html
new file mode 100644
index 0000000..3fee346
--- /dev/null
+++ b/LayoutTests/fast/forms/render-text-crash.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>To run this test manually, press arrow keys three times. WebKit should not crash. On DRT, you see see PASS:</p>
+<input type="text" onkeydown="move(this.nextSibling)"
+><input type="text" onkeydown="move(this.nextSibling)"
+><input type="text" onkeydown="move(this.nextSibling)"
+><input type="text" onkeydown="move(this.nextSibling)"
+><input type="text" onkeydown="move(this.nextSibling)"
+><input type="text" onkeydown="move(this.nextSibling)">
+<script type="text/javascript">
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var activeInput = null;
+
+function move(newInput)
+{
+    newInput.className = '';
+    newInput.style.dispaly = '';
+    newInput.focus();
+    if (activeInput)
+        activeInput.style.display = 'none';
+    activeInput = newInput;
+}
+
+var inputs = document.getElementsByTagName('input');
+move(inputs[0]);
+
+if (window.eventSender) {
+    layoutTestController.waitUntilDone();
+    for (var i = 0; i < inputs.length - 1; i++)
+        eventSender.keyDown('downArrow', []);
+    layoutTestController.notifyDone();
+}
+
+document.body.appendChild(document.createTextNode('PASS'));
+</script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 689ac7b..77e2ea5 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-10-14  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by James Robinson.
+
+        Crash in HTMLTextFormControlElement::selection()
+        https://bugs.webkit.org/show_bug.cgi?id=47522
+
+        Patch by Ryosuke Niwa  <rniwa at webkit.org>
+
+        The bug was caused by our triggering layout inside RenderTextControl::selection.
+        Fixed it by changing the return type of RenderTextControl::selection to PassRefPtr<Range> from VisibleSelection.
+
+        Test: fast/forms/render-text-crash.html
+
+        * editing/Editor.cpp:
+        (WebCore::Editor::selectionForCommand): Calls HTMLTextFormControlElement::selection.
+        * html/HTMLFormControlElement.cpp:
+        (WebCore::HTMLTextFormControlElement::selection): Calls RenderTextControl::selection.
+        * html/HTMLFormControlElement.h:
+        * rendering/RenderTextControl.cpp:
+        (WebCore::RenderTextControl::selection): Changed the return type.
+        * rendering/RenderTextControl.h:
+
 2010-10-14  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Simon Fraser.
diff --git a/WebCore/editing/Editor.cpp b/WebCore/editing/Editor.cpp
index b41f8e8..7ac6532 100644
--- a/WebCore/editing/Editor.cpp
+++ b/WebCore/editing/Editor.cpp
@@ -95,10 +95,14 @@ VisibleSelection Editor::selectionForCommand(Event* event)
     Node* target = event->target()->toNode();
     Node* selectionStart = selection.start().node();
     if (target && (!selectionStart || target->shadowAncestorNode() != selectionStart->shadowAncestorNode())) {
+        RefPtr<Range> range;
         if (target->hasTagName(inputTag) && static_cast<HTMLInputElement*>(target)->isTextField())
-            return static_cast<HTMLInputElement*>(target)->selection();
-        if (target->hasTagName(textareaTag))
-            return static_cast<HTMLTextAreaElement*>(target)->selection();
+            range = static_cast<HTMLInputElement*>(target)->selection();
+        else if (target->hasTagName(textareaTag))
+            range = static_cast<HTMLTextAreaElement*>(target)->selection();
+
+        if (range)
+            return VisibleSelection(range.get());
     }
     return selection;
 }
diff --git a/WebCore/html/HTMLFormControlElement.cpp b/WebCore/html/HTMLFormControlElement.cpp
index 2080d91..215e502 100644
--- a/WebCore/html/HTMLFormControlElement.cpp
+++ b/WebCore/html/HTMLFormControlElement.cpp
@@ -592,10 +592,10 @@ int HTMLTextFormControlElement::selectionEnd()
     return toRenderTextControl(renderer())->selectionEnd();
 }
 
-VisibleSelection HTMLTextFormControlElement::selection() const
+PassRefPtr<Range> HTMLTextFormControlElement::selection() const
 {
     if (!renderer() || !isTextFormControl() || cachedSelectionStart() < 0 || cachedSelectionEnd() < 0)
-        return VisibleSelection();
+        return 0;
     return toRenderTextControl(renderer())->selection(cachedSelectionStart(), cachedSelectionEnd());
 }
 
diff --git a/WebCore/html/HTMLFormControlElement.h b/WebCore/html/HTMLFormControlElement.h
index b685896..4792dba 100644
--- a/WebCore/html/HTMLFormControlElement.h
+++ b/WebCore/html/HTMLFormControlElement.h
@@ -187,7 +187,7 @@ public:
     void setSelectionEnd(int);
     void select();
     void setSelectionRange(int start, int end);
-    VisibleSelection selection() const;
+    PassRefPtr<Range> selection() const;
 
 protected:
     HTMLTextFormControlElement(const QualifiedName&, Document*, HTMLFormElement*);
diff --git a/WebCore/rendering/RenderTextControl.cpp b/WebCore/rendering/RenderTextControl.cpp
index f48081b..7cfe7c9 100644
--- a/WebCore/rendering/RenderTextControl.cpp
+++ b/WebCore/rendering/RenderTextControl.cpp
@@ -262,10 +262,12 @@ void RenderTextControl::setSelectionRange(int start, int end)
         frame->selection()->setSelection(newSelection);
 }
 
-VisibleSelection RenderTextControl::selection(int start, int end) const
+PassRefPtr<Range> RenderTextControl::selection(int start, int end) const
 {
-    return VisibleSelection(VisiblePosition(m_innerText.get(), start, VP_DEFAULT_AFFINITY),
-                            VisiblePosition(m_innerText.get(), end, VP_DEFAULT_AFFINITY));
+    if (!m_innerText)
+        return 0;
+
+    return Range::create(document(), m_innerText, start, m_innerText, end);
 }
 
 VisiblePosition RenderTextControl::visiblePositionForIndex(int index)
diff --git a/WebCore/rendering/RenderTextControl.h b/WebCore/rendering/RenderTextControl.h
index a33f11d..84d7b0b 100644
--- a/WebCore/rendering/RenderTextControl.h
+++ b/WebCore/rendering/RenderTextControl.h
@@ -46,7 +46,7 @@ public:
     void setSelectionEnd(int);
     void select();
     void setSelectionRange(int start, int end);
-    VisibleSelection selection(int start, int end) const;
+    PassRefPtr<Range> selection(int start, int end) const;
 
     virtual void subtreeHasChanged();
     String text();

-- 
WebKit Debian packaging

