| Summary: | Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Ryosuke Niwa <rniwa> | ||||
| Component: | New Bugs | Assignee: | Ryosuke Niwa <rniwa> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ap, cdumez, commit-queue, darin, enrica | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Ryosuke Niwa
2016-07-20 21:44:49 PDT
Created attachment 284188 [details]
Fixes the bug
Comment on attachment 284188 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review > Source/WebCore/editing/DeleteSelectionCommand.cpp:867 > + if (textNode.length() && textNode.renderer()) Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future? Comment on attachment 284188 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review >> Source/WebCore/editing/DeleteSelectionCommand.cpp:867 >> + if (textNode.length() && textNode.renderer()) > > Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future? We try to avoid selecting a node without renderer but I wouldn't be surprised if we ended up getting it. In general, I don't think m_endingPosition has any sort of guarantee like VisiblePosition's deepEquivalent. Comment on attachment 284188 [details] Fixes the bug Clearing flags on attachment: 284188 Committed r203518: <http://trac.webkit.org/changeset/203518> All reviewed patches have been landed. Closing bug. |