Summary: | Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply
---|---
Product: | WebKit
Component: | New Bugs
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
Version: | WebKit Nightly Build
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Ryosuke Niwa <rniwa>
Assignee: | Ryosuke Niwa <rniwa>
CC: | ap, cdumez, commit-queue, darin, enrica
Keywords: | InRadar

Description
Ryosuke Niwa
2016-07-20 21:44:49 PDT
Created attachment 284188 [details]
Fixes the bug

Comment on attachment 284188 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review

> Source/WebCore/editing/DeleteSelectionCommand.cpp:867
> + if (textNode.length() && textNode.renderer())

Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future?

Comment on attachment 284188 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review

>> Source/WebCore/editing/DeleteSelectionCommand.cpp:867
>> + if (textNode.length() && textNode.renderer())
>
> Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future?

We try to avoid selecting a node without renderer but I wouldn't be surprised if we ended up getting it. In general, I don't think m_endingPosition has any sort of guarantee like VisiblePosition's deepEquivalent.

Comment on attachment 284188 [details]
Fixes the bug

Clearing flags on attachment: 284188

Committed r203518: <http://trac.webkit.org/changeset/203518>

All reviewed patches have been landed. Closing bug.