Bug 28474

Summary: REGRESSION(r45316), Crash: WebKit crashes in Google Sites when indenting a table
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: HTML Editing
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Critical
CC: darin, ojan
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: PC
OS: All
Attachments:
- demo, crashes your WebKit (flags: none)
- fixes the bug, one line change. (flags: darin: review+)

Description Ryosuke Niwa 2009-08-19 17:00:38 PDT
What steps will reproduce the problem?
1. Create a table in a Google Sites page. For example, 2x2. I think any size will do.
2. Click next to the right of the table, outside of it.
3. Click in the 'indent right' button.

What is the expected result?
The table is indented to the right.

Chromium bug report: http://code.google.com/p/chromium/issues/detail?id=18284

This could be a regression due to http://trac.webkit.org/changeset/45316.
Comment 1 Ryosuke Niwa 2009-08-19 20:13:20 PDT
Created attachment 35179 [details]
demo, crashes your WebKit
Comment 2 Ryosuke Niwa 2009-08-19 20:23:44 PDT
Created attachment 35182 [details]
fixes the bug, one line change.
Comment 3 Darin Adler 2009-08-19 21:59:30 PDT
Comment on attachment 35182 [details]
fixes the bug, one line change.

Can endOfCurrentParagraph ever have 0 for a node?

r=me assuming the answer is no
Comment 4 Ryosuke Niwa 2009-08-19 22:37:42 PDT
(In reply to comment #3)
> (From update of attachment 35182 [details])
> Can endOfCurrentParagraph ever have 0 for a node?
> 
> r=me assuming the answer is no

It should never be.  We could add an ASSERT there, but the ending condition of the while loop is that we traverse through nodes until we reach the end of the selection.  So should it ever be null, we fall into an infinite loop.

http://trac.webkit.org/browser/trunk/WebCore/editing/IndentOutdentCommand.cpp#L207
Comment 5 Ryosuke Niwa 2009-08-20 22:29:34 PDT
Landed in http://trac.webkit.org/changeset/47608.