Bug 28474

Summary: REGESSION(r45316), Crash: WebKit crashes in Google Sites when indenting a table
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Critical CC: darin, ojan
Priority: P1 Keywords: Regression
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
demo, crashes your WebKit
none
fixes the bug, one line change. darin: review+

Ryosuke Niwa
Reported 2009-08-19 17:00:38 PDT
What steps will reproduce the problem? 1. Create a table in a Google Sites page. For example, 2x2. I think any size will do. 2. Click next to the right of the table, outside of it. 3. Click in the 'indent right' button. What is the expected result? The table is indented to the right. Chromium bug report: http://code.google.com/p/chromium/issues/detail?id=18284 This could be a regression due to http://trac.webkit.org/changeset/45316.
Attachments
demo, crashes your WebKit (433 bytes, text/html)
2009-08-19 20:13 PDT, Ryosuke Niwa 		no flags
Details
fixes the bug, one line change. (3.87 KB, patch)
2009-08-19 20:23 PDT, Ryosuke Niwa 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2009-08-19 20:13:20 PDT
Created attachment 35179 [details] demo, crashes your WebKit
Ryosuke Niwa
Comment 2 2009-08-19 20:23:44 PDT
Created attachment 35182 [details] fixes the bug, one line change.
Darin Adler
Comment 3 2009-08-19 21:59:30 PDT
Comment on attachment 35182 [details] fixes the bug, one line change. Can endOfCurrentParagraph ever have 0 for a node? r=me assuming the answer is no
Ryosuke Niwa
Comment 4 2009-08-19 22:37:42 PDT
(In reply to comment #3) > (From update of attachment 35182 [details]) > Can endOfCurrentParagraph ever have 0 for a node? > > r=me assuming the answer is no It should never be. We could add an ASSERT there but the ending condition of the while loop is that we traverse through nodes until we reach end of selection. So should it ever be null, we fall into an infinite loop. http://trac.webkit.org/browser/trunk/WebCore/editing/IndentOutdentCommand.cpp#L207
Ryosuke Niwa
Comment 5 2009-08-20 22:29:34 PDT
Landed in http://trac.webkit.org/changeset/47608.
Note You need to log in before you can comment on or make changes to this bug.