Bug 60071

Summary: Crash in SpellingCorrectionController::respondToChangedSelection
Product: WebKit Reporter: Enrica Casucci <enrica>
Component: HTML EditingAssignee: Enrica Casucci <enrica>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, rniwa
Priority: P2 Keywords: InRadar, PlatformOnly
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Patch rniwa: review+

Enrica Casucci
Reported 2011-05-03 15:27:08 PDT
Probably caused by not validating the selection bounds. <rdar://problem/9358190>
Attachments
Patch (4.21 KB, patch)
2011-05-03 15:58 PDT, Enrica Casucci 		rniwa: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Enrica Casucci
Comment 1 2011-05-03 15:58:37 PDT
Created attachment 92152 [details] Patch
Ryosuke Niwa
Comment 2 2011-05-03 16:02:37 PDT
Comment on attachment 92152 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92152&action=review > Source/WebCore/editing/SpellingCorrectionController.cpp:390 > + // Creating a Visible position triggers a layout and there is no > + // guarantee that the selection is still valid. Seems odd that layout cases a position to become null but okay.
Alexey Proskuryakov
Comment 3 2011-05-03 16:19:21 PDT
Is the _selection_ actually becoming invalid? The comment seems slightly confusing.
Enrica Casucci
Comment 4 2011-05-03 16:34:09 PDT
The selection is in a text field that gets hidden. The spelling code builds a VisiblePosition from the start position of the selection, producing a null position.
Ryosuke Niwa
Comment 5 2011-05-03 16:36:00 PDT
Comment on attachment 92152 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92152&action=review > LayoutTests/editing/selection/undo-crash-expected.txt:2 > +SUCCEEDED PASS might be more consistent with the rest of editing tests.
Ryosuke Niwa
Comment 6 2011-05-03 16:36:11 PDT
(In reply to comment #4) > The selection is in a text field that gets hidden. The spelling code builds a VisiblePosition from the start position of the selection, producing a null position. Makes sense.
Enrica Casucci
Comment 7 2011-05-03 16:42:09 PDT
http://trac.webkit.org/changeset/85687
Note You need to log in before you can comment on or make changes to this bug.