Bug 75941

Summary: [crash] Renderer crashes when spell checking a disabled input field.
Product: WebKit Reporter: Shinya Kawanaka <shinyak>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: rniwa, tkent, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Shinya Kawanaka
Reported 2012-01-09 23:39:58 PST
ReplaceSelectionCommand::doApply() crashes if input element is disabled. This won't happen if a command is invoked from execCommand or something though, because the command invocation is prevented if an input element is disabled. Repro on chromium: 1. Open a page with <input disabled value=foobar> 2. Right click on the word "foobar" 3. Correct it to "footer" http://crbug.com/109622
Attachments
Patch (10.31 KB, patch)
2012-01-10 00:44 PST, Shinya Kawanaka 		no flags
DetailsFormatted DiffDiff
Patch (11.71 KB, patch)
2012-01-10 05:15 PST, Shinya Kawanaka 		no flags
DetailsFormatted DiffDiff
Patch (3.75 KB, patch)
2012-01-11 17:39 PST, Shinya Kawanaka 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Shinya Kawanaka
Comment 1 2012-01-10 00:44:08 PST
Created attachment 121806 [details] Patch
Kent Tamura
Comment 2 2012-01-10 00:52:46 PST
(In reply to comment #0) > This won't happen if a command is invoked from execCommand or something though, because the command invocation is prevented if an input element is disabled. Don't non-Chromium ports have this problem? If not, we should put the test to LayoutTests/platform/chromium/.
Kent Tamura
Comment 3 2012-01-10 01:21:11 PST
(In reply to comment #0) > This won't happen if a command is invoked from execCommand or something though, because the command invocation is prevented if an input element is disabled. Can we add similar check to WebFrameImpl::replaceSelection()?
Shinya Kawanaka
Comment 4 2012-01-10 05:06:57 PST
(In reply to comment #2) > (In reply to comment #0) > > This won't happen if a command is invoked from execCommand or something though, because the command invocation is prevented if an input element is disabled. > > Don't non-Chromium ports have this problem? > If not, we should put the test to LayoutTests/platform/chromium/. This crash might happen, but in the other ports currently some checks seems performed before calling replaceSelection. We should add LaytoutTestController::replaceSelection in the other ports to perform tests, but I just have prioritized fixing chrome crash problem.
Shinya Kawanaka
Comment 5 2012-01-10 05:15:31 PST
Created attachment 121832 [details] Patch
Ryosuke Niwa
Comment 6 2012-01-10 10:29:52 PST
Comment on attachment 121832 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=121832&action=review > Source/WebKit/chromium/src/WebFrameImpl.cpp:1127 > + if (!frame()->selection()->isContentEditable()) > + return; > + This check should be done inside Editor::replaceSelectionWithText > Tools/DumpRenderTree/chromium/LayoutTestController.cpp:809 > +void LayoutTestController::replaceSelection(const CppArgumentList& arguments, CppVariant* result) > +{ > + if (arguments.size() <= 0 || !arguments[0].isString()) { > + result->setNull(); > + return; > + } > + > + std::string text = arguments[0].toString(); > + m_shell->webView()->focusedFrame()->replaceSelection(WebString::fromUTF8(text)); > +} I'm not certain it's such a good idea to add a new method on layoutTestController for this one specific test. It's probably okay not to add a test for this fix or add a manual test.
Shinya Kawanaka
Comment 7 2012-01-11 17:39:37 PST
Created attachment 122144 [details] Patch
Shinya Kawanaka
Comment 8 2012-01-11 17:40:21 PST
> I'm not certain it's such a good idea to add a new method on layoutTestController for this one specific test. It's probably okay not to add a test for this fix or add a manual test. I've added a manual test.
Hajime Morrita
Comment 9 2012-01-16 02:03:53 PST
Comment on attachment 122144 [details] Patch r+, seeing Ryosuke's points are addressed in the latest patch.
WebKit Review Bot
Comment 10 2012-01-16 03:31:53 PST
Comment on attachment 122144 [details] Patch Clearing flags on attachment: 122144 Committed r105050: <http://trac.webkit.org/changeset/105050>
WebKit Review Bot
Comment 11 2012-01-16 03:31:58 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.