| Summary: | visual word movement: crashes on CSS generated content | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Xiaomei Ji <xji> | ||||
| Component: | HTML Editing | Assignee: | Nobody <webkit-unassigned> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | rniwa, webkit.review.bot | ||||
| Priority: | P2 | ||||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 25298 | ||||||
| Attachments: |
|
||||||
|
Description
Xiaomei Ji
2012-03-19 16:08:47 PDT
Created attachment 132710 [details]
patch w/ layout test
Ryosuke, Thanks for the bug report!
I checked other pointer dereference codes, and I think they are mostly looks ok. How about the following when textBox is a not-null-InlineTextBox? textBox->textRenderer()->text()->characters() I think it is fine since InlineTextBox must have a text renderer. And it should have text()->characters() although it could be null. There is similar usage in https://cs.corp.google.com/#chrome/src/third_party/WebKit/Source/WebCore/rendering/InlineTextBox.cpp&q=textRenderer()%20package:%5Echrome$%20file:%5Esrc/third_party/WebKit/.*.cpp&type=cs&l=346 Comment on attachment 132710 [details] patch w/ layout test View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review > LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 > +<head> No DOCTYPE? Comment on attachment 132710 [details] patch w/ layout test View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review >> LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 >> +<head> > > No DOCTYPE? I will update all the tests in another patch. Comment on attachment 132710 [details] patch w/ layout test Clearing flags on attachment: 132710 Committed r111469: <http://trac.webkit.org/changeset/111469> All reviewed patches have been landed. Closing bug. |