WebKit Bugzilla
You need to log in before you can comment on or make changes to this bug.
visual word movement: crashes on CSS generated content
Created an attachment (id=132710) [details] patch w/ layout test Ryosuke, Thanks for the bug report!
I checked other pointer dereference codes, and I think they are mostly looks ok. How about the following when textBox is a not-null-InlineTextBox? textBox->textRenderer()->text()->characters() I think it is fine since InlineTextBox must have a text renderer. And it should have text()->characters() although it could be null. There is similar usage in https://cs.corp.google.com/#chrome/src/third_party/WebKit/Source/WebCore/rendering/InlineTextBox.cpp&q=textRenderer()%20package:%5Echrome$%20file:%5Esrc/third_party/WebKit/.*.cpp&type=cs&l=346
(From update of attachment 132710 [details]) View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review > LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 > +<head> No DOCTYPE?
(From update of attachment 132710 [details]) View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review >> LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 >> +<head> > > No DOCTYPE? I will update all the tests in another patch.
(From update of attachment 132710 [details]) Clearing flags on attachment: 132710 Committed r111469: <http://trac.webkit.org/changeset/111469>
All reviewed patches have been landed. Closing bug.