Skip to site navigation (Press enter)

[webkit-changes] [144894] trunk

tony Wed, 06 Mar 2013 00:27:44 -0800

Title: [144894] trunk

Revision: 144894
Author: t...@chromium.org
Date: 2013-03-06 00:29:42 -0800 (Wed, 06 Mar 2013)

Log Message

Crash during middle mouse click when page is removed
https://bugs.webkit.org/show_bug.cgi?id=111489


Reviewed by Hajime Morrita.

Source/WebCore:

Check for a null page that can happen if we remove the document from the DOM.
The other methods in EventHandler also check for a null page.

Test: editing/pasteboard/selection-paste-crash.html

* page/EventHandler.cpp:
(WebCore::EventHandler::handlePasteGlobalSelection):

LayoutTests:

* editing/pasteboard/resources/selection-paste-crash.html: Added.
* editing/pasteboard/selection-paste-crash-expected.txt: Added.
* editing/pasteboard/selection-paste-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/EventHandler.cpp

Added Paths

trunk/LayoutTests/editing/pasteboard/resources/selection-paste-crash.html
trunk/LayoutTests/editing/pasteboard/selection-paste-crash-expected.txt
trunk/LayoutTests/editing/pasteboard/selection-paste-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (144893 => 144894)


--- trunk/LayoutTests/ChangeLog	2013-03-06 08:11:23 UTC (rev 144893)
+++ trunk/LayoutTests/ChangeLog	2013-03-06 08:29:42 UTC (rev 144894)
@@ -1,3 +1,14 @@
+2013-03-06  Tony Chang  <t...@chromium.org>
+
+        Crash during middle mouse click when page is removed
+        https://bugs.webkit.org/show_bug.cgi?id=111489
+
+        Reviewed by Hajime Morrita.
+
+        * editing/pasteboard/resources/selection-paste-crash.html: Added.
+        * editing/pasteboard/selection-paste-crash-expected.txt: Added.
+        * editing/pasteboard/selection-paste-crash.html: Added.
+
 2013-03-05  Claudio Saavedra  <csaave...@igalia.com>
 
         Make toggle-unlink.html test Mac specific behaviour

Added: trunk/LayoutTests/editing/pasteboard/resources/selection-paste-crash.html (0 => 144894)


--- trunk/LayoutTests/editing/pasteboard/resources/selection-paste-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/resources/selection-paste-crash.html	2013-03-06 08:29:42 UTC (rev 144894)
@@ -0,0 +1 @@
+<body _onclick_="parent.removeIframe()">
\ No newline at end of file

Added: trunk/LayoutTests/editing/pasteboard/selection-paste-crash-expected.txt (0 => 144894)


--- trunk/LayoutTests/editing/pasteboard/selection-paste-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/selection-paste-crash-expected.txt	2013-03-06 08:29:42 UTC (rev 144894)
@@ -0,0 +1,3 @@
+This test passes if middle mouse clicking in the rectangle below does not crash.
+
+

Added: trunk/LayoutTests/editing/pasteboard/selection-paste-crash.html (0 => 144894)


--- trunk/LayoutTests/editing/pasteboard/selection-paste-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/selection-paste-crash.html	2013-03-06 08:29:42 UTC (rev 144894)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test passes if middle mouse clicking in the rectangle below does not crash.</p>
+<iframe id="iframe" src=''></iframe>
+<script>
+var iframe = document.getElementById("iframe");
+
+function removeIframe()
+{
+    document.body.removeChild(iframe);
+}
+
+window._onload_ = function() {
+    if (!window.testRunner || !window.eventSender)
+        return;
+    testRunner.dumpAsText();
+
+    var x = iframe.offsetLeft + iframe.offsetWidth / 2;
+    var y = iframe.offsetTop + iframe.offsetHeight / 2;
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseDown(1);
+    eventSender.mouseUp(1);
+}
+</script>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (144893 => 144894)


--- trunk/Source/WebCore/ChangeLog	2013-03-06 08:11:23 UTC (rev 144893)
+++ trunk/Source/WebCore/ChangeLog	2013-03-06 08:29:42 UTC (rev 144894)
@@ -1,3 +1,18 @@
+2013-03-06  Tony Chang  <t...@chromium.org>
+
+        Crash during middle mouse click when page is removed
+        https://bugs.webkit.org/show_bug.cgi?id=111489
+
+        Reviewed by Hajime Morrita.
+
+        Check for a null page that can happen if we remove the document from the DOM.
+        The other methods in EventHandler also check for a null page.
+
+        Test: editing/pasteboard/selection-paste-crash.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handlePasteGlobalSelection):
+
 2013-03-05  Eric Seidel  <e...@webkit.org>
 
         Replace shouldLazyAttach bool with an enum for readability

Modified: trunk/Source/WebCore/page/EventHandler.cpp (144893 => 144894)


--- trunk/Source/WebCore/page/EventHandler.cpp	2013-03-06 08:11:23 UTC (rev 144893)
+++ trunk/Source/WebCore/page/EventHandler.cpp	2013-03-06 08:29:42 UTC (rev 144894)
@@ -1868,6 +1868,8 @@
         return false;
 #endif
 
+    if (!m_frame->page())
+        return false;
     Frame* focusFrame = m_frame->page()->focusController()->focusedOrMainFrame();
     // Do not paste here if the focus was moved somewhere else.
     if (m_frame == focusFrame && m_frame->editor()->client()->supportsGlobalSelection())

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes