Title: [148325] branches/safari-536.30-branch

Diff

Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148324 => 148325)


--- branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-13 00:37:46 UTC (rev 148324)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-13 00:46:21 UTC (rev 148325)
@@ -1,5 +1,22 @@
 2013-04-12  Ryosuke Niwa  <rn...@webkit.org>
 
+        Merge 130717.
+
+    2012-10-08  Yoshifumi Inoue  <yo...@chromium.org>
+
+            HTMLSelectElement::typeAheadFind depends on implementation dependent behavior
+            https://bugs.webkit.org/show_bug.cgi?id=98710
+
+            Reviewed by Kent Tamura.
+
+            This patch adds a test for checking HTMLSelectElement::typeAheadFind
+            doesn't crash.
+
+            * fast/forms/select/select-typeahead-crash-expected.txt: Added.
+            * fast/forms/select/select-typeahead-crash.html: Added.
+
+2013-04-12  Ryosuke Niwa  <rn...@webkit.org>
+
         Merge 117463.
 
     2012-05-17  Caio Marcelo de Oliveira Filho  <caio.olive...@openbossa.org>

Copied: branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt (from rev 130717, trunk/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt) (0 => 148325)


--- branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash-expected.txt	2013-04-13 00:46:21 UTC (rev 148325)
@@ -0,0 +1,12 @@
+Select element without option but optgroup causes crash on key press
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Please run this with DumpRenderTree.
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
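Review bot: the only result line in this baseline is `PASS successfullyParsed is true`, so the expectation can tell a crash from a non-crash and nothing else. Since the title describes a select with optgroups but no options, consider recording one observable state after the key presses (for example that the select's selectedIndex is unchanged) so a regression that stops crashing but picks a bogus item would also show up as a diff here.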

Copied: branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash.html (from rev 130717, trunk/LayoutTests/fast/forms/select/select-typeahead-crash.html) (0 => 148325)


--- branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash.html	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/forms/select/select-typeahead-crash.html	2013-04-13 00:46:21 UTC (rev 148325)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<p>Please run this with DumpRenderTree.</p>
+<select id="test"><optgroup></optgroup><optgroup></optgroup></select>
+<div id="console"></div>
+<script>
+description('Select element without option but optgroup causes crash on key press');
+function keyDown(key, modifiers)
+{
+    if (!window.eventSender)
+        return;
+    eventSender.keyDown(key, modifiers);
+}
+var test = document.getElementById("test");
+test.focus();
+keyDown('a');
+keyDown('b');
+</script>
+<script src=""
+</body>
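Review bot: in keyDown(), `if (!window.eventSender) return;` makes the test a silent no-op outside DumpRenderTree, and it still reports success there without sending either key. The page already says "Please run this with DumpRenderTree."; I'd also log a line through the test harness when eventSender is missing so a manual run is not mistaken for a pass. The file ends at `</body>` without a closing `</html>`, which is worth adding for tidiness.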

Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148324 => 148325)


--- branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-13 00:37:46 UTC (rev 148324)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-13 00:46:21 UTC (rev 148325)
@@ -1,5 +1,30 @@
 2013-04-12  Ryosuke Niwa  <rn...@webkit.org>
 
+        Merge 130717.
+
+    2012-10-08  Yoshifumi Inoue  <yo...@chromium.org>
+
+            HTMLSelectElement::typeAheadFind depends on implementation dependent behavior
+            https://bugs.webkit.org/show_bug.cgi?id=98710
+
+            Reviewed by Kent Tamura.
+
+            This patch gets rid of C/C++ implementation dependent behavior from
+            HTMLSelectElement::typeAheadFind() which does modulo operation with
+            a negative operand.
+
+            HTMLSelectElement::typeAheadFind() contains _expression_ with modulo
+            operator and dividend can be -1 when the "select" element without
+            "option" element but "optgroup" element.
+
+            Test: fast/forms/select/select-typeahead-crash.html
+
+            * html/HTMLSelectElement.cpp:
+            (WebCore::HTMLSelectElement::typeAheadFind): Changed to do modulo
+            operation with both operands are non-negative.
+
+2013-04-12  Ryosuke Niwa  <rn...@webkit.org>
+
         Merge 136619.
 
     2012-12-04  Abhishek Arya  <infe...@chromium.org>
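Review bot: the function-level entry for `(WebCore::HTMLSelectElement::typeAheadFind)` says only that the modulo is now done with non-negative operands; it does not mention that the function now returns without searching when optionToListIndex() gives a negative index, which is the behaviour change in HTMLSelectElement.cpp. Suggest stating the early return explicitly. Wording nits: "with both operands are non-negative" should read "with both operands non-negative", and "when the "select" element without "option" element but "optgroup" element" is missing a verb.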

Modified: branches/safari-536.30-branch/Source/WebCore/html/HTMLSelectElement.cpp (148324 => 148325)


--- branches/safari-536.30-branch/Source/WebCore/html/HTMLSelectElement.cpp	2013-04-13 00:37:46 UTC (rev 148324)
+++ branches/safari-536.30-branch/Source/WebCore/html/HTMLSelectElement.cpp	2013-04-13 00:46:21 UTC (rev 148325)
@@ -1452,8 +1452,10 @@
         return;
 
     int selected = selectedIndex();
-    int index = (optionToListIndex(selected >= 0 ? selected : 0) + searchStartOffset) % itemCount;
-    ASSERT(index >= 0);
+    int index = optionToListIndex(selected >= 0 ? selected : 0);
+    if (index < 0)
+        return;
+    index = (index + searchStartOffset) % itemCount;
 
     // Compute a case-folded copy of the prefix string before beginning the search for
     // a matching element. This code uses foldCase to work around the fact that
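Review bot: after the new `index = (index + searchStartOffset) % itemCount;` line nothing checks the final value any more, because the removed `ASSERT(index >= 0);` is not replaced. The added `if (index < 0) return;` covers only a negative result from optionToListIndex(); whether searchStartOffset can be negative and whether itemCount is guaranteed nonzero is decided outside this hunk (the leading `return;` suggests an earlier guard, but it is not visible here). I'd keep the assertion after the modulo, or add a one-line comment stating that searchStartOffset is non-negative and itemCount is positive at this point, so the index used by the search below is known to be in range.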
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
