
Issue 808914


Issue metadata

Status: Fixed
Closed: Feb 2018
Pri: 1
Type: Bug




[LayoutNG] ComputeNGCaretPosition crashes with float ::first-letter

Project Member Reported by yoichio@chromium.org, Feb 5 2018

Issue description

Load the following html.
<style>
  .top {
    font-size: 30px;
    width: 200px
  }
</style>
<div class="top">
  foo<span id="span">bar</span>
</div>
<div class="top">
  <div id="foo">foo</div><div id="bar" contenteditable>bar</div>
</div>
<style>

  #div3:first-letter {
    float: right
  }
</style>
<div class="top" id="div3">foo<span>bar</span></div>
<script>
  var i = 0;
  setInterval(() => {
    i++;
    if (i > 2) i = 0;
    switch (i) {
      case 0:
        getSelection().setBaseAndExtent(span.firstChild, 1, span.firstChild, 2);
        return;
      case 1:
        getSelection().setBaseAndExtent(foo.firstChild, 1, bar.firstChild, 2);
        return;
      case 2:
        getSelection().setBaseAndExtent(div3.firstChild, 0, div3.firstChild, 2);
        return;
    }
  }, 500);
  getSelection().setBaseAndExtent(span.firstChild, 1, span.firstChild, 2);
</script>
 
Stack trace:
 	blink_core.dll!blink::ComputeNGCaretPosition(const blink::LayoutBlockFlow & context, unsigned int offset, blink::TextAffinity affinity) Line 422	C++	Symbols loaded.
 	blink_core.dll!blink::ComputeNGLocalCaretRect(const blink::LayoutBlockFlow & context, const blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & position) Line 460	C++	Symbols loaded.
 	blink_core.dll!blink::`anonymous namespace'::LocalCaretRectOfPositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >(const blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & position, blink::LayoutUnit * extra_width_to_end_of_line) Line 64	C++	Symbols loaded.
 	blink_core.dll!blink::LocalCaretRectOfPosition(const blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & position, blink::LayoutUnit * extra_width_to_end_of_line) Line 157	C++	Symbols loaded.
 	blink_core.dll!blink::AbsoluteCaretRectOfPosition(const blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & position, blink::LayoutUnit * extra_width_to_end_of_line) Line 1191	C++	Symbols loaded.
 	blink_core.dll!blink::Editor::FirstRectForRange(const blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & range) Line 1479	C++	Symbols loaded.
 	blink_core.dll!blink::FrameSelection::ComputeAbsoluteBounds(blink::IntRect & anchor, blink::IntRect & focus) Line 543	C++	Symbols loaded.
 	blink_core.dll!blink::WebViewImpl::SelectionBounds(blink::WebRect & anchor_web, blink::WebRect & focus_web) Line 2224	C++	Symbols loaded.
 	blink_core.dll!blink::WebViewFrameWidget::SelectionBounds(blink::WebRect & anchor, blink::WebRect & focus) Line 137	C++	Symbols loaded.
 	content.dll!content::RenderWidget::GetSelectionBounds(gfx::Rect * focus, gfx::Rect * anchor) Line 2264	C++	Symbols loaded.
 	content.dll!content::RenderWidget::UpdateSelectionBounds() Line 2294	C++	Symbols loaded.
 	content.dll!content::RenderWidget::WillBeginCompositorFrame() Line 1106	C++	Symbols loaded.
 	content.dll!content::RenderWidgetCompositor::WillBeginMainFrame() Line 1176	C++	Symbols loaded.
 	cc.dll!cc::LayerTreeHost::WillBeginMainFrame() Line 247	C++	Symbols loaded.

Summary: [LayoutNG] ComputeNGCaretPosition crashes with float ::first-letter (was: [LayoutNG] ComputeNGCaretPosition crashes when FrameSelection::ComputeAbsoluteBounds is called.)

Comment 3 by bugdroid1@chromium.org, Feb 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/872b5e325643829e279921d8b7f06365e4baaff7

commit 872b5e325643829e279921d8b7f06365e4baaff7
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Tue Feb 06 04:59:57 2018

[LayoutNG] Fix caret position resolution when dealing with floats

The current caret position resolution algorithm assumes that all
descendants of an inline formatting context fragment are inline, and
hence contained in a line box. This is not the case with floats and
out-of-flow positioned fragments.

This patch makes the algorithm handle them correctly.

Bug:  808914 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_layout_ng
Change-Id: If238323a9b9694fb4a9d1668254a89eea8d6756e
Reviewed-on: https://chromium-review.googlesource.com/902685
Reviewed-by: Emil A Eklund <eae@chromium.org>
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534629}
[modify] https://crrev.com/872b5e325643829e279921d8b7f06365e4baaff7/third_party/WebKit/Source/core/editing/LocalCaretRectTest.cpp
[modify] https://crrev.com/872b5e325643829e279921d8b7f06365e4baaff7/third_party/WebKit/Source/core/layout/ng/inline/ng_caret_rect.cc

Status: Fixed (was: Assigned)
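
The assumption described in the commit message above, shown as an added simplified model; this is not Chromium's code and not the patch itself. `Fragment`, `Kind`, `ContainingLineBox` and `BuildSample` are hypothetical names, and the tree is constructed to resemble the report's `#div3` case, where the floated `::first-letter` text has no line box ancestor and a lookup that assumes one would dereference null.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical, simplified fragment model (not Blink's classes).
enum class Kind { kBlock, kLineBox, kText, kFloat, kOutOfFlow };

struct Fragment {
  Kind kind = Kind::kBlock;
  const Fragment* parent = nullptr;
  std::vector<std::unique_ptr<Fragment>> children;
  Fragment* Add(Kind k) {
    children.push_back(std::make_unique<Fragment>());
    children.back()->kind = k;
    children.back()->parent = this;
    return children.back().get();
  }
};

// Returns the line box holding |f| inside |root|'s inline formatting context,
// or nullptr when |f| sits in a float or out-of-flow subtree and so has none.
const Fragment* ContainingLineBox(const Fragment* f, const Fragment* root) {
  for (const Fragment* p = f->parent; p && p != root; p = p->parent) {
    if (p->kind == Kind::kFloat || p->kind == Kind::kOutOfFlow) return nullptr;
    if (p->kind == Kind::kLineBox) return p;
  }
  return nullptr;
}

struct Sample {
  std::unique_ptr<Fragment> root;
  const Fragment* first_letter = nullptr;  // text in the floated ::first-letter
  const Fragment* rest = nullptr;          // remaining text, inside the line box
  const Fragment* line = nullptr;
};

// Constructed tree shaped like the report's #div3: one float, one line box.
Sample BuildSample() {
  Sample s;
  s.root = std::make_unique<Fragment>();
  s.first_letter = s.root->Add(Kind::kFloat)->Add(Kind::kText);
  Fragment* line = s.root->Add(Kind::kLineBox);
  s.rest = line->Add(Kind::kText);
  s.line = line;
  return s;
}

int main() {
  Sample s = BuildSample();
  std::printf("rest has line box: %d\n", ContainingLineBox(s.rest, s.root.get()) == s.line);
  std::printf("first-letter has line box: %d\n", ContainingLineBox(s.first_letter, s.root.get()) != nullptr);
}
```

A caller in this model has to treat the `nullptr` result as a distinct case and choose a fallback instead of using the line box unconditionally.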
