Bug 699353 - Don't attempt to paint the caret if the offset for the frame is invalid; r=roc; r=roc
authorEhsan Akhgari <ehsan@mozilla.com>
Thu, 26 Jan 2012 16:40:25 -0500
changeset 86534 7dcf885c2139da3f9ff9ff9dc95ca9eb74dd6073
parent 86533 6ddb4ad758e5690643ea6a71c04b0a1bbe92dcd5
child 86535 41842e41890e96859313c1d6e8f2a1ba0c8f3463
push id5913
push usereakhgari@mozilla.com
push dateThu, 09 Feb 2012 20:41:58 +0000
reviewersroc, roc
bugs699353
milestone13.0a1
Bug 699353 - Don't attempt to paint the caret if the offset for the frame is invalid; r=roc; r=roc
layout/base/crashtests/699353-1.html
layout/base/crashtests/crashtests.list
layout/base/nsCaret.cpp
layout/base/tests/bug682712-1.html
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/699353-1.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+
+<script>
+
+function boom()
+{
+  document.execCommand("inserthtml", false, "ABC ");
+  document.execCommand("delete", false, null);
+  document.execCommand("inserthtml", false, "<style>");
+}
+
+</script>
+</head>
+
+<body onload="setTimeout(boom, 0);" contenteditable="true"></body>
+</html>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -341,10 +341,11 @@ load 663662-1.html
 load 663662-2.html
 load 665837.html
 load 668941.xhtml
 load 670226.html
 asserts(2) load 675246-1.xhtml # Bug 675713
 load 691118-1.html
 load 695861.html
 load 698335.html
+needs-focus pref(accessibility.browsewithcaret,true) load 699353-1.html
 load 707098.html
 load 722137.html
--- a/layout/base/nsCaret.cpp
+++ b/layout/base/nsCaret.cpp
@@ -528,16 +528,24 @@ void nsCaret::PaintCaret(nsDisplayListBu
   const nsRect drawCaretRect = mCaretRect + aOffset;
   PRInt32 contentOffset;
 
 #ifdef DEBUG
   nsIFrame* frame =
 #endif
     GetCaretFrame(&contentOffset);
   NS_ASSERTION(frame == aForFrame, "We're referring different frame");
+  // If the offset falls outside of the frame, then don't paint the caret.
+  PRInt32 startOffset, endOffset;
+  if (aForFrame->GetType() == nsGkAtoms::textFrame &&
+      (NS_FAILED(aForFrame->GetOffsets(startOffset, endOffset)) ||
+      startOffset > contentOffset ||
+      endOffset < contentOffset)) {
+    return;
+  }
   nscolor foregroundColor = aForFrame->GetCaretColorAt(contentOffset);
 
   // Only draw the native caret if the foreground color matches that of
   // -moz-fieldtext (the color of the text in a textbox). If it doesn't match
   // we are likely in contenteditable or a custom widget and we risk being hard to see
   // against the background. In that case, fall back to the CSS color.
   nsPresContext* presContext = aForFrame->PresContext();
 
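Review bot: The new guard in PaintCaret returns silently when `contentOffset` lies outside `[startOffset, endOffset]`, so a caret whose stored offset has gone stale is simply not painted and nothing records that it happened. A debug-only warning before the `return;`, e.g. `NS_WARNING("Caret offset is outside its text frame; skipping paint");`, would keep the inconsistency visible. The check also runs only for `nsGkAtoms::textFrame` and only at paint time; presumably other readers of the offset returned by `GetCaretFrame` still see the stale value, so it is worth confirming that the caret state is refreshed when content is removed. The two continuation lines `startOffset > contentOffset ||` and `endOffset < contentOffset)) {` sit inside the inner parenthesis and should be indented one more column to show that grouping. PaintCaret begins and ends outside this hunk.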
--- a/layout/base/tests/bug682712-1.html
+++ b/layout/base/tests/bug682712-1.html
@@ -16,17 +16,17 @@
         document.body.clientWidth;
         iframe.style.display = "";
         document.body.clientWidth;
 
         setTimeout(function() {
           synthesizeMouse(iframe, 10, 10, {});
 
           // Now try to move the caret
-          win.getSelection().collapse(doc.body.firstChild, 1);
+          win.getSelection().collapse(doc.body.firstChild, 0);
           synthesizeKey("VK_RIGHT", {});
 
           document.documentElement.removeAttribute("class");
         }, 0);
       }
     </script>
   </body>
 </html>
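Review bot: The collapse offset changes from 1 to 0 at `win.getSelection().collapse(doc.body.firstChild, 0);` with no explanation in the test or in the commit message. Presumably offset 1 was out of range for the first child and the caret would no longer be painted under the new range check in nsCaret.cpp, but that is inferred rather than visible here. A short comment above the call, such as `// Use offset 0 so the caret position is valid for this node (see bug 699353).`, would stop a later edit from reintroducing the old offset. The enclosing function starts outside the hunk.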