[blink] Avoid null pointer dereference in HitTestResult::isMisspelled()

The method HitTestResult::isMisspelled() assumed that renderer would
always be present in the right-clicked editable item. This is not the case
when right-clicking on an item in an editable combobox created by jQuery
Searchable DropDown Plugin (http://jsearchdropdown.sf.net).

This patch changes HitTestResult::isMisspelled() to check if the renderer
is present. If there's no renderer, then the method returns false (there
shouldn't be spellcheck related items in the context menu).

Manual test 1: Click on the drop-down on http://jsearchdropdown.sf.net and
right-click on any of the items. The page should not crash.

Manual test 2: Run the following script and right-click anywhere on the
page. The page should not crash.

<html>
<head>
<script>
window.onload = function() {
  var element = document.getElementsByTagName('html')[0];
  document.adoptNode(element);
  var newElement = document.createElementNS('http://www.w3.org/2000/svg', 'title');
  document.appendChild(newElement);
  document.execCommand('SelectAll', false)
  document.designMode = 'on';
};
</script>
</head>
</html>

TEST=LayoutTests/editing/spelling/right-click-no-renderer-crash.html
BUG=304165

Review URL: https://codereview.chromium.org/26168008

git-svn-id: svn://svn.chromium.org/blink/trunk@168490 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/editing/spelling/right-click-no-renderer-crash-expected.txt

+Page should not crash when a node does not have a renderer object associated with it. To test manually, right-click anywhere on the page. The test succeeds if the page does not crash. On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".PASS successfullyParsed is true
+
+TEST COMPLETE
+

third_party/WebKit/LayoutTests/editing/spelling/right-click-no-renderer-crash.html

+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test.js"></script>
+<script>
+window.onload = function() {
+  var element = document.getElementsByTagName('html')[0];
+  document.adoptNode(element);
+  var newElement = document.createElementNS('http://www.w3.org/2000/svg', 'title');
+  document.appendChild(newElement);
+  document.execCommand('SelectAll', false)
+  document.designMode = 'on';
+
+  description('Page should not crash when a node does not have a renderer object associated with it. ' +
+              'To test manually, right-click anywhere on the page. ' +
+              'The test succeeds if the page does not crash. ');
+
+  if (window.eventSender) {
+    eventSender.mouseMoveTo(10, 10);
+    eventSender.contextClick();
+  }
+
+  finishJSTest();
+};
+</script>
+</head>
+</html>

third_party/WebKit/Source/core/rendering/HitTestResult.cpp

@@ -347,7 +347,7 @@ bool HitTestResult::isLiveLink() const
 
 bool HitTestResult::isMisspelled() const
 {
-    if (!targetNode())
+    if (!targetNode() || !targetNode()->renderer())
         return false;
     VisiblePosition pos(targetNode()->renderer()->positionForPoint(localPoint()));
     if (pos.isNull())