2011-02-09 Ryosuke Niwa <rniwa@webkit.org>

        Reviewed by Darin Adler.

        REGRESSION(r76107): Crash in VisibleSelection::toNormalizedRange
        https://bugs.webkit.org/show_bug.cgi?id=54053

        The bug was caused by RenderBlock::positionForPoint's improperly returning a shadow node inside
        RenderFileUploadControl for hit testing and VisibleSelection::toNormalizedRange's always assuming
        the position variable "s" is not null.

        Fixed the bug by always returning a null position from RenderFileUploadControl::positionForPoint,
        and also exiting early when either "s" or "e" is null in VisibleSelection::toNormalizedRange.

        Test: fast/forms/file-input-hit-test.html

        * editing/VisibleSelection.cpp:
        (WebCore::VisibleSelection::toNormalizedRange):
        * rendering/RenderFileUploadControl.cpp:
        (WebCore::RenderFileUploadControl::positionForPoint):
        * rendering/RenderFileUploadControl.h:
2011-02-09  Ryosuke Niwa  <rniwa@webkit.org>

        Reviewed by Darin Adler.

        REGRESSION(r76107): Crash in VisibleSelection::toNormalizedRange
        https://bugs.webkit.org/show_bug.cgi?id=54053

        Added a test to ensure WebKit does not crash when a user clicks on a region immediately after a file
        upload control.

        * fast/forms/file-input-hit-test-expected.txt: Added.
        * fast/forms/file-input-hit-test.html: Added.


git-svn-id: svn://svn.chromium.org/blink/trunk@78168 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2011-02-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        REGRESSION(r76107): Crash in VisibleSelection::toNormalizedRange
+        https://bugs.webkit.org/show_bug.cgi?id=54053
+
+        Added a test to ensure WebKit does not crash when a user clicks on a region immediately after a file
+        upload control.
+
+        * fast/forms/file-input-hit-test-expected.txt: Added.
+        * fast/forms/file-input-hit-test.html: Added.
+
 2011-02-09  Zhenyao Mo  <zmo@google.com>
 
         Unreviewed, test expectations update.

third_party/WebKit/LayoutTests/fast/forms/file-input-hit-test-expected.txt

+This tests clicking on a region immediately after a file input field. WebKit should not crash and you should see PASS below. To manually test this, click on the black region below.
+
+PASS

third_party/WebKit/LayoutTests/fast/forms/file-input-hit-test.html

+<!DOCTYPE htlm>
+<html>
+<body>
+<p>This tests clicking on a region immediately after a file input field. WebKit should not crash and you should see PASS below.
+To manually test this, click on the black region below.</p>
+<div id="form" style="width: 200px; height: 200px; position: absolute; top: 20px; left: 0px; background: black;">
+<input type="file" style="width: 100px; height: 50px; display: block; padding: 10px; background: white;">
+</div>
+<script>
+
+if (window.layoutTestController && window.eventSender) {
+    layoutTestController.dumpAsText();
+
+    eventSender.mouseMoveTo(180, 50);
+    eventSender.leapForward(200);
+    eventSender.mouseDown();
+    eventSender.leapForward(200);
+    eventSender.mouseUp();
+    eventSender.leapForward(200);
+    document.writeln('PASS');
+}
+
+</script>
+</body>
+</html>

third_party/WebKit/Source/WebCore/ChangeLog

+2011-02-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        REGRESSION(r76107): Crash in VisibleSelection::toNormalizedRange
+        https://bugs.webkit.org/show_bug.cgi?id=54053
+
+        The bug was caused by RenderBlock::positionForPoint's improperly returning a shadow node inside
+        RenderFileUploadControl for hit testing and VisibleSelection::toNormalizedRange's always assuming
+        the position variable "s" is not null.
+
+        Fixed the bug by always returning a null position from RenderFileUploadControl::positionForPoint,
+        and also exiting early when either "s" or "e" is null in VisibleSelection::toNormalizedRange.
+
+        Test: fast/forms/file-input-hit-test.html
+
+        * editing/VisibleSelection.cpp:
+        (WebCore::VisibleSelection::toNormalizedRange):
+        * rendering/RenderFileUploadControl.cpp:
+        (WebCore::RenderFileUploadControl::positionForPoint):
+        * rendering/RenderFileUploadControl.h:
+
 2011-02-09  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Beth Dakin.

third_party/WebKit/Source/WebCore/editing/VisibleSelection.cpp

@@ -172,6 +172,9 @@ PassRefPtr<Range> VisibleSelection::toNormalizedRange() const
         s = s.parentAnchoredEquivalent();
         e = e.parentAnchoredEquivalent();
     }
+    
+    if (s.isNull() || e.isNull())
+        return 0;
 
     // VisibleSelections are supposed to always be valid.  This constructor will ASSERT
     // if a valid range could not be created, which is fine for this callsite.

third_party/WebKit/Source/WebCore/rendering/RenderFileUploadControl.cpp

@@ -297,6 +297,11 @@ void RenderFileUploadControl::computePreferredLogicalWidths()
     setPreferredLogicalWidthsDirty(false);
 }
 
+VisiblePosition RenderFileUploadControl::positionForPoint(const IntPoint&)
+{
+    return VisiblePosition();
+}
+
 void RenderFileUploadControl::receiveDroppedFiles(const Vector<String>& paths)
 {
     if (allowsMultipleFiles())

third_party/WebKit/Source/WebCore/rendering/RenderFileUploadControl.h

@@ -28,7 +28,7 @@ namespace WebCore {
 
 class Chrome;
 class HTMLInputElement;
-    
+
 // Each RenderFileUploadControl contains a RenderButton (for opening the file chooser), and
 // sufficient space to draw a file icon and filename. The RenderButton has a shadow node
 // associated with it to receive click/hover events.
@@ -71,6 +71,8 @@ private:
     Chrome* chrome() const;
     int maxFilenameWidth() const;
     PassRefPtr<RenderStyle> createButtonStyle(const RenderStyle* parentStyle) const;
+    
+    virtual VisiblePosition positionForPoint(const IntPoint&);
 
     RefPtr<HTMLInputElement> m_button;
     RefPtr<FileChooser> m_fileChooser;