[blink] Avoid null pointer dereference in HitTestResult::isMisspelled()

[blink] Avoid null pointer dereference in HitTestResult::isMisspelled()

The method HitTestResult::isMisspelled() assumed that renderer would
always be present in the right-clicked editable item. This is not the case
when right-clicking on an item in an editable combobox created by jQuery
Searchable DropDown Plugin (http://jsearchdropdown.sf.net).

This patch changes HitTestResult::isMisspelled() to check if the renderer
is present. If there's no renderer, then the method returns false (there
shouldn't be spellcheck related items in the context menu).

Manual test 1: Click on the drop-down on http://jsearchdropdown.sf.net and
right-click on any of the items. The page should not crash.

Manual test 2: Run the following script and right-click anywhere on the
page. The page should not crash.

<html>
<head>
<script>
window.onload = function() {
  var element = document.getElementsByTagName('html')[0];
  document.adoptNode(element);
  var newElement = document.createElementNS('http://www.w3.org/2000/svg', 'title');
  document.appendChild(newElement);
  document.execCommand('SelectAll', false)
  document.designMode = 'on';
};
</script>
</head>
</html>

TEST=LayoutTests/editing/spelling/right-click-no-renderer-crash.html
BUG=304165
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168490

[please use gerrit instead, 2013-10-07 18:53:52]

Tony: PTAL.

[tony, 2013-10-07 19:11:21]

Please create a manual test and add it to the ManualTests directory.

I would be great if we could come up with a way to click on popup menu items
using testRunner, but that's probably beyond the scope of this bug.

[groby-ooo-7-16, 2014-02-21 03:55:30]

Seems the bug now has a repro case. Rouslan, any chance you can add a test and
close this?

[please use gerrit instead, 2014-02-21 16:56:55]

Sounds good. (Although the "minimized" repro case is 130 lines long, which makes
me think that it's not the smallest possible.)

[please use gerrit instead, 2014-02-21 16:56:56]

Sounds good. (Although the "minimized" repro case is 130 lines long, which makes
me think that it's not the smallest possible.)

[please use gerrit instead, 2014-02-25 00:06:19]

Eric: PTAL.

[tony, 2014-02-25 00:08:29]

FWIW, I'm happy to LGTM this change since it's simple.

[please use gerrit instead, 2014-02-25 00:17:13]

Try-bots failing due to the issue being private.

[eseidel, 2014-02-25 00:30:01]

The fix looks generally good, I'm just not sure it's the right place to fix
this.

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
File LayoutTests/editing/spelling/right-click-no-renderer-crash.html (right):

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
LayoutTests/editing/spelling/right-click-no-renderer-crash.html:7: var element =
document.getElementsByTagName('*')[0];
Can we be more specific as to which element we're selecting?  Presumably the
<script> element?

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
LayoutTests/editing/spelling/right-click-no-renderer-crash.html:19:
eventSender.contextClick();
Is this click at 0,0?

https://codereview.chromium.org/26168008/diff/55001/Source/core/rendering/Hit...
File Source/core/rendering/HitTestResult.cpp (right):

https://codereview.chromium.org/26168008/diff/55001/Source/core/rendering/Hit...
Source/core/rendering/HitTestResult.cpp:350: if (!targetNode() ||
!targetNode()->renderer())
I'm surprised that we'd have a HitTestResult which did not have an associated
renderer?  Are you sure there aren't other parts of the code which assume this? 
Do other pathways in HitTestResult check for a renderer?

[please use gerrit instead, 2014-02-25 01:14:53]

Eric: PTAL Patch Set 4.

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
File LayoutTests/editing/spelling/right-click-no-renderer-crash.html (right):

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
LayoutTests/editing/spelling/right-click-no-renderer-crash.html:7: var element =
document.getElementsByTagName('*')[0];
On 2014/02/25 00:30:02, eseidel wrote:
> Can we be more specific as to which element we're selecting?  Presumably the
> <script> element?

Changed '*' to 'html'. Only <html> element causes the crash with these steps to
reproduce the bug.

https://codereview.chromium.org/26168008/diff/55001/LayoutTests/editing/spell...
LayoutTests/editing/spelling/right-click-no-renderer-crash.html:19:
eventSender.contextClick();
On 2014/02/25 00:30:02, eseidel wrote:
> Is this click at 0,0?

Changed the click to be explicitly at (10, 10). It was (0, 0) originally, but I
don't want to make assumptions on whether (0, 0) is inside or outside the page
on different platforms.

https://codereview.chromium.org/26168008/diff/55001/Source/core/rendering/Hit...
File Source/core/rendering/HitTestResult.cpp (right):

https://codereview.chromium.org/26168008/diff/55001/Source/core/rendering/Hit...
Source/core/rendering/HitTestResult.cpp:350: if (!targetNode() ||
!targetNode()->renderer())
On 2014/02/25 00:30:02, eseidel wrote:
> I'm surprised that we'd have a HitTestResult which did not have an associated
> renderer?

So was I. :-)

> Are you sure there aren't other parts of the code which assume this? 
> Do other pathways in HitTestResult check for a renderer?

The other methods in HitTestResult check for renderer() before using a node. See
for example:

HitTestResult::spellingToolTip()
HitTestResult::title()
HitTestResult::image()
etc

[yosin_UTC9, 2014-02-25 01:19:05]

On 2014/02/25 00:30:01, eseidel wrote:
> The fix looks generally good, I'm just not sure it's the right place to fix
> this.
I agree with Eric.

It should be done in EventHandler::sendContextMenuEvent(), the only place where
using isMisspelled(), rather than having HitTestResult::isMisspelled().
I think HitTestResult is API object exposed by render tree. For
layer/modularity, render tree should not know about spell checker. 

BTW, I also think move EventHanddler::sendContextMenuEvent() to another place,
although I've not yet found right place.

[please use gerrit instead, 2014-02-25 18:37:10]

Yoshi & Eric: PTAL. I've moved is-misspelled logic into
EventHandlerr::sendContextMenuEvent().

[please use gerrit instead, 2014-02-28 18:27:06]

ping...

[eseidel, 2014-02-28 22:01:46]

I don't like this fix.  We took code which logically made sense as a function
inlined it into a larger function.  If we're going to remove it from
HitTestResult, we should do so because it allows us to reduce HitTestResult's
dependencies (includes).

If it's true that HitTestResults do not necessarily have a renderer, than the
original fix is fine (or a version of this one which moves the code but keeps it
in a separate (static?) function.

If HitTestResults are expected to always have a renderer, than this is the wrong
fix.

[eseidel, 2014-02-28 22:04:27]

My apologies for being slow to review.

It looks like targetNode()->renderer() is null checked in other places, so the
null-check is fine.  I would either land the first patch, or move the code into
a static helper function.  I would not inline this logic into the larger
function.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

[please use gerrit instead, 2014-02-28 23:56:03]

Eric: PTAL Patch Set 6.

Patch Set 6 has the original fix, which I also think is the correct fix for this
bug. It's the smallest possible fix among the possibilities that I explored. It
also stays within the conventions of HitTestResult implementation, which assumes
that the target node may not have a renderer.

If HitTestResult is not the right place to have isMisspelled() function, then
this issue should be tracked in a separate bug. The fix for that should be
independent of the fix for this crasher.

[eseidel, 2014-03-01 00:16:20]

lgtm

[commit-bot: I haz the power, 2014-03-01 00:16:31]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rouslan@chromium.org/26168008/115001

[commit-bot: I haz the power, 2014-03-01 00:41:03]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-01 00:41:04]

Retried try job too often on blink_presubmit for step(s) presubmit
http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=blink_pres...

[please use gerrit instead, 2014-03-03 17:25:04]

Removed the "private" bit to enable commit.

[please use gerrit instead, 2014-03-03 17:25:10]

The CQ bit was checked by rouslan@chromium.org

[commit-bot: I haz the power, 2014-03-03 17:25:44]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rouslan@chromium.org/26168008/115001

[commit-bot: I haz the power, 2014-03-03 19:29:40]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-03 19:29:41]

Retried try job too often on linux_blink for step(s) webkit_tests
http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=linux_blin...

[please use gerrit instead, 2014-03-03 22:37:40]

The CQ bit was checked by rouslan@chromium.org

[commit-bot: I haz the power, 2014-03-03 22:38:06]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rouslan@chromium.org/26168008/115001

[commit-bot: I haz the power, 2014-03-03 23:23:13]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rouslan@chromium.org/26168008/115001

[commit-bot: I haz the power, 2014-03-04 15:55:31]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-04 15:55:32]

Retried try job too often on win_layout for step(s) webkit_lint
http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win_layout...

[please use gerrit instead, 2014-03-04 18:57:53]

The CQ bit was checked by rouslan@chromium.org

[commit-bot: I haz the power, 2014-03-04 18:58:32]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rouslan@chromium.org/26168008/115001

[commit-bot: I haz the power, 2014-03-05 15:46:28]

Change committed as 168490