Fix smartclip crash

Left upper corner of the rect may not always be the starting position
in the DOM hierarchy, and this assumption was causing crashes.

BUG=589082

Review URL: https://codereview.chromium.org/1806813004

(cherry picked from commit cddc46848415206666281dfb0cefbb8eba1f7aed)

Cr-Original-Commit-Position: refs/heads/master@{#381838}
Cr-Commit-Position: refs/branch-heads/2623@{#634}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

3 files changed, 35 insertions, 1 deletions

diff --git a/third_party/WebKit/Source/web/WebViewImpl.cpp b/third_party/WebKit/Source/web/WebViewImpl.cpp
index 8119287..7beee47 100644
--- a/third_party/WebKit/Source/web/WebViewImpl.cpp
+++ b/third_party/WebKit/Source/web/WebViewImpl.cpp
@@ -3903,7 +3903,11 @@ void WebViewImpl::extractSmartClipData(WebRect rectInViewport, WebString& clipTe
     if (!startPosition.document() || !endPosition.document())
         return;
 
-    clipHtml = createMarkup(startPosition, endPosition, AnnotateForInterchange, ConvertBlocksToInlines::NotConvert, ResolveNonLocalURLs);
+    if (startPosition.compareTo(endPosition) <= 0) {
+        clipHtml = createMarkup(startPosition, endPosition, AnnotateForInterchange, ConvertBlocksToInlines::NotConvert, ResolveNonLocalURLs);
+    } else {
+        clipHtml = createMarkup(endPosition, startPosition, AnnotateForInterchange, ConvertBlocksToInlines::NotConvert, ResolveNonLocalURLs);
+    }
 }
 
 void WebViewImpl::hidePopups()
diff --git a/third_party/WebKit/Source/web/tests/WebViewTest.cpp b/third_party/WebKit/Source/web/tests/WebViewTest.cpp
index 11f7efd..9871232 100644
--- a/third_party/WebKit/Source/web/tests/WebViewTest.cpp
+++ b/third_party/WebKit/Source/web/tests/WebViewTest.cpp
@@ -2187,6 +2187,22 @@ TEST_F(WebViewTest, SmartClipReturnsEmptyStringsWhenUserSelectIsNone)
     EXPECT_STREQ("", clipHtml.utf8().c_str());
 }
 
+TEST_F(WebViewTest, SmartClipDoesNotCrashPositionReversed)
+{
+    WebString clipText;
+    WebString clipHtml;
+    WebRect clipRect;
+    URLTestHelpers::registerMockedURLFromBaseURL(WebString::fromUTF8(m_baseURL.c_str()), WebString::fromUTF8("Ahem.ttf"));
+    URLTestHelpers::registerMockedURLFromBaseURL(WebString::fromUTF8(m_baseURL.c_str()), WebString::fromUTF8("smartclip_reversed_positions.html"));
+    WebView* webView = m_webViewHelper.initializeAndLoad(m_baseURL + "smartclip_reversed_positions.html");
+    webView->resize(WebSize(500, 500));
+    webView->updateAllLifecyclePhases();
+    // Left upper corner of the rect will be end position in the DOM hierarchy.
+    WebRect cropRect(30, 110, 400, 250);
+    // This should not still crash. See crbug.com/589082 for more details.
+    webView->extractSmartClipData(cropRect, clipText, clipHtml, clipRect);
+}
+
 class CreateChildCounterFrameClient : public FrameTestHelpers::TestWebFrameClient {
 public:
     CreateChildCounterFrameClient() : m_count(0) { }
diff --git a/third_party/WebKit/Source/web/tests/data/smartclip_reversed_positions.html b/third_party/WebKit/Source/web/tests/data/smartclip_reversed_positions.html
new file mode 100644
index 0000000..1054ac6
--- /dev/null
+++ b/third_party/WebKit/Source/web/tests/data/smartclip_reversed_positions.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<meta content="width=640px,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0" name="viewport">
+<body>
+    <div style="display: block; float: left; position: relative; width: 200px; background: #ff0000;">
+        <h3 style="display: block; margin-right: 0px; position: relative; width: 200px; word-wrap: break-word; zoom: 1; background: #0000ff;">
+1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0</h3>
+        <div style="width: 400px; height: 100px; background: #00ff00;">
+        </div>
+    </div>
+</body>
+</html>