Title: [94885] branches/chromium/874
- Revision
- 94885
- Author
- [email protected]
- Date
- 2011-09-09 16:10:39 -0700 (Fri, 09 Sep 2011)
Log Message
Merge 94841 - Crashes in WebCore::AppendNodeCommand::create().
https://bugs.webkit.org/show_bug.cgi?id=67767
Patch by Shinya Kawanaka <[email protected]> on 2011-09-09
Reviewed by Darin Adler.
Source/WebCore:
In CompositeEditCommand::closeParagraphUnderNewElement(), lastNode could be a non Element node.
The current code assumes lastNode is an Element node. This patch checks it.
Test: editing/execCommand/ident-crashes-topnode-is-text.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): Added an element node check.
LayoutTests:
Added a crash test case.
* editing/execCommand/ident-crashes-topnode-is-text-expected.txt: Added.
* editing/execCommand/ident-crashes-topnode-is-text.html: Added.
[email protected]
BUG=95550
Review URL: http://codereview.chromium.org/7863014
Modified Paths
Added Paths
Diff
Copied: branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text-expected.txt (from rev 94841, trunk/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text-expected.txt) (0 => 94885)
--- branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text-expected.txt (rev 0)
+++ branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text-expected.txt 2011-09-09 23:10:39 UTC (rev 94885)
@@ -0,0 +1,4 @@
+execCommand("Indent") was crashing if the top element to be formatted is actually not an element.
+The test has passed if it does not crash.
+
+PASS
Copied: branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text.html (from rev 94841, trunk/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text.html) (0 => 94885)
--- branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text.html (rev 0)
+++ branches/chromium/874/LayoutTests/editing/execCommand/ident-crashes-topnode-is-text.html 2011-09-09 23:10:39 UTC (rev 94885)
@@ -0,0 +1,16 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ window.getSelection().setBaseAndExtent(start, 0, null, 0);
+ document.execCommand("Indent");
+
+ document.writeln('execCommand("Indent") was crashing if the top element to be formatted is actually not an element.<br>');
+ document.writeln('The test has passed if it does not crash.<br><br>')
+ document.writeln('PASS');
+}
+</script>
+<body _onLoad_="runTest();">
+ ><defs contenteditable="true" id="start">
+ <rt>AAAAAAA0A0AAAA00
Modified: branches/chromium/874/Source/WebCore/editing/CompositeEditCommand.cpp (94884 => 94885)
--- branches/chromium/874/Source/WebCore/editing/CompositeEditCommand.cpp 2011-09-09 23:05:27 UTC (rev 94884)
+++ branches/chromium/874/Source/WebCore/editing/CompositeEditCommand.cpp 2011-09-09 23:10:39 UTC (rev 94885)
@@ -808,7 +808,7 @@
appendNode(topNode, blockElement);
RefPtr<Node> lastNode = topNode;
- if (start.deprecatedNode() != outerNode) {
+ if (start.deprecatedNode() != outerNode && lastNode->isElementNode()) {
Vector<RefPtr<Node> > ancestors;
// Insert each node from innerNode to outerNode (excluded) in a list.
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
