Title: [96028] branches/chromium/835
- Revision
- 96028
- Author
- [email protected]
- Date
- 2011-09-26 16:13:07 -0700 (Mon, 26 Sep 2011)
Log Message
Merge 94511 - Crash in Range::processAncestorsAndTheirSiblings.
BUG=95360
Review URL: http://codereview.chromium.org/8041051
Modified Paths
Added Paths
Diff
Copied: branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt (from rev 94511, trunk/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt) (0 => 96028)
--- branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt (rev 0)
+++ branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt 2011-09-26 23:13:07 UTC (rev 96028)
@@ -0,0 +1,2 @@
+
+PASS
Copied: branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html (from rev 94511, trunk/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html) (0 => 96028)
--- branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html (rev 0)
+++ branches/chromium/835/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html 2011-09-26 23:13:07 UTC (rev 96028)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<div id="test1">
+<input id="test2"/>
+<input id="test3"/>
+<ol></ol>
+</div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ var range = document.createRange();
+ var test1 = document.getElementById("test1");
+ var test2 = document.getElementById("test2");
+ var test3 = document.getElementById("test3");
+
+ range.setStartBefore(test2);
+ range.selectNodeContents(test3);
+ range.setEndAfter(test1);
+ range.commonAncestorContainer;
+ range.deleteContents();
+}
+
+document.addEventListener("DOMSubtreeModified", runTest, true);
+document.body.appendChild(document.createTextNode("PASS"));
+</script>
+</html>
\ No newline at end of file
Modified: branches/chromium/835/Source/WebCore/dom/Range.cpp (96027 => 96028)
--- branches/chromium/835/Source/WebCore/dom/Range.cpp 2011-09-26 23:10:25 UTC (rev 96027)
+++ branches/chromium/835/Source/WebCore/dom/Range.cpp 2011-09-26 23:13:07 UTC (rev 96028)
@@ -58,6 +58,8 @@
static WTF::RefCountedLeakCounter rangeCounter("Range");
#endif
+typedef Vector<RefPtr<Node> > NodeVector;
+
inline Range::Range(PassRefPtr<Document> ownerDocument)
: m_ownerDocument(ownerDocument)
, m_start(m_ownerDocument)
@@ -669,8 +671,6 @@
PassRefPtr<DocumentFragment> Range::processContents(ActionType action, ExceptionCode& ec)
{
- typedef Vector<RefPtr<Node> > NodeVector;
-
RefPtr<DocumentFragment> fragment;
if (action == EXTRACT_CONTENTS || action == CLONE_CONTENTS)
fragment = DocumentFragment::create(m_ownerDocument.get());
@@ -884,9 +884,14 @@
// FIXME: This assertion may fail if DOM is modified during mutation event
// FIXME: Share code with Range::processNodes
ASSERT(!firstChildInAncestorToProcess || firstChildInAncestorToProcess->parentNode() == ancestor);
- RefPtr<Node> next;
- for (Node* child = firstChildInAncestorToProcess.get(); child; child = next.get()) {
- next = direction == ProcessContentsForward ? child->nextSibling() : child->previousSibling();
+
+ NodeVector nodes;
+ for (Node* child = firstChildInAncestorToProcess.get(); child;
+ child = (direction == ProcessContentsForward) ? child->nextSibling() : child->previousSibling())
+ nodes.append(child);
+
+ for (NodeVector::const_iterator it = nodes.begin(); it != nodes.end(); it++) {
+ Node* child = it->get();
switch (action) {
case DELETE_CONTENTS:
ancestor->removeChild(child, ec);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
