Title: [96632] trunk
- Revision
- 96632
- Author
- [email protected]
- Date
- 2011-10-04 12:47:32 -0700 (Tue, 04 Oct 2011)
Log Message
Source/WebCore: Hold refptr to identified previous sibling within findPlaceForCounter.
https://bugs.webkit.org/show_bug.cgi?id=68563
Reviewed by Adam Barth.
Test: fast/css/counters/counter-after-style-crash.html
* rendering/RenderCounter.cpp:
(WebCore::findPlaceForCounter):
LayoutTests: Add test for crash when performing rich text mutations with counter nodes.
https://bugs.webkit.org/show_bug.cgi?id=68563
Reviewed by Adam Barth.
* fast/css/counters/counter-after-style-crash-expected.txt: Added.
* fast/css/counters/counter-after-style-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (96631 => 96632)
--- trunk/LayoutTests/ChangeLog 2011-10-04 19:35:23 UTC (rev 96631)
+++ trunk/LayoutTests/ChangeLog 2011-10-04 19:47:32 UTC (rev 96632)
@@ -1,3 +1,13 @@
+2011-09-21 Cris Neckar <[email protected]>
+
+ Add test for crash when performing rich text mutations with counter nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=68563
+
+ Reviewed by Adam Barth.
+
+ * fast/css/counters/counter-after-style-crash-expected.txt: Added.
+ * fast/css/counters/counter-after-style-crash.html: Added.
+
2011-10-04 Joshua Bell <[email protected]>
IndexedDB add() should fail if key is NaN
Added: trunk/LayoutTests/fast/css/counters/counter-after-style-crash-expected.txt (0 => 96632)
--- trunk/LayoutTests/fast/css/counters/counter-after-style-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/counters/counter-after-style-crash-expected.txt 2011-10-04 19:47:32 UTC (rev 96632)
@@ -0,0 +1 @@
+PASS: Counters updated successfully without crashing
Added: trunk/LayoutTests/fast/css/counters/counter-after-style-crash.html (0 => 96632)
--- trunk/LayoutTests/fast/css/counters/counter-after-style-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/counters/counter-after-style-crash.html 2011-10-04 19:47:32 UTC (rev 96632)
@@ -0,0 +1,32 @@
+<html>
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.waitUntilDone();
+ layoutTestController.dumpAsText();
+ }
+ </script>
+ <style>
+ div {
+ counter-reset:ctr
+ }
+
+ :after {
+ content:counter(x);
+ counter-increment:ctr;
+ }
+ </style>
+ <junk>TESTING..</div><div><div></div>
+ <span></span>
+ <table>
+ </script>
+ <script>
+ document.designMode='on';
+ document.execCommand('selectall');
+ document.execCommand('italic');
+ document.execCommand('removeformat');
+
+ document.body.innerHTML = "PASS: Counters updated successfully without crashing";
+ layoutTestController.notifyDone();
+ </script>
+ </table>
+</html>
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (96631 => 96632)
--- trunk/Source/WebCore/ChangeLog 2011-10-04 19:35:23 UTC (rev 96631)
+++ trunk/Source/WebCore/ChangeLog 2011-10-04 19:47:32 UTC (rev 96632)
@@ -1,3 +1,15 @@
+2011-09-21 Cris Neckar <[email protected]>
+
+ Hold refptr to identified previous sibling within findPlaceForCounter.
+ https://bugs.webkit.org/show_bug.cgi?id=68563
+
+ Reviewed by Adam Barth.
+
+ Test: fast/css/counters/counter-after-style-crash.html
+
+ * rendering/RenderCounter.cpp:
+ (WebCore::findPlaceForCounter):
+
2011-10-04 Joshua Bell <[email protected]>
IndexedDB add() should fail if key is NaN
Modified: trunk/Source/WebCore/rendering/RenderCounter.cpp (96631 => 96632)
--- trunk/Source/WebCore/rendering/RenderCounter.cpp 2011-10-04 19:35:23 UTC (rev 96631)
+++ trunk/Source/WebCore/rendering/RenderCounter.cpp 2011-10-04 19:47:32 UTC (rev 96632)
@@ -303,13 +303,15 @@
// we are trying to find a place for. This is the next renderer to be checked.
RenderObject* currentRenderer = previousInPreOrder(counterOwner);
previousSibling = 0;
+ RefPtr<CounterNode> previousSiblingProtector = 0;
+
while (currentRenderer) {
CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
if (searchEndRenderer == currentRenderer) {
// We may be at the end of our search.
if (currentCounter) {
// We have a suitable counter on the EndSearchRenderer.
- if (previousSibling) { // But we already found another counter that we come after.
+ if (previousSiblingProtector) { // But we already found another counter that we come after.
if (currentCounter->actsAsReset()) {
// We found a reset counter that is on a renderer that is a sibling of ours or a parent.
if (isReset && areRenderersElementsSiblings(currentRenderer, counterOwner)) {
@@ -326,16 +328,19 @@
// In some cases renders can be reparented (ex. nodes inside a table but not in a column or row).
// In these cases the identified previousSibling will be invalid as its parent is different from
// our identified parent.
- if (previousSibling->parent() != currentCounter)
- previousSibling = 0;
+ if (previousSiblingProtector->parent() != currentCounter)
+ previousSiblingProtector = 0;
+
+ previousSibling = previousSiblingProtector.get();
return true;
}
// CurrentCounter, the counter at the EndSearchRenderer, is not reset.
if (!isReset || !areRenderersElementsSiblings(currentRenderer, counterOwner)) {
// If the node we are placing is not reset or we have found a counter that is attached
// to an ancestor of the placed counter's owner renderer we know we are a sibling of that node.
- ASSERT(currentCounter->parent() == previousSibling->parent());
+ ASSERT(currentCounter->parent() == previousSiblingProtector->parent());
parent = currentCounter->parent();
+ previousSibling = previousSiblingProtector.get();
return true;
}
} else {
@@ -350,6 +355,7 @@
return parent;
}
parent = currentCounter;
+ previousSibling = previousSiblingProtector.get();
return true;
}
if (!isReset || !areRenderersElementsSiblings(currentRenderer, counterOwner)) {
@@ -357,7 +363,7 @@
previousSibling = currentCounter;
return true;
}
- previousSibling = currentCounter;
+ previousSiblingProtector = currentCounter;
}
}
// We come here if the previous sibling or parent of our owner renderer had no
@@ -370,18 +376,18 @@
// counter being placed is attached to.
if (currentCounter) {
// We found a suitable counter.
- if (previousSibling) {
+ if (previousSiblingProtector) {
// Since we had a suitable previous counter before, we should only consider this one as our
// previousSibling if it is a reset counter and hence the current previousSibling is its child.
if (currentCounter->actsAsReset()) {
- previousSibling = currentCounter;
+ previousSiblingProtector = currentCounter;
// We are no longer interested in previous siblings of the currentRenderer or their children
// as counters they may have attached cannot be the previous sibling of the counter we are placing.
currentRenderer = parentElement(currentRenderer)->renderer();
continue;
}
} else
- previousSibling = currentCounter;
+ previousSiblingProtector = currentCounter;
currentRenderer = previousSiblingOrParent(currentRenderer);
continue;
}
@@ -390,7 +396,7 @@
// which may be done twice in some cases. Rearranging the decision points though, to accommodate this
// performance improvement would create more code duplication than is worthwhile in my oppinion and may further
// impede the readability of this already complex algorithm.
- if (previousSibling)
+ if (previousSiblingProtector)
currentRenderer = previousSiblingOrParent(currentRenderer);
else
currentRenderer = previousInPreOrder(currentRenderer);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
