Title: [263302] trunk
Revision
263302
Author
commit-qu...@webkit.org
Date
2020-06-19 17:16:12 -0700 (Fri, 19 Jun 2020)

Log Message

Crash in WebCore::Range::borderAndTextRects
https://bugs.webkit.org/show_bug.cgi?id=209379

Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-06-19
Reviewed by Darin Adler.

When a parentless node is moved to a new document, then all ranges associated with this node and its children also should
be updated with new document information.

Test would be submitted later.

* dom/Document.cpp:
(WebCore::Document::parentlessNodeMoveToNewDocument):
* dom/Document.h:
* dom/Node.cpp:
(WebCore::Node::moveNodeToNewDocument):
* dom/Range.cpp:
(WebCore::Range::parentlessNodeMoveToNewDocumentAffectsRange):
(WebCore::Range::updateRangeForParentlessNodeMoveToNewDocument):
* dom/Range.h:

Modified Paths

Diff

Modified: trunk/LayoutTests/fast/dom/move-detached-child-in-range-expected.txt (263301 => 263302)


--- trunk/LayoutTests/fast/dom/move-detached-child-in-range-expected.txt	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/LayoutTests/fast/dom/move-detached-child-in-range-expected.txt	2020-06-20 00:16:12 UTC (rev 263302)
@@ -1 +1 @@
-Final end container, offset: [object HTMLHeadingElement], 1
+Final end container, offset: [object HTMLHeadingElement], 0

Modified: trunk/Source/WebCore/ChangeLog (263301 => 263302)


--- trunk/Source/WebCore/ChangeLog	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/ChangeLog	2020-06-20 00:16:12 UTC (rev 263302)
@@ -1,3 +1,25 @@
+2020-06-19  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        Crash in WebCore::Range::borderAndTextRects
+        https://bugs.webkit.org/show_bug.cgi?id=209379
+
+        Reviewed by Darin Adler.
+
+        When a parentless node is moved to a new document, then all ranges associated with this node and its children also should
+        be updated with new document information.
+
+        Test woould be submitted later. 
+
+        * dom/Document.cpp:
+        (WebCore::Document::parentlessNodeMoveToNewDocument):
+        * dom/Document.h:
+        * dom/Node.cpp:
+        (WebCore::Node::moveNodeToNewDocument):
+        * dom/Range.cpp:
+        (WebCore::Range::parentlessNodeMoveToNewDocumentAffectsRange):
+        (WebCore::Range::updateRangeForParentlessNodeMoveToNewDocument):
+        * dom/Range.h:
+
 2020-06-19  Truitt Savell  <tsav...@apple.com>
 
         Unreviewed, reverting r263121.

Modified: trunk/Source/WebCore/dom/Document.cpp (263301 => 263302)


--- trunk/Source/WebCore/dom/Document.cpp	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/dom/Document.cpp	2020-06-20 00:16:12 UTC (rev 263302)
@@ -4675,6 +4675,19 @@
         m_markers->removeMarkers(node);
 }
 
+void Document::parentlessNodeMovedToNewDocument(Node& node)
+{
+    Vector<Range*, 5> rangesAffected;
+
+    for (auto* range : m_ranges) {
+        if (range->parentlessNodeMovedToNewDocumentAffectsRange(node))
+            rangesAffected.append(range);
+    }
+
+    for (auto* range : rangesAffected)
+        range->updateRangeForParentlessNodeMovedToNewDocument(node);
+}
+
 static Node* fallbackFocusNavigationStartingNodeAfterRemoval(Node& node)
 {
     return node.previousSibling() ? node.previousSibling() : node.parentNode();
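Review bot: The two-pass shape of `parentlessNodeMovedToNewDocument` needs a comment, because nothing here says why the affected ranges are copied into `rangesAffected` before being updated. `updateRangeForParentlessNodeMovedToNewDocument` calls `m_ownerDocument->detachRange(*this)`, which presumably removes the range from the `m_ranges` set being walked, so a later "simplification" to a single loop would mutate the container during iteration. I would add `// Collect first: updating a range detaches it from m_ranges, which must not change while we iterate.` above the first loop. The vector holds raw `Range*`, which is safe only if neither detachRange nor attachRange can drop the last reference to a range; that is worth confirming, since this change is itself a crash fix.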

Modified: trunk/Source/WebCore/dom/Document.h (263301 => 263302)


--- trunk/Source/WebCore/dom/Document.h	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/dom/Document.h	2020-06-20 00:16:12 UTC (rev 263302)
@@ -829,6 +829,7 @@
     void nodeChildrenWillBeRemoved(ContainerNode&);
     // nodeWillBeRemoved is only safe when removing one node at a time.
     void nodeWillBeRemoved(Node&);
+    void parentlessNodeMovedToNewDocument(Node&);
 
     enum class AcceptChildOperation { Replace, InsertOrAdd };
     bool canAcceptChild(const Node& newChild, const Node* refChild, AcceptChildOperation) const;

Modified: trunk/Source/WebCore/dom/Node.cpp (263301 => 263302)


--- trunk/Source/WebCore/dom/Node.cpp	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/dom/Node.cpp	2020-06-20 00:16:12 UTC (rev 263302)
@@ -2059,6 +2059,9 @@
 
     oldDocument.moveNodeIteratorsToNewDocument(*this, newDocument);
 
+    if (!parentNode())
+        oldDocument.parentlessNodeMovedToNewDocument(*this);
+
     if (AXObjectCache::accessibilityEnabled()) {
         if (auto* cache = oldDocument.existingAXObjectCache())
             cache->remove(*this);
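Review bot: The new call relies on `document()` already returning the destination document for this node, because `Range::updateRangeForParentlessNodeMovedToNewDocument` reads `node.document()` to choose the range's new owner. If the tree scope is switched after this point, the range would be detached and re-attached to the old document and the fix would silently do nothing. The rest of moveNodeToNewDocument is outside the hunk, so the ordering cannot be confirmed from here; unless it is already asserted there, add `ASSERT(&document() == &newDocument);` before the `if (!parentNode())` check. A one-line comment saying why only parentless nodes are handled here (for example `// Nodes with a parent are removed from their tree first, which updates ranges through nodeWillBeRemoved.`, if that is indeed the reason) would also help the next reader.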

Modified: trunk/Source/WebCore/dom/Range.cpp (263301 => 263302)


--- trunk/Source/WebCore/dom/Range.cpp	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/dom/Range.cpp	2020-06-20 00:16:12 UTC (rev 263302)
@@ -1612,6 +1612,18 @@
     boundaryNodeWillBeRemoved(m_end, node);
 }
 
+bool Range::parentlessNodeMovedToNewDocumentAffectsRange(Node& node)
+{
+    return node.containsIncludingShadowDOM(m_start.container());
+}
+
+void Range::updateRangeForParentlessNodeMovedToNewDocument(Node& node)
+{
+    m_ownerDocument->detachRange(*this);
+    m_ownerDocument = node.document();
+    m_ownerDocument->attachRange(*this);
+}
+
 static inline void boundaryTextInserted(RangeBoundaryPoint& boundary, Node& text, unsigned offset, unsigned length)
 {
     if (boundary.container() != &text)
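Review bot: `parentlessNodeMovedToNewDocumentAffectsRange` tests only `m_start.container()`, and nothing in the hunk says why the end container can be ignored. This is presumably sound because both boundary points of a range share a root, but the invariant should be written down, e.g. `// Start and end are always in the same tree, so checking the start container is sufficient.` The predicate does not modify the range, so it can likely be declared `const` here and in the Range.h declaration. `updateRangeForParentlessNodeMovedToNewDocument` would also benefit from a brief comment stating that it only re-registers the range with `node.document()` and leaves the boundary points untouched.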

Modified: trunk/Source/WebCore/dom/Range.h (263301 => 263302)


--- trunk/Source/WebCore/dom/Range.h	2020-06-20 00:11:31 UTC (rev 263301)
+++ trunk/Source/WebCore/dom/Range.h	2020-06-20 00:16:12 UTC (rev 263302)
@@ -127,6 +127,8 @@
     void nodeChildrenChanged(ContainerNode&);
     void nodeChildrenWillBeRemoved(ContainerNode&);
     void nodeWillBeRemoved(Node&);
+    bool parentlessNodeMovedToNewDocumentAffectsRange(Node&);
+    void updateRangeForParentlessNodeMovedToNewDocument(Node&);
 
     void textInserted(Node&, unsigned offset, unsigned length);
     void textRemoved(Node&, unsigned offset, unsigned length);