Title: [109218] trunk
Revision: 109218
Author: [email protected]
Date: 2012-02-29 08:43:31 -0800 (Wed, 29 Feb 2012)

Log Message

Crash in WebCore::CompositeEditCommand::insertNodeAt
https://bugs.webkit.org/show_bug.cgi?id=67764

Patch by Parag Radke <[email protected]> on 2012-02-29
Reviewed by Ryosuke Niwa.

Source/WebCore:

If caret position after deletion and destination position coincide, then
removing the node will result in removing the destination node also. Hence the crash.

Test: editing/deleting/delete-block-merge-contents-025.html

* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cleanupAfterDeletion):
If the caret position after delete and the destination position
render at the same place, pruning the node and making an early exit.

LayoutTests:

Added a test case to test deletion when caret position after deletion and
destination position render at the same place.

* editing/deleting/delete-block-merge-contents-025-expected.txt: Added.
* editing/deleting/delete-block-merge-contents-025.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (109217 => 109218)


--- trunk/LayoutTests/ChangeLog	2012-02-29 16:08:57 UTC (rev 109217)
+++ trunk/LayoutTests/ChangeLog	2012-02-29 16:43:31 UTC (rev 109218)
@@ -1,3 +1,16 @@
+2012-02-29  Parag Radke  <[email protected]>
+
+        Crash in WebCore::CompositeEditCommand::insertNodeAt
+        https://bugs.webkit.org/show_bug.cgi?id=67764
+
+        Reviewed by Ryosuke Niwa.
+
+        Added a test case to test deletion when caret position after deletion and
+        destination postion renders at the same place.
+
+        * editing/deleting/delete-block-merge-contents-025-expected.txt: Added.
+        * editing/deleting/delete-block-merge-contents-025.html: Added.
+
 2012-02-29  Nikolas Zimmermann  <[email protected]>
 
         Not reviewed. Final set of pixel tests for Snow Leopard, svg/ passes with tolerance 0 again,
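Review bot: typo in the new entry's description, "destination postion" should read "destination position". The entry also says the two positions "renders at the same place"; with two subjects that should be "render".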

Added: trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025-expected.txt (0 => 109218)


--- trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025-expected.txt	2012-02-29 16:43:31 UTC (rev 109218)
@@ -0,0 +1,5 @@
+This is to test a usecase in which caret position after deletion and the destination position coincides. To pass this testcase it should not crash.
+
+000A0
+
+

Added: trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025.html (0 => 109218)


--- trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025.html	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-block-merge-contents-025.html	2012-02-29 16:43:31 UTC (rev 109218)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<p>
+This is to test a usecase in which caret position after deletion and the destination position coincides.
+To pass this testcase it should not crash.
+<div contenteditable="true" id="div"><hkern><span contenteditable="false"><dl>000A0<script>
+var sel = window.getSelection();
+sel.setPosition(div, 2000000000);
+document.execCommand("Delete");
+</script>
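Review bot: sel.setPosition(div, 2000000000) in the inline script uses an unexplained offset far larger than anything the div can contain, and it reaches the element through the implicit global created by id="div". Add a one-line comment saying what the oversized offset is meant to produce (presumably a caret at the end of the editable content) and look the element up with document.getElementById("div") so the test does not depend on named-element globals. The unclosed p, hkern, span and dl elements look essential to the reproduction, but nothing in the file says so; a short comment that the markup is intentionally left unclosed would stop a later cleanup from silently turning this into a test that no longer exercises the crash path.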

Modified: trunk/Source/WebCore/ChangeLog (109217 => 109218)


--- trunk/Source/WebCore/ChangeLog	2012-02-29 16:08:57 UTC (rev 109217)
+++ trunk/Source/WebCore/ChangeLog	2012-02-29 16:43:31 UTC (rev 109218)
@@ -1,3 +1,20 @@
+2012-02-29  Parag Radke  <[email protected]>
+
+        Crash in WebCore::CompositeEditCommand::insertNodeAt
+        https://bugs.webkit.org/show_bug.cgi?id=67764
+
+        Reviewed by Ryosuke Niwa.
+
+        If caret position after deletion and destination position coincides then
+        removing the node will result in removing the destination node also. Hence crash.
+
+        Test: editing/deleting/delete-block-merge-contents-025.html
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::cleanupAfterDeletion):
+        If the caret position after delete and the destination position
+        renderes at the same place, pruning the node and making an early exit.
+
 2012-02-29  Pavel Feldman  <[email protected]>
 
         Web Inspector: remove calculator's updateBoundaries in the timeline panel.
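Review bot: typo in the per-function note for cleanupAfterDeletion, "renderes" should be "render". That note also describes the change as "pruning the node and making an early exit", while the code comment added in CompositeEditCommand.cpp says the node "should not be removed"; pick one description and use it in both places so the ChangeLog and the source agree on what happens to the node.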

Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (109217 => 109218)


--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2012-02-29 16:08:57 UTC (rev 109217)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2012-02-29 16:43:31 UTC (rev 109218)
@@ -1032,8 +1032,15 @@
         // doesn't require a placeholder to prop itself open (like a bordered
         // div or an li), remove it during the move (the list removal code
         // expects this behavior).
-        else if (isBlock(node))
+        else if (isBlock(node)) {
+            // If caret position after deletion and destination position coincides,
+            // node should not be removed.
+            if (!position.rendersInDifferentPosition(destination.deepEquivalent())) {
+                prune(node);
+                return;
+            }
             removeNodeAndPruneAncestors(node);
+        }
         else if (lineBreakExistsAtPosition(position)) {
             // There is a preserved '\n' at caretAfterDelete.
             // We can safely assume this is a text node.
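Review bot: the comment added at the top of the isBlock(node) branch says "node should not be removed", but the guarded path then calls prune(node), and the ChangeLog calls this "pruning the node", so a reader cannot tell what is kept and what is deleted. Reword the comment to state what prune(node) leaves in place that removeNodeAndPruneAncestors(node) would have taken out, which per the ChangeLog is the destination node. The condition is a negated negative, !position.rendersInDifferentPosition(destination.deepEquivalent()), which is easy to misread next to that comment; a comment phrased in the same direction as the check ("if both render at the same position") would help. The early return leaves cleanupAfterDeletion entirely rather than falling out of the else-if chain, so please confirm that nothing after the chain needs to run on this path. Style: the closing brace now sits on its own line ahead of the next else if; WebKit style keeps them on one line as "} else if (lineBreakExistsAtPosition(position)) {".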
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
