Title: [110487] trunk
Revision
110487
Author
[email protected]
Date
2012-03-12 15:17:55 -0700 (Mon, 12 Mar 2012)

Log Message

Crash in Text::splitText due to mutation events.
https://bugs.webkit.org/show_bug.cgi?id=80828

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: fast/text/split-text-crash.xhtml

* dom/Range.cpp:
(WebCore::Range::insertNode): replace the m_start.container() calls with a ref-protected node.

LayoutTests:

* fast/text/split-text-crash-expected.txt: Added.
* fast/text/split-text-crash.xhtml: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (110486 => 110487)


--- trunk/LayoutTests/ChangeLog	2012-03-12 21:59:55 UTC (rev 110486)
+++ trunk/LayoutTests/ChangeLog	2012-03-12 22:17:55 UTC (rev 110487)
@@ -1,3 +1,13 @@
+2012-03-12  Abhishek Arya  <[email protected]>
+
+        Crash in Text::splitText due to mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=80828
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/text/split-text-crash-expected.txt: Added.
+        * fast/text/split-text-crash.xhtml: Added.
+
 2012-03-12  Kenneth Russell  <[email protected]>
 
         Null argument to texSubImage2D crashes

Added: trunk/LayoutTests/fast/text/split-text-crash-expected.txt (0 => 110487)


--- trunk/LayoutTests/fast/text/split-text-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/text/split-text-crash-expected.txt	2012-03-12 22:17:55 UTC (rev 110487)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/text/split-text-crash.xhtml (0 => 110487)


--- trunk/LayoutTests/fast/text/split-text-crash.xhtml	                        (rev 0)
+++ trunk/LayoutTests/fast/text/split-text-crash.xhtml	2012-03-12 22:17:55 UTC (rev 110487)
@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body></body>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+function crash() {
+    document.designMode = "on";
+    var textNode = document.body.appendChild(document.createTextNode("PASS. WebKit didn't crash."));
+    var range = document.createRange();
+    range.setStart(textNode, 0);
+    document.addEventListener("DOMNodeInserted", function () {
+        document.body.removeChild(textNode);
+        textNode = null;
+
+        if (window.layoutTestController) {
+            GCController.collect();
+            setTimeout("layoutTestController.notifyDone()", 0);
+        }
+    }, true);
+    try {
+        range.insertNode(document.createTextNode(""));
+    } catch(e) { }
+}
+
+window._onload_ = crash;
+</script>
+</html>
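Review bot: `window._onload_ = crash;` on the last script line looks like the mailing-list archive's rewrite of `window.onload`; if the checked-in file really reads `_onload_`, crash() never runs, waitUntilDone() is never released and the test times out instead of printing the expected text, so this is worth confirming against the committed file. The test also depends on splitText(0) moving the whole string into the new node so that the `textNode` removed inside the DOMNodeInserted listener is the now-empty original; a one-line comment above `removeChild`, e.g. `// textNode is empty after the split; the PASS text lives in the split-off node`, would make that intent clear. The second DOMNodeInserted dispatch (from the insertBefore of the empty node) hits `removeChild(null)` and throws inside the listener, which is harmless here but could be guarded with `if (!textNode) return;` to keep the log clean.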
Property changes on: trunk/LayoutTests/fast/text/split-text-crash.xhtml
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (110486 => 110487)


--- trunk/Source/WebCore/ChangeLog	2012-03-12 21:59:55 UTC (rev 110486)
+++ trunk/Source/WebCore/ChangeLog	2012-03-12 22:17:55 UTC (rev 110487)
@@ -1,3 +1,15 @@
+2012-03-12  Abhishek Arya  <[email protected]>
+
+        Crash in Text::splitText due to mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=80828
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: fast/text/split-text-crash.xhtml
+
+        * dom/Range.cpp:
+        (WebCore::Range::insertNode): replace m_start.container() calls with ref protected node.
+
 2012-03-12  Kenneth Russell  <[email protected]>
 
         Null argument to texSubImage2D crashes

Modified: trunk/Source/WebCore/dom/Range.cpp (110486 => 110487)


--- trunk/Source/WebCore/dom/Range.cpp	2012-03-12 21:59:55 UTC (rev 110486)
+++ trunk/Source/WebCore/dom/Range.cpp	2012-03-12 22:17:55 UTC (rev 110487)
@@ -1037,11 +1037,15 @@
     }
 
     bool collapsed = m_start == m_end;
+    RefPtr<Node> container;
     if (startIsText) {
-        RefPtr<Text> newText = toText(m_start.container())->splitText(m_start.offset(), ec);
+        container = m_start.container();
+        RefPtr<Text> newText = toText(container.get())->splitText(m_start.offset(), ec);
         if (ec)
             return;
-        m_start.container()->parentNode()->insertBefore(newNode.release(), newText.get(), ec);
+        
+        container = m_start.container();
+        container->parentNode()->insertBefore(newNode.release(), newText.get(), ec);
         if (ec)
             return;
 
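Review bot: The re-read `container = m_start.container();` at line 143 keeps the node alive through the RefPtr, but `container->parentNode()` on the next line is still dereferenced unconditionally; if the mutation listener fired by splitText() detaches the start container far enough that the range's start is adjusted onto a node with no parent, this is a null dereference (the boundary-adjustment code is outside this hunk, so treat this as a point to confirm). A guard such as `if (!container->parentNode()) { ec = HIERARCHY_REQUEST_ERR; return; }` before the insertBefore would make that failure explicit rather than a crash. The re-read itself deserves a why-comment, since next to line 137 it looks redundant: `// splitText() can fire mutation events that move m_start; re-read the container.` Line 142 adds a line consisting only of trailing whitespace, which WebKit style rejects. Range::insertNode begins and ends outside this hunk; the matching re-read at line 153 in the second hunk is fine, since no mutation event runs between reading the offset and the insert.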
@@ -1055,7 +1059,8 @@
             lastChild = (newNodeType == Node::DOCUMENT_FRAGMENT_NODE) ? newNode->lastChild() : newNode;
 
         int startOffset = m_start.offset();
-        m_start.container()->insertBefore(newNode.release(), m_start.container()->childNode(startOffset), ec);
+        container = m_start.container();
+        container->insertBefore(newNode.release(), container->childNode(startOffset), ec);
         if (ec)
             return;
 