Title: [112012] trunk
Revision
112012
Author
[email protected]
Date
2012-03-24 13:03:28 -0700 (Sat, 24 Mar 2012)

Log Message

Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
https://bugs.webkit.org/show_bug.cgi?id=81959

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/execCommand/apply-style-command-crash.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange): RefPtr the weak
node iterator |node|.
* editing/ApplyStyleCommand.h:
(ApplyStyleCommand): convert |startNode| and |pastEndNode| into PassRefPtr.

LayoutTests:

* editing/execCommand/apply-style-command-crash-expected.txt: Added.
* editing/execCommand/apply-style-command-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (112011 => 112012)


--- trunk/LayoutTests/ChangeLog	2012-03-24 19:13:27 UTC (rev 112011)
+++ trunk/LayoutTests/ChangeLog	2012-03-24 20:03:28 UTC (rev 112012)
@@ -1,3 +1,13 @@
+2012-03-24  Abhishek Arya  <[email protected]>
+
+        Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
+        https://bugs.webkit.org/show_bug.cgi?id=81959
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/execCommand/apply-style-command-crash-expected.txt: Added.
+        * editing/execCommand/apply-style-command-crash.html: Added.
+
 2012-03-24  Pavel Feldman  <[email protected]>
 
         Not reviewed: restoring chromium's expectations for effect-custom-parameters-expected.png.

Added: trunk/LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt (0 => 112012)


--- trunk/LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt	2012-03-24 20:03:28 UTC (rev 112012)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash

Added: trunk/LayoutTests/editing/execCommand/apply-style-command-crash.html (0 => 112012)


--- trunk/LayoutTests/editing/execCommand/apply-style-command-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/apply-style-command-crash.html	2012-03-24 20:03:28 UTC (rev 112012)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+_onload_ = function() {
+    x.innerHTML += '';
+}
+
+setTimeout(function() {
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('bold');
+    document.body.offsetTop;
+    document.body.innerHTML = "PASS. WebKit didn't crash";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}, 0)
+</script>
+</head>
+<body>
+<div id="x">
+<iframe src=""
+<div>
+<input></input>
+</div>
+</ul>
+</body>
+</html>
+
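Review bot: The markup from L96 onwards is intentionally malformed (an unterminated `<iframe src=""` tag and a stray `</ul>`), but nothing in the file says so, and a future cleanup could "repair" it and silently lose the reproduction; a leading comment such as `<!-- The malformed markup below is deliberate: it is the DOM shape that reproduced bug 81959. -->` would protect it. The `_onload_` identifier at L80 reads like an archive rendering of `onload`; if it is literal, the handler is never invoked and `x.innerHTML += ''` never runs, so it is worth confirming against the checked-in file.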
Property changes on: trunk/LayoutTests/editing/execCommand/apply-style-command-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (112011 => 112012)


--- trunk/Source/WebCore/ChangeLog	2012-03-24 19:13:27 UTC (rev 112011)
+++ trunk/Source/WebCore/ChangeLog	2012-03-24 20:03:28 UTC (rev 112012)
@@ -1,3 +1,18 @@
+2012-03-24  Abhishek Arya  <[email protected]>
+
+        Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
+        https://bugs.webkit.org/show_bug.cgi?id=81959
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: editing/execCommand/apply-style-command-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange): RefPtr the weak
+        node iterator |node|.
+        * editing/ApplyStyleCommand.h:
+        (ApplyStyleCommand): convert |startNode| and |pastEndNode| into PassRefPtr.
+
 2012-03-24  Jesus Sanchez-Palencia  <[email protected]>
 
         Unreviewed, build fix since we use "-Werror=unused-but-set-variable".

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (112011 => 112012)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-03-24 19:13:27 UTC (rev 112011)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-03-24 20:03:28 UTC (rev 112012)
@@ -704,12 +704,13 @@
     return false;
 }
 
-void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, Node* node, Node* pastEndNode)
+void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, PassRefPtr<Node> startNode, PassRefPtr<Node> pastEndNode)
 {
     if (m_removeOnly)
         return;
 
-    for (RefPtr<Node> next; node && node != pastEndNode; node = next.get()) {
+    RefPtr<Node> node = startNode;
+    for (RefPtr<Node> next; node && node != pastEndNode; node = next) {
         next = node->traverseNextNode();
 
         if (!node->renderer() || !node->rendererIsEditable())
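Review bot: `pastEndNode` is a PassRefPtr parameter that is read repeatedly through the loop (in the loop condition here, and via `.get()` at L161, L179 and L191); the convention for a PassRefPtr that is used more than once is to transfer it to a local at the top of the function, `RefPtr<Node> pastEndNode = prpPastEndNode;`, exactly as the new code already does for `startNode`. Since the bug being fixed is the iterator node being freed mid-walk, the new `RefPtr<Node> node` also deserves a why-comment, e.g. `// Hold a ref: the DOM edits below (e.g. setNodeAttribute) may detach |node|; a raw pointer here could dangle.`. Holding the ref keeps the node alive but not attached, so a `next` captured before an edit may continue the walk into a detached subtree — presumably acceptable, but worth confirming. applyInlineStyleToNodeRange continues past the end of this hunk.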
@@ -719,10 +720,10 @@
             // This is a plaintext-only region. Only proceed if it's fully selected.
             // pastEndNode is the node after the last fully selected node, so if it's inside node then
             // node isn't fully selected.
-            if (pastEndNode && pastEndNode->isDescendantOf(node))
+            if (pastEndNode && pastEndNode->isDescendantOf(node.get()))
                 break;
             // Add to this element's inline style and skip over its contents.
-            HTMLElement* element = toHTMLElement(node);
+            HTMLElement* element = toHTMLElement(node.get());
             RefPtr<StylePropertySet> inlineStyle = element->ensureInlineStyle()->copy();
             inlineStyle->merge(style->style());
             setNodeAttribute(element, styleAttr, inlineStyle->asText());
@@ -730,13 +731,13 @@
             continue;
         }
         
-        if (isBlock(node))
+        if (isBlock(node.get()))
             continue;
         
         if (node->childNodeCount()) {
-            if (node->contains(pastEndNode) || containsNonEditableRegion(node) || !node->parentNode()->rendererIsEditable())
+            if (node->contains(pastEndNode.get()) || containsNonEditableRegion(node.get()) || !node->parentNode()->rendererIsEditable())
                 continue;
-            if (editingIgnoresContent(node)) {
+            if (editingIgnoresContent(node.get())) {
                 next = node->traverseNextSibling();
                 continue;
             }
@@ -745,7 +746,7 @@
         RefPtr<Node> runStart = node;
         RefPtr<Node> runEnd = node;
         Node* sibling = node->nextSibling();
-        while (sibling && sibling != pastEndNode && !sibling->contains(pastEndNode)
+        while (sibling && sibling != pastEndNode && !sibling->contains(pastEndNode.get())
                && (!isBlock(sibling) || sibling->hasTagName(brTag))
                && !containsNonEditableRegion(sibling)) {
             runEnd = sibling;

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.h (112011 => 112012)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.h	2012-03-24 19:13:27 UTC (rev 112011)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.h	2012-03-24 20:03:28 UTC (rev 112012)
@@ -94,7 +94,7 @@
     void applyRelativeFontStyleChange(EditingStyle*);
     void applyInlineStyle(EditingStyle*);
     void fixRangeAndApplyInlineStyle(EditingStyle*, const Position& start, const Position& end);
-    void applyInlineStyleToNodeRange(EditingStyle*, Node* startNode, Node* pastEndNode);
+    void applyInlineStyleToNodeRange(EditingStyle*, PassRefPtr<Node> startNode, PassRefPtr<Node> pastEndNode);
     void addBlockStyle(const StyleChange&, HTMLElement*);
     void addInlineStyleIfNeeded(EditingStyle*, PassRefPtr<Node> start, PassRefPtr<Node> end, EAddStyledElement = AddStyledElement);
     void splitTextAtStart(const Position& start, const Position& end);