Title: [114817] trunk
- Revision: 114817
- Author: [email protected]
- Date: 2012-04-20 18:08:30 -0700 (Fri, 20 Apr 2012)
Log Message
CRASH at WebCore::ReplaceSelectionCommand::removeRedundantMarkup
https://bugs.webkit.org/show_bug.cgi?id=84518
<rdar://problem/10714790>
Reviewed by Simon Fraser.
Source/WebCore:
There are cases where the m_lastNodeInserted is NULL to begin with or
gets deleted by removeRedundantStylesAndKeepStyleSpanInline.
This change handles those cases properly.
Tests: editing/pasteboard/paste-sanitize-crash-1.html
editing/pasteboard/paste-sanitize-crash-2.html
* editing/ReplaceSelectionCommand.h:
(WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf):
* editing/SimplifyMarkupCommand.cpp:
(WebCore::SimplifyMarkupCommand::doApply):
LayoutTests:
* editing/pasteboard/paste-sanitize-crash-1-expected.txt: Added.
* editing/pasteboard/paste-sanitize-crash-1.html: Added.
* editing/pasteboard/paste-sanitize-crash-2-expected.txt: Added.
* editing/pasteboard/paste-sanitize-crash-2.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (114816 => 114817)
--- trunk/LayoutTests/ChangeLog 2012-04-21 01:06:27 UTC (rev 114816)
+++ trunk/LayoutTests/ChangeLog 2012-04-21 01:08:30 UTC (rev 114817)
@@ -1,3 +1,16 @@
+2012-04-20 Enrica Casucci <[email protected]>
+
+ CRASH at WebCore::ReplaceSelectionCommand::removeRedundantMarkup
+ https://bugs.webkit.org/show_bug.cgi?id=84518
+ <rdar://problem/10714790>
+
+ Reviewed by Simon Fraser.
+
+ * editing/pasteboard/paste-sanitize-crash-1-expected.txt: Added.
+ * editing/pasteboard/paste-sanitize-crash-1.html: Added.
+ * editing/pasteboard/paste-sanitize-crash-2-expected.txt: Added.
+ * editing/pasteboard/paste-sanitize-crash-2.html: Added.
+
2012-04-20 Gustavo Noronha Silva <[email protected]>
Rebasing editing results after r114799.
Added: trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1-expected.txt (0 => 114817)
--- trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1-expected.txt 2012-04-21 01:08:30 UTC (rev 114817)
@@ -0,0 +1,7 @@
+one
+two
+three
+four
+two
+
+
Added: trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1.html (0 => 114817)
--- trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1.html (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-1.html 2012-04-21 01:08:30 UTC (rev 114817)
@@ -0,0 +1,34 @@
+<html>
+ <head<></head>
+ <script>
+ function runTest()
+ {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var elem = document.getElementById("test");
+
+ x = elem.offsetLeft + elem.offsetWidth / 2;
+ y = elem.offsetTop + elem.offsetHeight / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ document.execCommand("copy");
+ eventSender.keyDown("downArrow");
+ eventSender.keyDown("downArrow");
+ eventSender.keyDown("downArrow");
+ document.execCommand("paste");
+ }
+ </script>
+ <body _onload_="runTest()" contenteditable="true" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
+ <div>one </div>
+ <div id="test">two </div>three
+ <div>four </div>
+ <div><br></div>
+ </body>
+</html>
\ No newline at end of file
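Review bot: eventSender is called unguarded in runTest() while layoutTestController is checked first, so opening this test outside the test harness throws at eventSender.mouseMoveTo before anything is shown. Wrap the eventSender sequence in the same kind of check and print a short description of the expected result for manual runs. Also, x and y are assigned without var and leak as globals, and the head tag is written as <head<>, which should be <head>.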
Added: trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2-expected.txt (0 => 114817)
--- trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2-expected.txt 2012-04-21 01:08:30 UTC (rev 114817)
@@ -0,0 +1,5 @@
+one
+two
+three
+four
+two
Added: trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2.html (0 => 114817)
--- trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2.html (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-sanitize-crash-2.html 2012-04-21 01:08:30 UTC (rev 114817)
@@ -0,0 +1,29 @@
+<html>
+ <head<></head>
+ <script>
+ function runTest()
+ {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var elem = document.getElementById("test");
+
+ x = elem.offsetLeft + elem.offsetWidth / 2;
+ y = elem.offsetTop + elem.offsetHeight / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ document.execCommand("copy");
+ eventSender.keyDown("downArrow");
+ eventSender.keyDown("downArrow");
+ eventSender.keyDown("downArrow");
+ document.execCommand("paste");
+ }
+ </script>
+ <body _onload_="runTest()" contenteditable="true" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>one </div><div id="test">two </div>
+ three <div>four </div><div><br></div></body></html>
\ No newline at end of file
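Review bot: runTest() here is a line-for-line copy of the one in paste-sanitize-crash-1.html, and the only difference between the two tests is how the body markup is laid out. Nothing in the file says that this layout is what the test depends on, so a later whitespace cleanup could silently turn it into a duplicate of the first test. Add a comment stating which markup shape matters, and consider moving the shared script into a common resource file.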
Modified: trunk/Source/WebCore/ChangeLog (114816 => 114817)
--- trunk/Source/WebCore/ChangeLog 2012-04-21 01:06:27 UTC (rev 114816)
+++ trunk/Source/WebCore/ChangeLog 2012-04-21 01:08:30 UTC (rev 114817)
@@ -1,3 +1,23 @@
+2012-04-20 Enrica Casucci <[email protected]>
+
+ CRASH at WebCore::ReplaceSelectionCommand::removeRedundantMarkup
+ https://bugs.webkit.org/show_bug.cgi?id=84518
+ <rdar://problem/10714790>
+
+ Reviewed by Simon Fraser.
+
+ There are cases where the m_lastNodeInserted is NULL to begin with or
+ gets deleted by removeRedundantStylesAndKeepStyleSpanInline.
+ This change handles those cases properly.
+
+ Tests: editing/pasteboard/paste-sanitize-crash-1.html
+ editing/pasteboard/paste-sanitize-crash-2.html
+
+ * editing/ReplaceSelectionCommand.h:
+ (WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf):
+ * editing/SimplifyMarkupCommand.cpp:
+ (WebCore::SimplifyMarkupCommand::doApply):
+
2012-04-20 Michael Nordman <[email protected]>
[chromium] Tiny change to DomStorage v8 bindings to avoid a relatively expensive test in a couple
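Review bot: the per-function entries for InsertedNodes::pastLastLeaf and SimplifyMarkupCommand::doApply are left blank, and the summary only says the cases are handled properly. State next to each entry what changed: that pastLastLeaf tested m_firstNodeInserted while dereferencing m_lastNodeInserted, and that doApply now stops walking ancestors when parentNode() returns null instead of asserting.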
Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.h (114816 => 114817)
--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.h 2012-04-21 01:06:27 UTC (rev 114816)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.h 2012-04-21 01:08:30 UTC (rev 114817)
@@ -68,7 +68,7 @@
Node* firstNodeInserted() const { return m_firstNodeInserted.get(); }
Node* lastLeafInserted() const { return m_lastNodeInserted->lastDescendant(); }
- Node* pastLastLeaf() const { return m_firstNodeInserted ? lastLeafInserted()->traverseNextNode() : 0; }
+ Node* pastLastLeaf() const { return m_lastNodeInserted ? lastLeafInserted()->traverseNextNode() : 0; }
private:
RefPtr<Node> m_firstNodeInserted;
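Review bot: lastLeafInserted() on the unchanged line above still dereferences m_lastNodeInserted with no null check, so only callers that go through pastLastLeaf() are protected by this change. Since the log says m_lastNodeInserted can be NULL to begin with, either make lastLeafInserted() return 0 when m_lastNodeInserted is null or add an ASSERT there and check its direct callers.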
Modified: trunk/Source/WebCore/editing/SimplifyMarkupCommand.cpp (114816 => 114817)
--- trunk/Source/WebCore/editing/SimplifyMarkupCommand.cpp 2012-04-21 01:06:27 UTC (rev 114816)
+++ trunk/Source/WebCore/editing/SimplifyMarkupCommand.cpp 2012-04-21 01:08:30 UTC (rev 114817)
@@ -62,7 +62,8 @@
nodesToRemove.append(currentNode);
currentNode = currentNode->parentNode();
- ASSERT(currentNode);
+ if (!currentNode)
+ break;
if (!currentNode->renderer() || !currentNode->renderer()->isRenderInline() || toRenderInline(currentNode->renderer())->alwaysCreateLineBoxes())
continue;
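Review bot: the new break is reached after nodesToRemove.append(currentNode) has already run for this walk, so when parentNode() returns null the enclosing loop exits with nodes queued from a partial ancestor chain. Confirm that removing those queued nodes is still correct in that case, or drop them before breaking. A one-line comment on why the parent can be null here would also help, since the removed ASSERT documented the opposite expectation.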