Title: [116545] trunk
Revision: 116545
Author: [email protected]
Date: 2012-05-09 11:28:39 -0700 (Wed, 09 May 2012)

Log Message

Crash in ReplaceSelectionCommand::performTrivialReplace
https://bugs.webkit.org/show_bug.cgi?id=85943

Reviewed by Ryosuke Niwa.

Source/WebCore:

RefPtr nodeAfterInsertionPos to guard against mutation events.

Test: editing/inserting/insert-html-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::performTrivialReplace):

LayoutTests:

* editing/inserting/insert-html-crash-expected.txt: Added.
* editing/inserting/insert-html-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (116544 => 116545)


--- trunk/LayoutTests/ChangeLog	2012-05-09 17:58:47 UTC (rev 116544)
+++ trunk/LayoutTests/ChangeLog	2012-05-09 18:28:39 UTC (rev 116545)
@@ -1,3 +1,13 @@
+2012-05-09  Abhishek Arya  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::performTrivialReplace
+        https://bugs.webkit.org/show_bug.cgi?id=85943
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/inserting/insert-html-crash-expected.txt: Added.
+        * editing/inserting/insert-html-crash.html: Added.
+
 2012-05-03  Shawn Singh  <[email protected]>
 
         Hit testing is incorrect in some cases with perspective transforms

Added: trunk/LayoutTests/editing/inserting/insert-html-crash-expected.txt (0 => 116545)


--- trunk/LayoutTests/editing/inserting/insert-html-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-html-crash-expected.txt	2012-05-09 18:28:39 UTC (rev 116545)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/editing/inserting/insert-html-crash.html (0 => 116545)


--- trunk/LayoutTests/editing/inserting/insert-html-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-html-crash.html	2012-05-09 18:28:39 UTC (rev 116545)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+document.addEventListener("DOMCharacterDataModified", function() {
+    document.body.innerHTML = "PASS. WebKit didn't crash."; 
+    gc();
+    finishJSTest();
+}, true);
+
+document.write("A<br>");
+document.designMode = "on";
+document.execCommand("SelectAll");
+document.execCommand("InsertHTML", false, 4);
+</script>
+<script src=""
+</html>
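Review bot: both harness includes in this test read `<script src=""` with an empty src and no closing `>`, so as it appears here the file loads neither js-test-pre nor js-test-post, yet the expected output depends on them: `window.jsTestIsAsync`, `finishJSTest()` and the `successfullyParsed` line all come from that harness, and `gc()` is not defined by the test itself either. Worth confirming the real paths survived the commit before landing. Two smaller points: `document.execCommand("InsertHTML", false, 4)` passes a number that is coerced to the string "4", so a string literal would state the intent more plainly; and the file lands with svn:executable set, which an HTML layout test does not need. The shape of the test is otherwise right for the bug: `document.write("A<br>")` puts a `<br>` after the insertion point, and the DOMCharacterDataModified listener replaces `document.body.innerHTML` while the command is still running, which is the mutation-event re-entry the ReplaceSelectionCommand change below is guarding against.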
Property changes on: trunk/LayoutTests/editing/inserting/insert-html-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (116544 => 116545)


--- trunk/Source/WebCore/ChangeLog	2012-05-09 17:58:47 UTC (rev 116544)
+++ trunk/Source/WebCore/ChangeLog	2012-05-09 18:28:39 UTC (rev 116545)
@@ -1,3 +1,17 @@
+2012-05-09  Abhishek Arya  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::performTrivialReplace
+        https://bugs.webkit.org/show_bug.cgi?id=85943
+
+        Reviewed by Ryosuke Niwa.
+
+        RefPtr nodeAfterInsertionPos to guard against mutation events.
+
+        Test: editing/inserting/insert-html-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::performTrivialReplace):
+
 2012-05-03  Shawn Singh  <[email protected]>
 
         Hit testing is incorrect in some cases with perspective transforms

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (116544 => 116545)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-05-09 17:58:47 UTC (rev 116544)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-05-09 18:28:39 UTC (rev 116545)
@@ -1299,7 +1299,7 @@
     if (nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(endingSelection().start()))
         return false;
 
-    Node* nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
+    RefPtr<Node> nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
     Text* textNode = toText(fragment.firstChild());
     // Our fragment creation code handles tabs, spaces, and newlines, so we don't have to worry about those here.
 
@@ -1308,8 +1308,9 @@
     if (end.isNull())
         return false;
 
-    if (nodeAfterInsertionPos && nodeAfterInsertionPos->hasTagName(brTag) && shouldRemoveEndBR(nodeAfterInsertionPos, positionBeforeNode(nodeAfterInsertionPos)))
-        removeNodeAndPruneAncestors(nodeAfterInsertionPos);
+    if (nodeAfterInsertionPos && nodeAfterInsertionPos->parentNode() && nodeAfterInsertionPos->hasTagName(brTag)
+        && shouldRemoveEndBR(nodeAfterInsertionPos.get(), positionBeforeNode(nodeAfterInsertionPos.get())))
+        removeNodeAndPruneAncestors(nodeAfterInsertionPos.get());
 
     VisibleSelection selectionAfterReplace(m_selectReplacement ? start : end, end);
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes