- Revision: 116895
- Author: [email protected]
- Date: 2012-05-13 06:45:51 -0700 (Sun, 13 May 2012)
Log Message
Merge 110332 - Crash due to inserting letter into div with first-letter
https://bugs.webkit.org/show_bug.cgi?id=78534
Patch by Ken Buchanan <[email protected]> on 2012-03-09
Reviewed by David Hyatt.
Source/WebCore:
This fixes an issue in RenderTextFragment with setTextInternal
getting called with different intents. While most calls to it
are intended to change the underlying DOM node string, it can
also be called as a result of styleDidChange just for transforms
on the substring text fragment. This adds a mechanism for internal
callers to specify if the internal text is being updated without
a DOM node text change.
* rendering/RenderTextFragment.cpp:
(WebCore::RenderTextFragment::styleDidChange)
(WebCore::RenderTextFragment::setTextInternal)
* rendering/RenderTextFragment.h:
(WebCore::RenderTextFragment)
LayoutTests:
Test case to exercise the crashing condition in bug 78534. It inserts
a character in a first-letter div to induce an invalid RenderTextFragment
state.
* editing/inserting/insert-character-in-first-letter-crash-expected.txt: Added
* editing/inserting/insert-character-in-first-letter-crash.html: Added
Conflicts:
Source/WebCore/rendering/RenderTextFragment.cpp
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (116894 => 116895)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-13 13:45:32 UTC (rev 116894)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-13 13:45:51 UTC (rev 116895)
@@ -1,3 +1,17 @@
+2012-03-09 Ken Buchanan <[email protected]>
+
+ Crash due to inserting letter into div with first-letter
+ https://bugs.webkit.org/show_bug.cgi?id=78534
+
+ Reviewed by David Hyatt.
+
+ Test case to exercise the crashing condition in bug 78534. It inserts
+ a character in a first-letter div to induce an invalid RenderTextFragment
+ state.
+
+ * editing/inserting/insert-character-in-first-letter-crash-expected.txt: Added
+ * editing/inserting/insert-character-in-first-letter-crash.html: Added
+
2012-04-19 Dominik Röttsches <[email protected]>
[GTK] 3 fast/ layout tests failing after upgrading libsoup to 2.37.92
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash-expected.txt (0 => 116895)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash-expected.txt 2012-05-13 13:45:51 UTC (rev 116895)
@@ -0,0 +1,2 @@
+◦◦
+PASS if no assert or crash in debug.
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash.html (0 => 116895)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-character-in-first-letter-crash.html 2012-05-13 13:45:51 UTC (rev 116895)
@@ -0,0 +1,35 @@
+<html>
+ <head>
+ <style>
+ #div1 {
+ -webkit-text-security: circle;
+ }
+ #div1::first-letter {
+ display: table-row-group;
+ }
+ #div2 {
+ display: table;
+ }
+ #div2:last-child {
+ display: table-row;
+ }
+ </style>
+ <script>
+ window._onload_ = function() {
+ var div1 = document.getElementById('div1');
+ document.designMode='on';
+ document.execCommand('selectall');
+ document.execCommand('insertText', false, 'Z');
+ document.execCommand('Undo');
+ div1.appendChild(document.createElement('div'));
+ document.execCommand('selectall');
+
+ document.body.appendChild(document.createTextNode("PASS if no assert or crash in debug."));
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ }
+ </script>
+ </head>
+ <body><div id=div1>AB<div id=div2></div></div></body>
+</html>
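Review bot: the handler is attached to `window._onload_` (line `window._onload_ = function() {`), which is not an event the browser dispatches, so as written nothing in the function runs, `layoutTestController.dumpAsText()` is never called and the "PASS if no assert or crash in debug." text is never appended; if this is only a rendering artifact of `window.onload` in the actual file it is fine, otherwise it must be `window.onload`. A one-line comment on the `display: table-row-group` / `display: table` / `display: table-row` rules saying that they are what drives the first-letter RenderTextFragment into the bad state would also help whoever next has to triage a failure of this test, since the markup is otherwise opaque.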
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (116894 => 116895)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-13 13:45:32 UTC (rev 116894)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-13 13:45:51 UTC (rev 116895)
@@ -1,3 +1,24 @@
+2012-03-09 Ken Buchanan <[email protected]>
+
+ Crash due to inserting letter into div with first-letter
+ https://bugs.webkit.org/show_bug.cgi?id=78534
+
+ Reviewed by David Hyatt.
+
+ This fixes an issue in RenderTextFragment with setTextInternal
+ getting called with different intents. While most calls to it
+ are intended to change the underlying DOM node string, it can
+ also be called as a result of styleDidChange just for transforms
+ on the substring text fragment. This adds a mechanism for internal
+ callers to specify if the internal text is being updated without
+ a DOM node text change.
+
+ * rendering/RenderTextFragment.cpp:
+ (WebCore::RenderTextFragment::styleDidChange)
+ (WebCore::RenderTextFragment::setTextInternal)
+ * rendering/RenderTextFragment.h:
+ (WebCore::RenderTextFragment)
+
2012-03-13 Philip Rogers <[email protected]>
Fix the use of stale text fragments
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.cpp (116894 => 116895)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.cpp 2012-05-13 13:45:32 UTC (rev 116894)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.cpp 2012-05-13 13:45:51 UTC (rev 116895)
@@ -33,6 +33,7 @@
, m_start(startOffset)
, m_end(length)
, m_firstLetter(0)
+ , m_allowFragmentReset(true)
{
}
@@ -42,6 +43,7 @@
, m_end(str ? str->length() : 0)
, m_contentString(str)
, m_firstLetter(0)
+ , m_allowFragmentReset(true)
{
}
@@ -60,7 +62,9 @@
void RenderTextFragment::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
{
+ m_allowFragmentReset = false;
RenderText::styleDidChange(diff, oldStyle);
+ m_allowFragmentReset = true;
if (RenderBlock* block = blockForAccompanyingFirstLetter()) {
block->style()->removeCachedPseudoStyle(FIRST_LETTER);
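Review bot: `m_allowFragmentReset` is set to `false` before `RenderText::styleDidChange(diff, oldStyle)` and then unconditionally to `true` afterwards rather than restored to its previous value, so a caller that had already cleared the flag would have it flipped back on by this method; save and restore it (`bool savedAllow = m_allowFragmentReset;` ... `m_allowFragmentReset = savedAllow;`) or use a scoped helper, which also keeps the flag from being left stuck at `false` if an early return is ever added between the two assignments. A short comment stating why the reset must be suppressed here (the style change only re-applies transforms to the existing substring; the DOM text did not change) would put the intent at the call site instead of only in the ChangeLog.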
@@ -77,16 +81,19 @@
void RenderTextFragment::setText(PassRefPtr<StringImpl> text, bool force)
{
- RenderText::setText(text, force);
- m_start = 0;
- m_end = textLength();
- if (m_firstLetter) {
- ASSERT(!m_contentString);
- m_firstLetter->destroy();
- m_firstLetter = 0;
- if (Node* t = node()) {
- ASSERT(!t->renderer());
- t->setRenderer(this);
+ RenderText::setTextInternal(text);
+
+ if (m_allowFragmentReset) {
+ m_start = 0;
+ m_end = textLength();
+ if (m_firstLetter) {
+ ASSERT(!m_contentString);
+ m_firstLetter->destroy();
+ m_firstLetter = 0;
+ if (Node* t = node()) {
+ ASSERT(!t->renderer());
+ t->setRenderer(this);
+ }
}
}
}
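Review bot: the context line shows this function as `RenderTextFragment::setText(PassRefPtr<StringImpl> text, bool force)`, yet the body now calls `RenderText::setTextInternal(text)` and `force` is no longer used anywhere in the hunk, while the ChangeLog lists the touched function as `WebCore::RenderTextFragment::setTextInternal`. Given the conflict recorded for this file in the merge log, check that the merged result matches the upstream change: either this should be the `setTextInternal(PassRefPtr<StringImpl>)` override the ChangeLog describes, or an override of `setText` must still forward to `RenderText::setText(text, force)`. As merged, a caller passing `force` has it silently ignored and the base-class `setText` is bypassed for text fragments, which is exactly the kind of divergence from upstream that a later cherry-pick onto this branch will silently build on.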
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.h (116894 => 116895)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.h 2012-05-13 13:45:32 UTC (rev 116894)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderTextFragment.h 2012-05-13 13:45:51 UTC (rev 116895)
@@ -64,6 +64,7 @@
unsigned m_end;
RefPtr<StringImpl> m_contentString;
RenderObject* m_firstLetter;
+ bool m_allowFragmentReset;
};
inline RenderTextFragment* toRenderTextFragment(RenderObject* object)
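Review bot: the new member `bool m_allowFragmentReset;` has no comment explaining what it guards; add one at the declaration, for example `// False while styleDidChange re-applies text transforms: not a DOM text change, so do not reset m_start/m_end or destroy m_firstLetter.` Since the field is only toggled around a single call in `styleDidChange`, also consider whether a parameter or a scoped setter would express that intent better than persistent per-object state that every future caller of the text-setting path has to know about.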