Modified: trunk/LayoutTests/ChangeLog (121030 => 121031)
--- trunk/LayoutTests/ChangeLog 2012-06-22 16:46:28 UTC (rev 121030)
+++ trunk/LayoutTests/ChangeLog 2012-06-22 16:48:49 UTC (rev 121031)
@@ -1,3 +1,13 @@
+2012-06-22 Abhishek Arya <[email protected]>
+
+ Crash in DragController::concludeEditDrag.
+ https://bugs.webkit.org/show_bug.cgi?id=89762
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt: Added.
+ * editing/pasteboard/drop-text-events-sideeffect-crash.html: Added.
+
2012-06-22 Takashi Sakamoto <[email protected]>
[Shadow] parentTreeScope() of nested shadow DOM subtree returns document().
Added: trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt (0 => 121031)
--- trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt 2012-06-22 16:48:49 UTC (rev 121031)
@@ -0,0 +1,11 @@
+Ensure safety on side-effect on drop-initiated TextEvent.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS testTargetEditable.innerHTML is 'initialValue'
+PASS testTargetIFrameDocument.body.innerHTML is 'initialBody'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html (0 => 121031)
--- trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html 2012-06-22 16:48:49 UTC (rev 121031)
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+document.body.contentEditable = "true";
+</script>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (121030 => 121031)
--- trunk/Source/WebCore/ChangeLog 2012-06-22 16:46:28 UTC (rev 121030)
+++ trunk/Source/WebCore/ChangeLog 2012-06-22 16:48:49 UTC (rev 121031)
@@ -1,3 +1,18 @@
+2012-06-22 Abhishek Arya <[email protected]>
+
+ Crash in DragController::concludeEditDrag.
+ https://bugs.webkit.org/show_bug.cgi?id=89762
+
+ Reviewed by Ryosuke Niwa.
+
+ RefPtr the innerFrame since it can get destroyed due to mutation
+ event fired in DragController::dispatchTextInputEventFor().
+
+ Test: editing/pasteboard/drop-text-events-sideeffect-crash.html
+
+ * page/DragController.cpp:
+ (WebCore::DragController::concludeEditDrag):
+
2012-06-22 Andrey Kosyakov <[email protected]>
Web Inspector: timeline event details popup misses CPU time
Modified: trunk/Source/WebCore/page/DragController.cpp (121030 => 121031)
--- trunk/Source/WebCore/page/DragController.cpp 2012-06-22 16:46:28 UTC (rev 121030)
+++ trunk/Source/WebCore/page/DragController.cpp 2012-06-22 16:48:49 UTC (rev 121031)
@@ -442,10 +442,10 @@
Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
if (!element)
return false;
- Frame* innerFrame = element->ownerDocument()->frame();
+ RefPtr<Frame> innerFrame = element->ownerDocument()->frame();
ASSERT(innerFrame);
- if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame, dragData))
+ if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame.get(), dragData))
return true;
if (dragData->containsColor()) {
@@ -490,7 +490,7 @@
ResourceCacheValidationSuppressor validationSuppressor(cachedResourceLoader);
if (dragIsMove(innerFrame->selection(), dragData) || dragCaret.isContentRichlyEditable()) {
bool chosePlainText = false;
- RefPtr<DocumentFragment> fragment = documentFragmentFromDragData(dragData, innerFrame, range, true, chosePlainText);
+ RefPtr<DocumentFragment> fragment = documentFragmentFromDragData(dragData, innerFrame.get(), range, true, chosePlainText);
if (!fragment || !innerFrame->editor()->shouldInsertFragment(fragment, range, EditorInsertActionDropped)) {
return false;
}
@@ -503,7 +503,7 @@
bool smartInsert = smartDelete && innerFrame->selection()->granularity() == WordGranularity && dragData->canSmartReplace();
applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete));
} else {
- if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) {
+ if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point)) {
ReplaceSelectionCommand::CommandOptions options = ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::PreventNesting;
if (dragData->canSmartReplace())
options |= ReplaceSelectionCommand::SmartReplace;
@@ -513,13 +513,13 @@
}
}
} else {
- String text = dragData->asPlainText(innerFrame);
+ String text = dragData->asPlainText(innerFrame.get());
if (text.isEmpty() || !innerFrame->editor()->shouldInsertText(text, range.get(), EditorInsertActionDropped)) {
return false;
}
m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData);
- if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
+ if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point))
applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::MatchStyle | ReplaceSelectionCommand::PreventNesting));
}
