Title: [124037] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124036 => 124037)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 17:04:40 UTC (rev 124036)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 17:07:13 UTC (rev 124037)
@@ -1,5 +1,19 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116545
+
+    2012-05-09  Abhishek Arya  <[email protected]>
+
+            Crash in ReplaceSelectionCommand::performTrivialReplace
+            https://bugs.webkit.org/show_bug.cgi?id=85943
+
+            Reviewed by Ryosuke Niwa.
+
+            * editing/inserting/insert-html-crash-expected.txt: Added.
+            * editing/inserting/insert-html-crash.html: Added.
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116476
 
     2012-05-08  Abhishek Arya  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash-expected.txt (from rev 116545, trunk/LayoutTests/editing/inserting/insert-html-crash-expected.txt) (0 => 124037)


--- branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash-expected.txt	2012-07-30 17:07:13 UTC (rev 124037)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.

Copied: branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash.html (from rev 116545, trunk/LayoutTests/editing/inserting/insert-html-crash.html) (0 => 124037)


--- branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/inserting/insert-html-crash.html	2012-07-30 17:07:13 UTC (rev 124037)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+document.addEventListener("DOMCharacterDataModified", function() {
+    document.body.innerHTML = "PASS. WebKit didn't crash."; 
+    gc();
+    finishJSTest();
+}, true);
+
+document.write("A<br>");
+document.designMode = "on";
+document.execCommand("SelectAll");
+document.execCommand("InsertHTML", false, 4);
+</script>
+<script src=""
+</html>
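Review bot: The test has no description or comment saying which sequence it covers, so a reader has to go to bug 85943 to learn why the `DOMCharacterDataModified` listener replaces `document.body.innerHTML` and calls `gc()`. I would add a short comment above the listener, for example `// The listener tears down the body while InsertHTML is still running; the command must not touch the freed <br>.` The test also finishes only from inside the listener, so if the event never fires it ends as a timeout rather than a clear failure; a comment saying so would save time when triaging. The two `<script src=""` lines appear truncated on this page, so it is not possible to confirm from here that `gc()` and `finishJSTest()` are defined by the included helpers.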

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124036 => 124037)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 17:04:40 UTC (rev 124036)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 17:07:13 UTC (rev 124037)
@@ -1,5 +1,23 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116545
+
+    2012-05-09  Abhishek Arya  <[email protected]>
+
+            Crash in ReplaceSelectionCommand::performTrivialReplace
+            https://bugs.webkit.org/show_bug.cgi?id=85943
+
+            Reviewed by Ryosuke Niwa.
+
+            RefPtr nodeAfterInsertionPos to guard against mutation events.
+
+            Test: editing/inserting/insert-html-crash.html
+
+            * editing/ReplaceSelectionCommand.cpp:
+            (WebCore::ReplaceSelectionCommand::performTrivialReplace):
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116476
 
     2012-05-08  Abhishek Arya  <[email protected]>

Modified: branches/safari-536.26-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp (124036 => 124037)


--- branches/safari-536.26-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-07-30 17:04:40 UTC (rev 124036)
+++ branches/safari-536.26-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-07-30 17:07:13 UTC (rev 124037)
@@ -1299,7 +1299,7 @@
     if (nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(endingSelection().start()))
         return false;
 
-    Node* nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
+    RefPtr<Node> nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
     Text* textNode = toText(fragment.firstChild());
     // Our fragment creation code handles tabs, spaces, and newlines, so we don't have to worry about those here.
 
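Review bot: The new `RefPtr<Node> nodeAfterInsertionPos` declaration has no comment saying why a strong reference is needed, so a later cleanup could turn it back into a raw pointer. Going by the ChangeLog entry, a mutation event listener can run before the node is used again further down and release it; I would add `// Keep the node alive: mutation event listeners can run before it is used below and drop the last reference.` above the declaration. `textNode` on the next line is still a raw `Text*`; it is presumably kept alive by `fragment`, but that is worth confirming if it is used after the insertion. The function body starts and ends outside this hunk.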
@@ -1308,8 +1308,9 @@
     if (end.isNull())
         return false;
 
-    if (nodeAfterInsertionPos && nodeAfterInsertionPos->hasTagName(brTag) && shouldRemoveEndBR(nodeAfterInsertionPos, positionBeforeNode(nodeAfterInsertionPos)))
-        removeNodeAndPruneAncestors(nodeAfterInsertionPos);
+    if (nodeAfterInsertionPos && nodeAfterInsertionPos->parentNode() && nodeAfterInsertionPos->hasTagName(brTag)
+        && shouldRemoveEndBR(nodeAfterInsertionPos.get(), positionBeforeNode(nodeAfterInsertionPos.get())))
+        removeNodeAndPruneAncestors(nodeAfterInsertionPos.get());
 
     VisibleSelection selectionAfterReplace(m_selectReplacement ? start : end, end);
 
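Review bot: The added `nodeAfterInsertionPos->parentNode()` test only shows that the node still has some parent, not that it is still in the document or at the place the command inspected before the insertion. A listener that moves the `<br>` elsewhere instead of removing it would pass this check, and `removeNodeAndPruneAncestors` would then act on the node's new location; also checking `nodeAfterInsertionPos->inDocument()`, and that the node is still inside the editable root, would be tighter. `start` and `end`, used just below for `selectionAfterReplace`, may have been computed before any listener ran and could need the same revalidation. The enclosing function starts and ends outside the hunk.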