Title: [124054] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124053 => 124054)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:01:07 UTC (rev 124053)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:15:38 UTC (rev 124054)
@@ -1,5 +1,19 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116669
+
+    2012-05-10  Abhishek Arya  <[email protected]>
+
+            Crash in ApplyStyleCommand::joinChildTextNodes.
+            https://bugs.webkit.org/show_bug.cgi?id=85939
+
+            Reviewed by Ryosuke Niwa.
+
+            * editing/style/apply-style-join-child-text-nodes-crash-expected.txt: Added.
+            * editing/style/apply-style-join-child-text-nodes-crash.html: Added.
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116551
 
     2012-05-09  Ken Buchanan  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash-expected.txt (from rev 116669, trunk/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash-expected.txt) (0 => 124054)


--- branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash-expected.txt	2012-07-30 18:15:38 UTC (rev 124054)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.

Copied: branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash.html (from rev 116669, trunk/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash.html) (0 => 124054)


--- branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/style/apply-style-join-child-text-nodes-crash.html	2012-07-30 18:15:38 UTC (rev 124054)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script id="script1">
+document.addEventListener("DOMCharacterDataModified",function(){
+    document.body.innerHTML = "PASS. WebKit didn't crash."; 
+    gc();
+    finishJSTest();
+},true);
+</script>
+<script>
+window.jsTestIsAsync = true;
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+var scriptElement = document.getElementById('script1');
+scriptElement.parentNode.appendChild(scriptElement.firstChild);
+scriptElement.parentNode.removeChild(scriptElement);
+document.designMode = "on";
+document.execCommand("SelectAll");
+document.execCommand("FontSizeDelta", false, 3);
+</script>
+<script src=""
+</body>
+</html>
+
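Review bot: The DOMCharacterDataModified listener calls `gc()` unguarded at L55, whereas `layoutTestController` is guarded at L62-L63; `gc` is presumably only defined under the test harness, so in a plain browser the listener would throw before `finishJSTest()` and the async test would never complete. Guarding it the same way, `if (window.gc) gc();`, keeps the test runnable outside DumpRenderTree. The two `<script src=""` lines at L51 and L72 look truncated in this listing (the js-test-pre/post harness includes, I assume) and are worth checking against the file as committed.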

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124053 => 124054)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:01:07 UTC (rev 124053)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:15:38 UTC (rev 124054)
@@ -1,5 +1,29 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116669
+
+    2012-05-10  Abhishek Arya  <[email protected]>
+
+            Crash in ApplyStyleCommand::joinChildTextNodes.
+            https://bugs.webkit.org/show_bug.cgi?id=85939
+
+            Reviewed by Ryosuke Niwa.
+
+            Test: editing/style/apply-style-join-child-text-nodes-crash.html
+
+            * editing/ApplyStyleCommand.cpp:
+            (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): add conditions
+            to bail out if our start and end position nodes are removed due to 
+            mutation events in joinChildTextNodes.
+            (WebCore::ApplyStyleCommand::applyInlineStyle): this executes after
+            applyRelativeFontStyleChange in ApplyStyleCommand::doApply. So, need
+            to bail out if our start and end position nodes are removed due to
+            mutation events.
+            (WebCore::ApplyStyleCommand::joinChildTextNodes): hold all the children
+            in a ref vector to prevent them from getting destroyed due to mutation events.
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116647
 
     2012-05-10  Stephen Chenney  <[email protected]>

Modified: branches/safari-536.26-branch/Source/WebCore/editing/ApplyStyleCommand.cpp (124053 => 124054)


--- branches/safari-536.26-branch/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-07-30 18:01:07 UTC (rev 124053)
+++ branches/safari-536.26-branch/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-07-30 18:15:38 UTC (rev 124054)
@@ -320,12 +320,19 @@
         start = startPosition();
         end = endPosition();
     }
+    
+    if (start.isNull() || end.isNull())
+        return;
+
     if (end.deprecatedNode()->isTextNode() && start.deprecatedNode()->parentNode() != end.deprecatedNode()->parentNode()) {
         joinChildTextNodes(end.deprecatedNode()->parentNode(), start, end);
         start = startPosition();
         end = endPosition();
     }
 
+    if (start.isNull() || end.isNull())
+        return;
+
     // Split the start text nodes if needed to apply style.
     if (isValidCaretPositionInTextNode(start)) {
         splitTextAtStart(start, end);
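Review bot: The new `start.isNull() || end.isNull()` guards at L123-L124 and L132-L133 only catch a cleared anchor node; if I read the ChangeLog right, the positions being protected are the command's own m_start/m_end, and a mutation listener that removes the anchor node from the tree leaves those Positions non-null with a detached node, so the guard passes and `end.deprecatedNode()->parentNode()` on the next line can be null, handing joinChildTextNodes a null container. Unless the selection machinery is known to null these positions, I would widen the check to something like `if (start.isNull() || end.isNull() || !start.deprecatedNode()->inDocument() || !end.deprecatedNode()->inDocument()) return;` at both sites. A short why-comment would also help, e.g. `// Mutation events fired by the DOM changes above may have removed our start/end nodes; bail rather than dereference them.` applyRelativeFontStyleChange begins and ends outside this hunk.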
@@ -542,6 +549,10 @@
     // adjust to the positions we want to use for applying style
     Position start = startPosition();
     Position end = endPosition();
+
+    if (start.isNull() || end.isNull())
+        return;
+
     if (comparePositions(end, start) < 0) {
         Position swap = start;
         start = end;
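Review bot: The early return added at L143-L144 carries no comment explaining why two positions read a line earlier could be null, and the reason — applyRelativeFontStyleChange runs before this in doApply and can fire mutation events that remove the start/end nodes — lives only in the ChangeLog. I would put that reasoning next to the check: `// applyRelativeFontStyleChange runs before us in doApply and may fire mutation events that remove the start/end nodes; bail instead of dereferencing them below.` As with the earlier hunk, `isNull()` does not cover a position whose anchor was detached but not cleared, so the same `inDocument()` widening may be wanted here; applyInlineStyle's signature and remainder are outside the hunk.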
@@ -1427,26 +1438,31 @@
     Position newStart = start;
     Position newEnd = end;
 
-    Node* child = node->firstChild();
-    while (child) {
-        Node* next = child->nextSibling();
-        if (child->isTextNode() && next && next->isTextNode()) {
-            Text* childText = toText(child);
-            Text* nextText = toText(next);
-            if (start.anchorType() == Position::PositionIsOffsetInAnchor && next == start.containerNode())
-                newStart = Position(childText, childText->length() + start.offsetInContainerNode());
-            if (end.anchorType() == Position::PositionIsOffsetInAnchor && next == end.containerNode())
-                newEnd = Position(childText, childText->length() + end.offsetInContainerNode());
-            String textToMove = nextText->data();
-            insertTextIntoNode(childText, childText->length(), textToMove);
-            removeNode(next);
-            // don't move child node pointer. it may want to merge with more text nodes.
-        }
-        else {
-            child = child->nextSibling();
-        }
+    Vector<RefPtr<Text> > textNodes;
+    for (Node* curr = node->firstChild(); curr; curr = curr->nextSibling()) {
+        if (!curr->isTextNode())
+            continue;
+        
+        textNodes.append(toText(curr));
     }
 
+    for (size_t i = 0; i < textNodes.size(); ++i) {
+        Text* childText = textNodes[i].get();
+        Node* next = childText->nextSibling();
+        if (!next || !next->isTextNode())
+            continue;
+    
+        Text* nextText = toText(next);
+        if (start.anchorType() == Position::PositionIsOffsetInAnchor && next == start.containerNode())
+            newStart = Position(childText, childText->length() + start.offsetInContainerNode());
+        if (end.anchorType() == Position::PositionIsOffsetInAnchor && next == end.containerNode())
+            newEnd = Position(childText, childText->length() + end.offsetInContainerNode());
+        String textToMove = nextText->data();
+        insertTextIntoNode(childText, childText->length(), textToMove);
+        removeNode(next);
+        // don't move child node pointer. it may want to merge with more text nodes.
+    }
+
     updateStartEnd(newStart, newEnd);
 }
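Review bot: The rewritten loop at L179-L194 no longer merges runs of three or more adjacent text nodes: after `removeNode(next)` the `for` advances to `textNodes[i+1]`, which is the node just removed (kept alive by the RefPtr but detached, so its `nextSibling()` is null and it is skipped), so for siblings T1,T2,T3 the result is T1+T2 and T3, whereas the old `while` kept `child` fixed and merged all three. The comment at L193, "don't move child node pointer", is now stale since the pointer does move. If full merging is still the intent, keep the snapshot for lifetime but re-read the sibling each time, which also tolerates a mutation listener removing `childText` mid-merge (its `nextSibling()` becomes null and the inner loop stops). The function's signature is outside the hunk.
```cpp
for (size_t i = 0; i < textNodes.size(); ++i) {
    Text* childText = textNodes[i].get();
    // Re-read the sibling after every merge: insertTextIntoNode/removeNode fire
    // mutation events, and childText itself may have been detached by one.
    for (Node* next = childText->nextSibling(); next && next->isTextNode(); next = childText->nextSibling()) {
        Text* nextText = toText(next);
        // … unchanged: newStart/newEnd adjustment, insertTextIntoNode, removeNode(next) …
    }
}
```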
 