Title: [125751] trunk/Source/WebCore
Revision
125751
Author
[email protected]
Date
2012-08-16 00:06:14 -0700 (Thu, 16 Aug 2012)

Log Message

Unreviewed, rolling out r119705.
http://trac.webkit.org/changeset/119705
https://bugs.webkit.org/show_bug.cgi?id=94192

Causing crash on ClusterFuzz due to incorrect layout ordering
change (Requested by inferno-sec on #webkit).

Patch by Sheriff Bot <[email protected]> on 2012-08-16

* dom/CharacterData.cpp:
(WebCore::CharacterData::setDataAndUpdate):
* editing/FrameSelection.cpp:
(WebCore::updatePositionAfterAdoptingTextReplacement):
(WebCore::FrameSelection::textWillBeReplaced):
* editing/FrameSelection.h:
(FrameSelection):

Modified: trunk/Source/WebCore/ChangeLog (125750 => 125751)


--- trunk/Source/WebCore/ChangeLog	2012-08-16 06:20:00 UTC (rev 125750)
+++ trunk/Source/WebCore/ChangeLog	2012-08-16 07:06:14 UTC (rev 125751)
@@ -1,3 +1,20 @@
+2012-08-16  Sheriff Bot  <[email protected]>
+
+        Unreviewed, rolling out r119705.
+        http://trac.webkit.org/changeset/119705
+        https://bugs.webkit.org/show_bug.cgi?id=94192
+
+        Causing crash on ClusterFuzz due to incorrect layout ordering
+        change (Requested by inferno-sec on #webkit).
+
+        * dom/CharacterData.cpp:
+        (WebCore::CharacterData::setDataAndUpdate):
+        * editing/FrameSelection.cpp:
+        (WebCore::updatePositionAfterAdoptingTextReplacement):
+        (WebCore::FrameSelection::textWillBeReplaced):
+        * editing/FrameSelection.h:
+        (FrameSelection):
+
 2012-08-15  Kent Tamura  <[email protected]>
 
         [Chromium] Refactoring: Introduce a new function for some part of PopupContainer::layoutAndCalculateWidgetRect()

Modified: trunk/Source/WebCore/dom/CharacterData.cpp (125750 => 125751)


--- trunk/Source/WebCore/dom/CharacterData.cpp	2012-08-16 06:20:00 UTC (rev 125750)
+++ trunk/Source/WebCore/dom/CharacterData.cpp	2012-08-16 07:06:14 UTC (rev 125751)
@@ -183,14 +183,11 @@
 
 void CharacterData::setDataAndUpdate(const String& newData, unsigned offsetOfReplacedData, unsigned oldLength, unsigned newLength)
 {
+    if (document()->frame())
+        document()->frame()->selection()->textWillBeReplaced(this, offsetOfReplacedData, oldLength, newLength);
     String oldData = m_data;
     m_data = newData;
-
     updateRenderer(offsetOfReplacedData, oldLength);
-
-    if (document()->frame())
-        document()->frame()->selection()->textWasReplaced(this, offsetOfReplacedData, oldLength, newLength);
-
     document()->incDOMTreeVersion();
     dispatchModifiedEvent(oldData);
 }
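Review bot: Calling `textWillBeReplaced` on the line before `m_data = newData` means the selection offset is moved to its post-replacement value while the node still has the old length, so between those two statements a selection endpoint can point past the current text; that is presumably why the same rollback also drops the `ASSERT(... <= node->length())` in the FrameSelection.cpp hunk at `@@ -422`, and the ordering now has no bounds check at all. Since the log only says the later ordering caused a layout crash, the constraint should at least be written down here, e.g. above the call: `// Must run before m_data changes: the selection is repositioned for newLength and is only consistent with length() once the assignment below completes.` A smaller style point on the same two lines: `document()->frame()` is evaluated twice; `if (Frame* frame = document()->frame()) frame->selection()->textWillBeReplaced(...)` reads more clearly and avoids the repeated lookup.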

Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (125750 => 125751)


--- trunk/Source/WebCore/editing/FrameSelection.cpp	2012-08-16 06:20:00 UTC (rev 125750)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp	2012-08-16 07:06:14 UTC (rev 125751)
@@ -422,8 +422,6 @@
     // (positionOffset > offset + oldLength) to avoid having a stale offset.
     if (positionOffset > offset + oldLength)
         position.moveToOffset(positionOffset - oldLength + newLength);
-
-    ASSERT(static_cast<unsigned>(position.offsetInContainerNode()) <= node->length());
 }
 
 static inline bool nodeIsDetachedFromDocument(Node* node)
@@ -433,7 +431,7 @@
     return highest->nodeType() == Node::DOCUMENT_FRAGMENT_NODE && !highest->isShadowRoot();
 }
 
-void FrameSelection::textWasReplaced(CharacterData* node, unsigned offset, unsigned oldLength, unsigned newLength)
+void FrameSelection::textWillBeReplaced(CharacterData* node, unsigned offset, unsigned oldLength, unsigned newLength)
 {
     // The fragment check is a performance optimization. See http://trac.webkit.org/changeset/30062.
     if (isNone() || !node || nodeIsDetachedFromDocument(node))

Modified: trunk/Source/WebCore/editing/FrameSelection.h (125750 => 125751)


--- trunk/Source/WebCore/editing/FrameSelection.h	2012-08-16 06:20:00 UTC (rev 125750)
+++ trunk/Source/WebCore/editing/FrameSelection.h	2012-08-16 07:06:14 UTC (rev 125751)
@@ -204,7 +204,7 @@
     void debugRenderer(RenderObject*, bool selected) const;
 
     void nodeWillBeRemoved(Node*);
-    void textWasReplaced(CharacterData*, unsigned offset, unsigned oldLength, unsigned newLength);
+    void textWillBeReplaced(CharacterData*, unsigned offset, unsigned oldLength, unsigned newLength);
 
     void setCaretVisible(bool caretIsVisible) { setCaretVisibility(caretIsVisible ? Visible : Hidden); }
     void clearCaretRectIfNeeded();