Title: [135193] trunk
Revision
135193
Author
[email protected]
Date
2012-11-19 13:43:28 -0800 (Mon, 19 Nov 2012)

Log Message

Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
https://bugs.webkit.org/show_bug.cgi?id=100150

Reviewed by Ryosuke Niwa.

Source/WebCore:

RefPtr startDummySpanAncestor and endDummySpanAncestor since
they can go away inside fixRangeAndApplyInlineStyle call.

Test: editing/style/apply-style-crash.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyInlineStyle):

LayoutTests:

* editing/style/apply-style-crash-expected.txt: Added.
* editing/style/apply-style-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (135192 => 135193)


--- trunk/LayoutTests/ChangeLog	2012-11-19 21:25:48 UTC (rev 135192)
+++ trunk/LayoutTests/ChangeLog	2012-11-19 21:43:28 UTC (rev 135193)
@@ -1,3 +1,13 @@
+2012-11-19  Abhishek Arya  <[email protected]>
+
+        Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
+        https://bugs.webkit.org/show_bug.cgi?id=100150
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/style/apply-style-crash-expected.txt: Added.
+        * editing/style/apply-style-crash.html: Added.
+
 2012-11-19  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r135172.

Added: trunk/LayoutTests/editing/style/apply-style-crash-expected.txt (0 => 135193)


--- trunk/LayoutTests/editing/style/apply-style-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/style/apply-style-crash-expected.txt	2012-11-19 21:43:28 UTC (rev 135193)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/editing/style/apply-style-crash.html (0 => 135193)


--- trunk/LayoutTests/editing/style/apply-style-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/style/apply-style-crash.html	2012-11-19 21:43:28 UTC (rev 135193)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+_onload_ = function() {
+    x.innerHTML += '';
+}
+
+setTimeout(function() {
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('bold');
+
+    document.body.offsetTop;
+    document.body.innerHTML = "PASS. WebKit didn't crash.";
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, 0)
+</script>
+<div id="x"><iframe src=""
+<span><span><plaintext>
+
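Review bot: the "_onload_ = function() { x.innerHTML += ''; }" assignment at the top of the script writes to a global named _onload_ that nothing else reads, so that handler never runs and "x.innerHTML += ''" is dead code; if it was meant to run on load, spell it "window.onload = function() { ... }", or drop it, since the setTimeout path is what reaches the 'bold' command. The markup at the end (an unclosed <iframe src="", nested <span>s and a <plaintext>) is deliberately malformed, which is fine for a crash regression test, but a one-line comment saying so would stop it reading as a typo. Also, the "Added: svn:executable" property on an .html test file looks accidental; the executable bit should be dropped before landing.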
Property changes on: trunk/LayoutTests/editing/style/apply-style-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (135192 => 135193)


--- trunk/Source/WebCore/ChangeLog	2012-11-19 21:25:48 UTC (rev 135192)
+++ trunk/Source/WebCore/ChangeLog	2012-11-19 21:43:28 UTC (rev 135193)
@@ -1,3 +1,18 @@
+2012-11-19  Abhishek Arya  <[email protected]>
+
+        Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
+        https://bugs.webkit.org/show_bug.cgi?id=100150
+
+        Reviewed by Ryosuke Niwa.
+
+        RefPtr startDummySpanAncestor and endDummySpanAncestor since
+        they can go away inside fixRangeAndApplyInlineStyle call.
+
+        Test: editing/style/apply-style-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyle):
+
 2012-11-19  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r135172.

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (135192 => 135193)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-11-19 21:25:48 UTC (rev 135192)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2012-11-19 21:43:28 UTC (rev 135193)
@@ -538,8 +538,8 @@
 
 void ApplyStyleCommand::applyInlineStyle(EditingStyle* style)
 {
-    Node* startDummySpanAncestor = 0;
-    Node* endDummySpanAncestor = 0;
+    RefPtr<Node> startDummySpanAncestor = 0;
+    RefPtr<Node> endDummySpanAncestor = 0;
 
     // update document layout once before removing styles
     // so that we avoid the expense of updating before each and every call
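Review bot: "RefPtr<Node> startDummySpanAncestor = 0;" leans on RefPtr's implicit construction from a raw pointer; a default-constructed "RefPtr<Node> startDummySpanAncestor;" is already null and is the usual WebKit spelling, so the "= 0" can go on both lines. More importantly, holding a ref keeps each Node alive but does not keep it in the tree: if fixRangeAndApplyInlineStyle has removed the ancestor, the cleanup below will run on a detached node, so it is worth confirming (and stating in a comment) that cleanupUnstyledAppleStyleSpans tolerates that rather than only assuming the crash is fixed because the pointer is no longer dangling.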
@@ -664,9 +664,9 @@
     fixRangeAndApplyInlineStyle(styleToApply.get(), start, end);
 
     // Remove dummy style spans created by splitting text elements.
-    cleanupUnstyledAppleStyleSpans(startDummySpanAncestor);
+    cleanupUnstyledAppleStyleSpans(startDummySpanAncestor.get());
     if (endDummySpanAncestor != startDummySpanAncestor)
-        cleanupUnstyledAppleStyleSpans(endDummySpanAncestor);
+        cleanupUnstyledAppleStyleSpans(endDummySpanAncestor.get());
 }
 
 void ApplyStyleCommand::fixRangeAndApplyInlineStyle(EditingStyle* style, const Position& start, const Position& end)
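Review bot: the .get() calls are correct as written, since both RefPtrs remain in scope for the whole of each cleanupUnstyledAppleStyleSpans call, and "endDummySpanAncestor != startDummySpanAncestor" still compares the underlying pointers as before. The comment above the calls, though, only says the spans come from splitting text elements; since the entire reason for the RefPtr change is that fixRangeAndApplyInlineStyle can remove these ancestors from the document, add a sentence there (for example: "Hold refs: fixRangeAndApplyInlineStyle may have removed these ancestors from the tree.") so the next reader does not "simplify" them back to raw Node pointers.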
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes