Title: [157431] trunk
- Revision: 157431
- Author: [email protected]
- Date: 2013-10-14 16:58:22 -0700 (Mon, 14 Oct 2013)
Log Message
Assertion failure in Range::processContentsBetweenOffsets
https://bugs.webkit.org/show_bug.cgi?id=122777
Reviewed by Darin Adler.
Source/WebCore:
Merge https://chromium.googlesource.com/chromium/blink/+/c15de182774c7859c20d97126eb844ae97b792a4
This patch changes ASSERT statements for checking |endOffset| inbound in Range::processContentsBetweenOffsets()
to limit |endOffset|. This is necessary when DOMNodeRemovedFromDocument event handler splits text nodes,
Range::insertNode() on text node, in the range calling Range::deleteContents().
Test: fast/dom/Range/range-delete-contents-mutation-event-crash.html
* dom/Range.cpp:
(WebCore::Range::processContentsBetweenOffsets):
LayoutTests:
* fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt: Added.
* fast/dom/Range/range-delete-contents-mutation-event-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (157430 => 157431)
--- trunk/LayoutTests/ChangeLog 2013-10-14 23:36:32 UTC (rev 157430)
+++ trunk/LayoutTests/ChangeLog 2013-10-14 23:58:22 UTC (rev 157431)
@@ -1,3 +1,13 @@
+2013-10-14 Ryosuke Niwa <[email protected]>
+
+ Assertion failure in Range::processContentsBetweenOffsets
+ https://bugs.webkit.org/show_bug.cgi?id=122777
+
+ Reviewed by Darin Adler.
+
+ * fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt: Added.
+ * fast/dom/Range/range-delete-contents-mutation-event-crash.html: Added.
+
2013-10-14 Alexey Proskuryakov <[email protected]>
Add an empty window.crypto.webkitSubtle
Added: trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt (0 => 157431)
--- trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt 2013-10-14 23:58:22 UTC (rev 157431)
@@ -0,0 +1,3 @@
+This tests inserting a text node while calling deleteContents. WebKit should not hit an assertion.
+
+PASS.
Added: trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash.html (0 => 157431)
--- trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash.html 2013-10-14 23:58:22 UTC (rev 157431)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="container">
+<div id="sample">foobar</div>baz
+</div>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var sample = document.getElementById('sample');
+
+function removingHandler()
+{
+ document.removeEventListener('DOMNodeRemovedFromDocument', removingHandler, true);
+ var range = document.createRange();
+ range.setStart(sample.nextSibling, 1);
+ range.insertNode(document.createTextNode('FOO'));
+}
+
+document.addEventListener('DOMNodeRemovedFromDocument', removingHandler, true);
+
+var range = document.createRange();
+range.setStart(sample, 0);
+range.setEnd(sample.nextSibling, 3);
+range.deleteContents();
+
+document.body.innerHTML = 'This tests inserting a text node while calling deleteContents. WebKit should not hit an assertion.<br><br>PASS.';
+</script>
+</body>
+</html>
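Review bot: The final document.body.innerHTML assignment writes PASS unconditionally, so the test still passes if removingHandler never runs (for example if DOMNodeRemovedFromDocument does not fire during range.deleteContents()) and the clamped path is never reached. Set a flag inside removingHandler and report FAIL when it is not set, so a pass means the mutation actually happened during deleteContents. It would also help to check the resulting text of #container, since the expected file only records the PASS string and says nothing about what the clamped offsets end up deleting.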
Modified: trunk/Source/WebCore/ChangeLog (157430 => 157431)
--- trunk/Source/WebCore/ChangeLog 2013-10-14 23:36:32 UTC (rev 157430)
+++ trunk/Source/WebCore/ChangeLog 2013-10-14 23:58:22 UTC (rev 157431)
@@ -1,3 +1,21 @@
+2013-10-14 Ryosuke Niwa <[email protected]>
+
+ Assertion failure in Range::processContentsBetweenOffsets
+ https://bugs.webkit.org/show_bug.cgi?id=122777
+
+ Reviewed by Darin Adler.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/c15de182774c7859c20d97126eb844ae97b792a4
+
+ This patch changes ASSERT statements for checking |endOffset| inbound in Range::processContentsBetweenOffsets()
+ to limit |endOffset|. This is necessary when DOMNodeRemovedFromDocument event handler splits text nodes,
+ Range::insertNode() on text node, in the range calling Range::deleteContents().
+
+ Test: fast/dom/Range/range-delete-contents-mutation-event-crash.html
+
+ * dom/Range.cpp:
+ (WebCore::Range::processContentsBetweenOffsets):
+
2013-10-14 Alexey Proskuryakov <[email protected]>
Add an empty window.crypto.webkitSubtle
Modified: trunk/Source/WebCore/dom/Range.cpp (157430 => 157431)
--- trunk/Source/WebCore/dom/Range.cpp 2013-10-14 23:36:32 UTC (rev 157430)
+++ trunk/Source/WebCore/dom/Range.cpp 2013-10-14 23:58:22 UTC (rev 157431)
@@ -787,7 +787,8 @@
case Node::TEXT_NODE:
case Node::CDATA_SECTION_NODE:
case Node::COMMENT_NODE:
- ASSERT(endOffset <= toCharacterData(container)->length());
+ endOffset = std::min(endOffset, static_cast<CharacterData*>(container)->length());
+ startOffset = std::min(startOffset, endOffset);
if (action == Extract || action == Clone) {
RefPtr<CharacterData> c = static_pointer_cast<CharacterData>(container->cloneNode(true));
deleteCharacterData(c, startOffset, endOffset, ec);
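Review bot: The added clamp uses static_cast<CharacterData*>(container), while the removed ASSERT and the deleteData call a few lines below both go through toCharacterData(container); keep the helper here so the cast is consistent across the case. The clamp also silently replaces an assertion, so a one-line comment saying that mutation event handlers can shorten or split the node during deleteContents() would explain why out-of-range offsets are expected here rather than a caller bug. Note that the added test only calls deleteContents(), so the Extract and Clone branch right after the clamp (deleteCharacterData on the cloned node) runs with clamped offsets without any coverage.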
@@ -801,7 +802,8 @@
toCharacterData(container)->deleteData(startOffset, endOffset - startOffset, ec);
break;
case Node::PROCESSING_INSTRUCTION_NODE:
- ASSERT(endOffset <= toProcessingInstruction(container)->data().length());
+ endOffset = std::min(endOffset, static_cast<ProcessingInstruction*>(container)->data().length());
+ startOffset = std::min(startOffset, endOffset);
if (action == Extract || action == Clone) {
RefPtr<ProcessingInstruction> c = static_pointer_cast<ProcessingInstruction>(container->cloneNode(true));
c->setData(c->data().substring(startOffset, endOffset - startOffset), ec);
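Review bot: The PROCESSING_INSTRUCTION_NODE clamp has no test. The added layout test sets its range boundaries on a div and its text-node sibling only, so this branch is never exercised; a variant with a processing instruction as the boundary container would cover it. As in the character-data case, the new line uses static_cast<ProcessingInstruction*>(container) where the removed ASSERT used toProcessingInstruction(container); prefer the helper for consistency.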