[webkit-changes] [161050] trunk/Source/WebCore

Mon, 23 Dec 2013 23:42:09 -0800

Title: [161050] trunk/Source/WebCore
Revision
161050
Author
[email protected]
Date
2013-12-23 23:44:52 -0800 (Mon, 23 Dec 2013)

Log Message

Crash in ReplaceSelectionCommand
https://bugs.webkit.org/show_bug.cgi?id=126107

Reviewed by Benjamin Poulain.

Merge https://chromium.googlesource.com/chromium/blink/+/c1ebe5c1e808daf9db5e348a8d0ab32570b9f7a5
except the test since it doesn't reproduce the crash in WebKit.

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (161049 => 161050)


--- trunk/Source/WebCore/ChangeLog	2013-12-24 07:42:44 UTC (rev 161049)
+++ trunk/Source/WebCore/ChangeLog	2013-12-24 07:44:52 UTC (rev 161050)
@@ -1,3 +1,16 @@
+2013-12-23  Ryosuke Niwa  <[email protected]>
+
+        Crash in ReplaceSelectionCommand
+        https://bugs.webkit.org/show_bug.cgi?id=126107
+
+        Reviewed by Benjamin Poulain.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/c1ebe5c1e808daf9db5e348a8d0ab32570b9f7a5
+        except the test since it doesn't reproduce the crash in WebKit.
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+
 2013-12-23  Benjamin Poulain  <[email protected]>
 
         Add the pseudo classes link and any-link to the Selector Code Generator

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (161049 => 161050)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2013-12-24 07:42:44 UTC (rev 161049)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2013-12-24 07:44:52 UTC (rev 161050)
@@ -996,22 +996,22 @@
     // NOTE: This would be an incorrect usage of downstream() if downstream() were changed to mean the last position after 
     // p that maps to the same visible position as p (since in the case where a br is at the end of a block and collapsed 
     // away, there are positions after the br which map to the same visible position as [br, 0]).  
-    Node* endBR = insertionPos.downstream().deprecatedNode()->hasTagName(brTag) ? insertionPos.downstream().deprecatedNode() : 0;
+    RefPtr<Node> endBR = insertionPos.downstream().deprecatedNode()->hasTagName(brTag) ? insertionPos.downstream().deprecatedNode() : nullptr;
     VisiblePosition originalVisPosBeforeEndBR;
     if (endBR)
-        originalVisPosBeforeEndBR = VisiblePosition(positionBeforeNode(endBR), DOWNSTREAM).previous();
+        originalVisPosBeforeEndBR = VisiblePosition(positionBeforeNode(endBR.get()), DOWNSTREAM).previous();
     
-    startBlock = enclosingBlock(insertionPos.deprecatedNode());
+    RefPtr<Node> insertionBlock = enclosingBlock(insertionPos.deprecatedNode());
     
     // Adjust insertionPos to prevent nesting.
     // If the start was in a Mail blockquote, we will have already handled adjusting insertionPos above.
-    if (m_preventNesting && startBlock && !isTableCell(startBlock) && !startIsInsideMailBlockquote) {
-        ASSERT(startBlock != currentRoot);
+    if (m_preventNesting && insertionBlock && !isTableCell(insertionBlock.get()) && !startIsInsideMailBlockquote) {
+        ASSERT(insertionBlock != currentRoot);
         VisiblePosition visibleInsertionPos(insertionPos);
         if (isEndOfBlock(visibleInsertionPos) && !(isStartOfBlock(visibleInsertionPos) && fragment.hasInterchangeNewlineAtEnd()))
-            insertionPos = positionInParentAfterNode(startBlock);
+            insertionPos = positionInParentAfterNode(insertionBlock.get());
         else if (isStartOfBlock(visibleInsertionPos))
-            insertionPos = positionInParentBeforeNode(startBlock);
+            insertionPos = positionInParentBeforeNode(insertionBlock.get());
     }
     
     // Paste at start or end of link goes outside of link.
@@ -1121,14 +1121,14 @@
 
     VisiblePosition startOfInsertedContent = firstPositionInOrBeforeNode(insertedNodes.firstNodeInserted());
 
-    // We inserted before the startBlock to prevent nesting, and the content before the startBlock wasn't in its own block and
+    // We inserted before the insertionBlock to prevent nesting, and the content before the insertionBlock wasn't in its own block and
     // didn't have a br after it, so the inserted content ended up in the same paragraph.
-    if (startBlock && insertionPos.deprecatedNode() == startBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < startBlock->nodeIndex() && !isStartOfParagraph(startOfInsertedContent))
+    if (insertionBlock && insertionPos.deprecatedNode() == insertionBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < insertionBlock->nodeIndex() && !isStartOfParagraph(startOfInsertedContent))
         insertNodeAt(createBreakElement(document()), startOfInsertedContent.deepEquivalent());
 
-    if (endBR && (plainTextFragment || shouldRemoveEndBR(endBR, originalVisPosBeforeEndBR))) {
+    if (endBR && (plainTextFragment || shouldRemoveEndBR(endBR.get(), originalVisPosBeforeEndBR))) {
         RefPtr<Node> parent = endBR->parentNode();
-        insertedNodes.willRemoveNode(endBR);
+        insertedNodes.willRemoveNode(endBR.get());
         removeNode(endBR);
         if (Node* nodeToRemove = highestNodeToRemoveInPruning(parent.get())) {
             insertedNodes.willRemoveNode(nodeToRemove);

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to