[webkit-changes] [167151] trunk

[mmaxfield]

Title: [167151] trunk

Revision

167151

Author

mmaxfi...@apple.com

Date

2014-04-11 14:35:17 -0700 (Fri, 11 Apr 2014)

Log Message

Autocorrection causes ASSERT when replacing alternative string
https://bugs.webkit.org/show_bug.cgi?id=131475

Reviewed by Ryosuke Niwa.

In AlternativeTextController::applyAlternativeTextToRange(), we attempt to create
a Range that crosses from outside of a shadow root to inside of one. Instead,
we should keep the Range entirely within the shadow root.

Test: ManualTests/autocorrection/autocorrection-accept-crash.html

* editing/AlternativeTextController.cpp:
(WebCore::AlternativeTextController::applyAlternativeTextToRange):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/editing/AlternativeTextController.cpp

Added Paths

• trunk/ManualTests/autocorrection/autocorrection-accept-crash.html

Diff

Added: trunk/ManualTests/autocorrection/autocorrection-accept-crash.html (0 => 167151)

--- trunk/ManualTests/autocorrection/autocorrection-accept-crash.html	                        (rev 0)
+++ trunk/ManualTests/autocorrection/autocorrection-accept-crash.html	2014-04-11 21:35:17 UTC (rev 167151)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<ol>
+<li>Type "word loadp" in the first box.</li>
+<li>When the suggestion popup appears, click in the second box.</li>
+</ol>
+<p>
+This test triggers a codepath when we are trying to determine a range around
+the new correction word. We were remembering the location for the new word
+by creating a Range from the beginning of the document to the beginning of
+the new word. However, since the word is inside a shadow root, this Range
+would collapse and be meaningless. Further processing using the range would
+trigger ASSERTs and crash.
+</p>
+<p>
+The test is successful if there is no crash.
+</p>
+<input id="t" type="text" spellCheck="true">
+<textarea id="a"></textarea>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (167150 => 167151)

--- trunk/Source/WebCore/ChangeLog	2014-04-11 21:27:10 UTC (rev 167150)
+++ trunk/Source/WebCore/ChangeLog	2014-04-11 21:35:17 UTC (rev 167151)
@@ -1,3 +1,19 @@
+2014-04-09  Myles C. Maxfield  <mmaxfi...@apple.com>
+
+        Autocorrection causes ASSERT when replacing alternative string
+        https://bugs.webkit.org/show_bug.cgi?id=131475
+
+        Reviewed by Ryosuke Niwa.
+
+        In AlternativeTextController::applyAlternativeTextToRange(), we attempt to create
+        a Range that crosses from outside of a shadow root to inside of one. Instead,
+        we should keep the Range entirely within the shadow root.
+
+        Test: ManualTests/autocorrection/autocorrection-accept-crash.html
+
+        * editing/AlternativeTextController.cpp:
+        (WebCore::AlternativeTextController::applyAlternativeTextToRange):
+
 2014-04-11  Hans Muller  <hmul...@adobe.com>
 
         [CSS Shapes] shape-outside from image doesn't load properly

Modified: trunk/Source/WebCore/editing/AlternativeTextController.cpp (167150 => 167151)

--- trunk/Source/WebCore/editing/AlternativeTextController.cpp	2014-04-11 21:27:10 UTC (rev 167150)
+++ trunk/Source/WebCore/editing/AlternativeTextController.cpp	2014-04-11 21:35:17 UTC (rev 167151)
@@ -260,8 +260,8 @@
     if (ec)
         return;
 
-    Position startPositionOfrangeWithAlternative = range->startPosition();
-    correctionStartOffsetInParagraphAsRange->setEnd(startPositionOfrangeWithAlternative.containerNode(), startPositionOfrangeWithAlternative.computeOffsetInContainerNode(), ec);
+    Position startPositionOfRangeWithAlternative = range->startPosition();
+    correctionStartOffsetInParagraphAsRange->setEnd(startPositionOfRangeWithAlternative.containerNode(), startPositionOfRangeWithAlternative.computeOffsetInContainerNode(), ec);
     if (ec)
         return;
 
@@ -270,11 +270,12 @@
 
     // Clone the range, since the caller of this method may want to keep the original range around.
     RefPtr<Range> rangeWithAlternative = range->cloneRange(ec);
-    
-    int paragraphStartIndex = TextIterator::rangeLength(Range::create(*m_frame.document(), m_frame.document(), 0, paragraphRangeContainingCorrection.get()->startContainer(), paragraphRangeContainingCorrection.get()->startOffset()).get());
+
+    ContainerNode& rootNode = paragraphRangeContainingCorrection.get()->startContainer()->treeScope().rootNode();
+    int paragraphStartIndex = TextIterator::rangeLength(Range::create(*rootNode.document(), &rootNode, 0, paragraphRangeContainingCorrection.get()->startContainer(), paragraphRangeContainingCorrection.get()->startOffset()).get());
     applyCommand(SpellingCorrectionCommand::create(rangeWithAlternative, alternative));
     // Recalculate pragraphRangeContainingCorrection, since SpellingCorrectionCommand modified the DOM, such that the original paragraphRangeContainingCorrection is no longer valid. Radar: 10305315 Bugzilla: 89526
-    paragraphRangeContainingCorrection = TextIterator::rangeFromLocationAndLength(m_frame.document(), paragraphStartIndex, correctionStartOffsetInParagraph + alternative.length());
+    paragraphRangeContainingCorrection = TextIterator::rangeFromLocationAndLength(&rootNode, paragraphStartIndex, correctionStartOffsetInParagraph + alternative.length());
     
     setEnd(paragraphRangeContainingCorrection.get(), m_frame.selection().selection().start());
     RefPtr<Range> replacementRange = TextIterator::subrange(paragraphRangeContainingCorrection.get(), correctionStartOffsetInParagraph, alternative.length());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes