Title: [184355] trunk
Revision
184355
Author
[email protected]
Date
2015-05-14 14:39:50 -0700 (Thu, 14 May 2015)

Log Message

Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
https://bugs.webkit.org/show_bug.cgi?id=119068

Reviewed by Enrica Casucci.

Source/WebCore:

The bug was caused by makeInsertedContentRoundTrippableWithHTMLTreeBuilder not updating
the nodes tracked by insertedNodes and moveNodeOutOfAncestor stumbling upon it.

Fixed the bug by updating insertedNodes in makeInsertedContentRoundTrippableWithHTMLTreeBuilder.

Test: editing/inserting/insert-table-in-paragraph-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
(WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor):
* editing/ReplaceSelectionCommand.h:

LayoutTests:

Added a test based on https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744

* editing/inserting/insert-table-in-paragraph-crash-expected.txt: Added.
* editing/inserting/insert-table-in-paragraph-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (184354 => 184355)


--- trunk/LayoutTests/ChangeLog	2015-05-14 21:32:05 UTC (rev 184354)
+++ trunk/LayoutTests/ChangeLog	2015-05-14 21:39:50 UTC (rev 184355)
@@ -1,3 +1,15 @@
+2015-05-13  Ryosuke Niwa  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=119068
+
+        Reviewed by Enrica Casucci.
+
+        Added a test based on https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744
+
+        * editing/inserting/insert-table-in-paragraph-crash-expected.txt: Added.
+        * editing/inserting/insert-table-in-paragraph-crash.html: Added.
+
 2015-05-14  Myles C. Maxfield  <[email protected]>
 
         [Mac] Expose more font weights for -apple-system

Added: trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt (0 => 184355)


--- trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt	2015-05-14 21:39:50 UTC (rev 184355)
@@ -0,0 +1,6 @@
+This tests pasting a table element wrapped in p. WebKit should not crash.
+| <table>
+|   <tbody>
+|     <tr>
+|       <td>
+|         "stats"

Added: trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html (0 => 184355)


--- trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html	2015-05-14 21:39:50 UTC (rev 184355)
@@ -0,0 +1,19 @@
+<!DOCTYPE>
+<html>
+<body>
+<div id="editor" contenteditable="true"></div>
+<script src=""
+<script>
+
+Markup.description('This tests pasting a table element wrapped in p. WebKit should not crash.');
+
+var editor = document.getElementById('editor');
+
+editor.focus();
+document.execCommand('InsertHTML', false, '<p><table><tbody><tr><td>stats</td></tr></tbody></table></p>');
+
+Markup.dump(editor);
+
+</script>
+</body>
+</html>
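Review bot: The first line of the new test is `<!DOCTYPE>` with no name, which the HTML parser treats as a malformed doctype and which puts the document in quirks mode. If quirks mode is not part of what this crash test needs, `<!DOCTYPE html>` keeps it in standards mode. If it is intentional, a one-line HTML comment saying so would stop a later cleanup from changing the behaviour under test.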

Modified: trunk/Source/WebCore/ChangeLog (184354 => 184355)


--- trunk/Source/WebCore/ChangeLog	2015-05-14 21:32:05 UTC (rev 184354)
+++ trunk/Source/WebCore/ChangeLog	2015-05-14 21:39:50 UTC (rev 184355)
@@ -1,3 +1,22 @@
+2015-05-13  Ryosuke Niwa  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=119068
+
+        Reviewed by Enrica Casucci.
+
+        The bug was caused by makeInsertedContentRoundTrippableWithHTMLTreeBuilder not updating
+        nodes kept tracked by insertedNodes and moveNodeOutOfAncestor stumbling upon it.
+
+        Fixed the bug by updating insertedNodes in makeInsertedContentRoundTrippableWithHTMLTreeBuilder.
+
+        Test: editing/inserting/insert-table-in-paragraph-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
+        (WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor):
+        * editing/ReplaceSelectionCommand.h:
+
 2015-05-14  Myles C. Maxfield  <[email protected]>
 
         [Mac] Expose more font weights for -apple-system

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (184354 => 184355)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2015-05-14 21:32:05 UTC (rev 184354)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2015-05-14 21:39:50 UTC (rev 184355)
@@ -635,7 +635,7 @@
             if (auto* paragraphElement = enclosingElementWithTag(positionInParentBeforeNode(node.get()), pTag)) {
                 auto* parent = paragraphElement->parentNode();
                 if (parent && parent->hasEditableStyle())
-                    moveNodeOutOfAncestor(node, paragraphElement);
+                    moveNodeOutOfAncestor(node, paragraphElement, insertedNodes);
             }
         }
 
@@ -643,7 +643,7 @@
             auto* headerElement = highestEnclosingNodeOfType(positionInParentBeforeNode(node.get()), isHeaderElement);
             if (headerElement) {
                 if (headerElement->parentNode() && headerElement->parentNode()->isContentRichlyEditable())
-                    moveNodeOutOfAncestor(node, headerElement);
+                    moveNodeOutOfAncestor(node, headerElement, insertedNodes);
                 else {
                     HTMLElement* newSpanElement = replaceElementWithSpanPreservingChildrenAndAttributes(downcast<HTMLElement>(node.get()));
                     insertedNodes.didReplaceNode(node.get(), newSpanElement);
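Review bot: The header-element branch gets the same `insertedNodes` argument as the paragraph branch in the previous hunk, but the only test added in this commit, insert-table-in-paragraph-crash.html, pastes a table wrapped in `<p>` and so appears to exercise only the paragraph path. A companion layout test that drives the heading path would keep the same stale-tracking crash from returning there unnoticed. The condition that selects `node` for this branch lies outside the hunk, so the exact markup needed is not visible here.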
@@ -653,7 +653,7 @@
     }
 }
 
-void ReplaceSelectionCommand::moveNodeOutOfAncestor(PassRefPtr<Node> prpNode, PassRefPtr<Node> prpAncestor)
+void ReplaceSelectionCommand::moveNodeOutOfAncestor(PassRefPtr<Node> prpNode, PassRefPtr<Node> prpAncestor, InsertedNodes& insertedNodes)
 {
     RefPtr<Node> node = prpNode;
     RefPtr<Node> ancestor = prpAncestor;
@@ -671,8 +671,10 @@
         removeNode(node);
         insertNodeBefore(node, nodeToSplitTo);
     }
-    if (!ancestor->firstChild())
+    if (!ancestor->firstChild()) {
+        insertedNodes.willRemoveNode(ancestor.get());
         removeNode(ancestor.release());
+    }
 }
 
 static inline bool hasRenderedText(const Text& text)
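Review bot: The new `insertedNodes.willRemoveNode(ancestor.get())` call depends on running before `removeNode(ancestor.release())`, and nothing at the call site says so. Presumably willRemoveNode needs the ancestor still attached in order to pick replacement endpoints for the tracked range, so a later reordering would bring back the stale-node crash. A comment such as `// Must precede removeNode: the tracked range is adjusted while ancestor is still in the tree.` would record that. The code before `removeNode(node)` at the top of the hunk is not visible, so whether nodes it touches also need reporting to insertedNodes cannot be judged from here. moveNodeOutOfAncestor begins in the previous hunk.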

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.h (184354 => 184355)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.h	2015-05-14 21:32:05 UTC (rev 184354)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.h	2015-05-14 21:39:50 UTC (rev 184355)
@@ -96,7 +96,7 @@
     
     void removeRedundantStylesAndKeepStyleSpanInline(InsertedNodes&);
     void makeInsertedContentRoundTrippableWithHTMLTreeBuilder(InsertedNodes&);
-    void moveNodeOutOfAncestor(PassRefPtr<Node>, PassRefPtr<Node> ancestor);
+    void moveNodeOutOfAncestor(PassRefPtr<Node>, PassRefPtr<Node> ancestor, InsertedNodes&);
     void handleStyleSpans(InsertedNodes&);
     void handlePasteAsQuotationNode();
     