Title: [191604] trunk
Revision: 191604
Author: [email protected]
Date: 2015-10-26 15:03:55 -0700 (Mon, 26 Oct 2015)

Log Message

Null dereference loading Blink layout test editing/execCommand/insert-html-to-document-element-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149294
<rdar://problem/22746657>

Patch by Jiewen Tan <[email protected]> on 2015-10-26
Reviewed by Darin Adler.

Source/WebCore:

This is a merge of Blink r175019:
https://codereview.chromium.org/300143012

Test: editing/execCommand/insert-html-to-document-element-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline):
check nullable value |element->parentNode()| before using it.

LayoutTests:

* editing/execCommand/insert-html-to-document-element-crash-expected.txt: Added.
* editing/execCommand/insert-html-to-document-element-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (191603 => 191604)


--- trunk/LayoutTests/ChangeLog	2015-10-26 22:01:03 UTC (rev 191603)
+++ trunk/LayoutTests/ChangeLog	2015-10-26 22:03:55 UTC (rev 191604)
@@ -1,5 +1,16 @@
 2015-10-26  Jiewen Tan  <[email protected]>
 
+        Null dereference loading Blink layout test editing/execCommand/insert-html-to-document-element-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149294
+        <rdar://problem/22746657>
+
+        Reviewed by Darin Adler.
+
+        * editing/execCommand/insert-html-to-document-element-crash-expected.txt: Added.
+        * editing/execCommand/insert-html-to-document-element-crash.html: Added.
+
+2015-10-26  Jiewen Tan  <[email protected]>
+
         Null dereference loading Blink layout test editing/execCommand/indent-nested-blockquotes-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=149291
         <rdar://problem/22746473>

Added: trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash-expected.txt (0 => 191604)


--- trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash-expected.txt	2015-10-26 22:03:55 UTC (rev 191604)
@@ -0,0 +1 @@
+Pass if not crash.

Added: trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash.html (0 => 191604)


--- trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-html-to-document-element-crash.html	2015-10-26 22:03:55 UTC (rev 191604)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+_onload_ = function() {
+    // Make documentElement to P element without HTML and BODY.
+    var htmlElement = document.documentElement;
+    var target = document.getElementById('target');
+    document.replaceChild(target, htmlElement);
+
+    document.designMode = 'on';
+    window.getSelection().collapse(target, 0);
+    document.execCommand('InsertHTML', false, '<pre></pre>');
+
+    // Here, document.documentElement is null.
+    document.write('Pass if not crash.');
+};
+</script>
+</head>
+<body>
+<p id="target"></p>
+</body>
+</html>
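
Review bot: The handler in insert-html-to-document-element-crash.html is assigned to a bare global, `_onload_ = function() {`, which no load event invokes, so as shown the replaceChild / designMode / execCommand sequence never runs and 'Pass if not crash.' is never written. If this is meant to be the load handler, assign it to `window.onload` so the test actually exercises the InsertHTML path. The comment "Here, document.documentElement is null." would also be more useful if it said which of the preceding calls leaves it null.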

Modified: trunk/Source/WebCore/ChangeLog (191603 => 191604)


--- trunk/Source/WebCore/ChangeLog	2015-10-26 22:01:03 UTC (rev 191603)
+++ trunk/Source/WebCore/ChangeLog	2015-10-26 22:03:55 UTC (rev 191604)
@@ -1,5 +1,22 @@
 2015-10-26  Jiewen Tan  <[email protected]>
 
+        Null dereference loading Blink layout test editing/execCommand/insert-html-to-document-element-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149294
+        <rdar://problem/22746657>
+
+        Reviewed by Darin Adler.
+
+        This is a merge of Blink r175019:
+        https://codereview.chromium.org/300143012
+
+        Test: editing/execCommand/insert-html-to-document-element-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline):
+        check nullable value |element->parentNode()| before using it.
+
+2015-10-26  Jiewen Tan  <[email protected]>
+
         Null dereference loading Blink layout test editing/execCommand/indent-nested-blockquotes-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=149291
         <rdar://problem/22746473>

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (191603 => 191604)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2015-10-26 22:01:03 UTC (rev 191603)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2015-10-26 22:03:55 UTC (rev 191604)
@@ -528,7 +528,7 @@
             setNodeAttribute(element, styleAttr, newInlineStyle->style()->asText());
 
         // FIXME: Tolerate differences in id, class, and style attributes.
-        if (isNonTableCellHTMLBlockElement(element) && areIdenticalElements(element, element->parentNode())
+        if (element->parentNode() && isNonTableCellHTMLBlockElement(element) && areIdenticalElements(element, element->parentNode())
             && VisiblePosition(firstPositionInNode(element->parentNode())) == VisiblePosition(firstPositionInNode(element))
             && VisiblePosition(lastPositionInNode(element->parentNode())) == VisiblePosition(lastPositionInNode(element))) {
             insertedNodes.willRemoveNodePreservingChildren(element);
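
Review bot: In the first condition, `element->parentNode()` is now evaluated up to four times in one expression (the new guard, the areIdenticalElements argument, and the firstPositionInNode and lastPositionInNode comparisons), and the following hunk repeats the same guard. Hoisting it into a local before the `if`, for example `auto* parent = element->parentNode();`, and testing `parent` once would shorten the condition and make it obvious that every later use is covered by the null check.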
@@ -536,7 +536,7 @@
             continue;
         }
 
-        if (element->parentNode()->hasRichlyEditableStyle())
+        if (element->parentNode() && element->parentNode()->hasRichlyEditableStyle())
             removeNodeAttribute(element, contenteditableAttr);
 
         // WebKit used to not add display: inline and float: none on copy.
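
Review bot: The guard on `element->parentNode()->hasRichlyEditableStyle()` silently leaves the contenteditable attribute on a parentless element, and nothing in the hunk says whether that is intended. A one-line comment stating when the parent can be null here, and that skipping removeNodeAttribute is the desired outcome, would help. It is also worth confirming that code later in this loop does not dereference the parent without the same check, since those lines are outside the visible context.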
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
