Title: [103441] branches/safari-534.54-branch
- Revision
- 103441
- Author
- lforsch...@apple.com
- Date
- 2011-12-21 13:49:25 -0800 (Wed, 21 Dec 2011)
Log Message
Merged r94511.
Modified Paths
Added Paths
Diff
Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103440 => 103441)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 21:45:37 UTC (rev 103440)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 21:49:25 UTC (rev 103441)
@@ -1,5 +1,22 @@
2011-12-21 Lucas Forschler <lforsch...@apple.com>
+ Merge 94511
+
+ 2011-09-04 Abhishek Arya <infe...@chromium.org>
+
+ Crash in Range::processAncestorsAndTheirSiblings.
+ https://bugs.webkit.org/show_bug.cgi?id=67556
+
+ Reviewed by Ryosuke Niwa.
+
+ Tests that we do not crash when removing contents of
+ a range from the document.
+
+ * fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt: Added.
+ * fast/dom/Range/range-delete-contents-event-fire-crash.html: Added.
+
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
Merge 94508
2011-09-04 Dan Bernstein <m...@apple.com>
Copied: branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt (from rev 94511, trunk/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt) (0 => 103441)
--- branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt 2011-12-21 21:49:25 UTC (rev 103441)
@@ -0,0 +1,2 @@
+
+PASS
Copied: branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html (from rev 94511, trunk/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html) (0 => 103441)
--- branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html 2011-12-21 21:49:25 UTC (rev 103441)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<div id="test1">
+<input id="test2"/>
+<input id="test3"/>
+<ol></ol>
+</div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ var range = document.createRange();
+ var test1 = document.getElementById("test1");
+ var test2 = document.getElementById("test2");
+ var test3 = document.getElementById("test3");
+
+ range.setStartBefore(test2);
+ range.selectNodeContents(test3);
+ range.setEndAfter(test1);
+ range.commonAncestorContainer;
+ range.deleteContents();
+}
+
+document.addEventListener("DOMSubtreeModified", runTest, true);
+document.body.appendChild(document.createTextNode("PASS"));
+</script>
+</html>
\ No newline at end of file
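Review bot: The test has no comment saying why `runTest` is attached to `DOMSubtreeModified`, and the listener is never removed, so the handler appears to be re-entered while `range.deleteContents()` is still removing nodes; a reader cannot tell whether that is intended. A short comment above the `addEventListener` call would help, for example `// runTest is re-entered from mutation events fired during deleteContents(); the test passes if that does not crash.` The test also drives only `deleteContents()`, so if the patched loop in Range.cpp is shared with `extractContents()`, that path is not covered here.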
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103440 => 103441)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 21:45:37 UTC (rev 103440)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 21:49:25 UTC (rev 103441)
@@ -1,5 +1,25 @@
2011-12-21 Lucas Forschler <lforsch...@apple.com>
+ Merge 94511
+
+ 2011-09-04 Abhishek Arya <infe...@chromium.org>
+
+ Crash in Range::processAncestorsAndTheirSiblings.
+ https://bugs.webkit.org/show_bug.cgi?id=67556
+
+ Reviewed by Ryosuke Niwa.
+
+ Create a temporary RefPtr Node vector to keep all the ancestor's
+ childs so that we don't access removed child nodes.
+
+ Test: fast/dom/Range/range-delete-contents-event-fire-crash.html
+
+ * dom/Range.cpp:
+ (WebCore::Range::processContents):
+ (WebCore::Range::processAncestorsAndTheirSiblings):
+
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
Merge 94508
2011-09-04 Dan Bernstein <m...@apple.com>
Modified: branches/safari-534.54-branch/Source/WebCore/dom/Range.cpp (103440 => 103441)
--- branches/safari-534.54-branch/Source/WebCore/dom/Range.cpp 2011-12-21 21:45:37 UTC (rev 103440)
+++ branches/safari-534.54-branch/Source/WebCore/dom/Range.cpp 2011-12-21 21:49:25 UTC (rev 103441)
@@ -56,6 +56,8 @@
DEFINE_DEBUG_ONLY_GLOBAL(WTF::RefCountedLeakCounter, rangeCounter, ("Range"));
+typedef Vector<RefPtr<Node> > NodeVector;
+
inline Range::Range(PassRefPtr<Document> ownerDocument)
: m_ownerDocument(ownerDocument)
, m_start(m_ownerDocument)
@@ -670,8 +672,6 @@
PassRefPtr<DocumentFragment> Range::processContents(ActionType action, ExceptionCode& ec)
{
- typedef Vector<RefPtr<Node> > NodeVector;
-
RefPtr<DocumentFragment> fragment;
if (action == EXTRACT_CONTENTS || action == CLONE_CONTENTS)
fragment = DocumentFragment::create(m_ownerDocument.get());
@@ -885,9 +885,14 @@
// FIXME: This assertion may fail if DOM is modified during mutation event
// FIXME: Share code with Range::processNodes
ASSERT(!firstChildInAncestorToProcess || firstChildInAncestorToProcess->parentNode() == ancestor);
- RefPtr<Node> next;
- for (Node* child = firstChildInAncestorToProcess.get(); child; child = next.get()) {
- next = direction == ProcessContentsForward ? child->nextSibling() : child->previousSibling();
+
+ NodeVector nodes;
+ for (Node* child = firstChildInAncestorToProcess.get(); child;
+ child = (direction == ProcessContentsForward) ? child->nextSibling() : child->previousSibling())
+ nodes.append(child);
+
+ for (NodeVector::const_iterator it = nodes.begin(); it != nodes.end(); it++) {
+ Node* child = it->get();
switch (action) {
case DELETE_CONTENTS:
ancestor->removeChild(child, ec);
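Review bot: The second loop never re-checks that `child` is still parented by `ancestor` before acting on it, although the `RefPtr` snapshot in `nodes` only guarantees that the node is alive, and the FIXME just above already concedes that the DOM can change during a mutation event. A handler that moves or removes a later sibling while an earlier one is processed leaves a stale entry in `nodes`; for `DELETE_CONTENTS` that should surface only as an error in `ec`, but the other `action` cases are outside this hunk and may act on a node that now lives elsewhere in the tree. Consider a guard at the top of the loop body, `if (child->parentNode() != ancestor) continue;`, or a comment stating that stale entries are tolerated and why. Minor: `++it` is the usual form for the iterator increment. The switch continues past the end of the hunk, so how `ec` is handled after `removeChild` is not visible here.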