Title: [92139] trunk
- Revision: 92139
- Author: rn...@webkit.org
- Date: 2011-08-01 14:08:17 -0700 (Mon, 01 Aug 2011)
Log Message
Search field in designMode causes a crash
https://bugs.webkit.org/show_bug.cgi?id=65362
Reviewed by Dimitri Glazkov.
Source/WebCore:
The crash was caused by editing code inadvertently deleting search and cancel buttons in the design mode.
Fixed the bug by avoiding inheriting user-modify property from the shadow host.
Test: editing/input/search-field-crash-in-designmode.html
* css/CSSStyleSelector.cpp:
(WebCore::isAtShadowBoundary): Moved.
(WebCore::CSSStyleSelector::styleForElement): Overrides -webkit-user-modify by the initial value after m_style
inherited the values from m_parentStyle but before applying matched rules.
* dom/Node.cpp:
(WebCore::Node::rendererIsEditable): Ignore page's editability inside a shadow DOM.
LayoutTests:
Add a test to ensure WebKit doesn't crash when a user tries to delete inside
an empty search field in the design mode.
* editing/input/search-field-crash-in-designmode-expected.txt: Added.
* editing/input/search-field-crash-in-designmode.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (92138 => 92139)
--- trunk/LayoutTests/ChangeLog 2011-08-01 20:40:04 UTC (rev 92138)
+++ trunk/LayoutTests/ChangeLog 2011-08-01 21:08:17 UTC (rev 92139)
@@ -1,3 +1,16 @@
+2011-08-01 Ryosuke Niwa <rn...@webkit.org>
+
+ Search field in designMode causes a crash
+ https://bugs.webkit.org/show_bug.cgi?id=65362
+
+ Reviewed by Dimitri Glazkov.
+
+ Add a test to ensure WebKit doesn't crash when a user tries to delete inside
+ an empty search field in the design mode.
+
+ * editing/input/search-field-crash-in-designmode-expected.txt: Added.
+ * editing/input/search-field-crash-in-designmode.html: Added.
+
2011-07-28 Abhishek Arya <infe...@chromium.org>
Regression(82144): Crash in TrailingObjects::updateMidpointsForTrailingBoxes
Added: trunk/LayoutTests/editing/input/search-field-crash-in-designmode-expected.txt (0 => 92139)
--- trunk/LayoutTests/editing/input/search-field-crash-in-designmode-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/input/search-field-crash-in-designmode-expected.txt 2011-08-01 21:08:17 UTC (rev 92139)
@@ -0,0 +1,3 @@
+This test ensures WebKit does not crash when user modifies the contents of search fields in the design mode. WebKit should not crash and you should see PASS below:
+
+ PASS
Added: trunk/LayoutTests/editing/input/search-field-crash-in-designmode.html (0 => 92139)
--- trunk/LayoutTests/editing/input/search-field-crash-in-designmode.html (rev 0)
+++ trunk/LayoutTests/editing/input/search-field-crash-in-designmode.html 2011-08-01 21:08:17 UTC (rev 92139)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test ensures WebKit does not crash when user modifies the contents of search fields in the design mode.
+WebKit should not crash and you should see PASS below:</p>
+<input type="search">
+<script>
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.designMode = 'on';
+document.getElementsByTagName('input')[0].focus();
+document.execCommand('delete', false, null);
+
+document.write('PASS');
+
+</script>
+</body>
+</html>
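Review bot: the test only exercises `document.execCommand('delete', false, null)` on an empty search field under `document.designMode = 'on'`, and it passes as long as nothing crashes. The Node.cpp change in this revision gates on page()->isEditable(), and it is not evident from the patch that designMode reaches that branch, so that path may be untested. Consider adding a case with a contenteditable ancestor around the input and one with a non-empty field, and checking after the delete that the field is still usable rather than only writing PASS.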
Modified: trunk/Source/WebCore/ChangeLog (92138 => 92139)
--- trunk/Source/WebCore/ChangeLog 2011-08-01 20:40:04 UTC (rev 92138)
+++ trunk/Source/WebCore/ChangeLog 2011-08-01 21:08:17 UTC (rev 92139)
@@ -1,3 +1,22 @@
+2011-08-01 Ryosuke Niwa <rn...@webkit.org>
+
+ Search field in designMode causes a crash
+ https://bugs.webkit.org/show_bug.cgi?id=65362
+
+ Reviewed by Dimitri Glazkov.
+
+ The crashed was caused by editing code inadvertently deleting search and cancel buttons in the design mode.
+ Fixed the bug by avoid inheriting user-modify property from the shadow host.
+
+ Test: editing/input/search-field-crash-in-designmode.html
+
+ * css/CSSStyleSelector.cpp:
+ (WebCore::isAtShadowBoundary): Moved.
+ (WebCore::CSSStyleSelector::styleForElement): Overrides -webkit-user-modify by the initial value after m_style
+ inherited the values from m_parentStyle but before applying matched rules.
+ * dom/Node.cpp:
+ (WebCore::Node::rendererIsEditable): Ignore page's editability inside a shadow DOM.
+
2011-08-01 Marco Peereboom <ma...@peereboom.us>
[Soup] Set default max-conns to a more sane default value and fix comment
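Review bot: two typos in the description lines of this entry: "The crashed was caused" should read "The crash was caused", and "by avoid inheriting" should read "by avoiding inheriting". The same wording is in the commit log, so fix both before landing.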
Modified: trunk/Source/WebCore/css/CSSStyleSelector.cpp (92138 => 92139)
--- trunk/Source/WebCore/css/CSSStyleSelector.cpp 2011-08-01 20:40:04 UTC (rev 92138)
+++ trunk/Source/WebCore/css/CSSStyleSelector.cpp 2011-08-01 21:08:17 UTC (rev 92139)
@@ -1299,6 +1299,15 @@
return documentStyle.release();
}
+static inline bool isAtShadowBoundary(Element* element)
+{
+ if (!element)
+ return false;
+
+ ContainerNode* parentNode = element->parentNode();
+ return parentNode && parentNode->isShadowRoot();
+}
+
// If resolveForRootDefault is true, style based on user agent style sheet only. This is used in media queries, where
// relative units are interpreted according to document root element style, styled only with UA stylesheet
@@ -1353,6 +1362,10 @@
m_style->font().update(0);
}
+ // Don't propagate user-modify into shadow DOM
+ if (isAtShadowBoundary(e))
+ m_style->setUserModify(RenderStyle::initialUserModify());
+
if (e->isLink()) {
m_style->setIsLink(true);
m_style->setInsideLink(m_elementLinkState);
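Review bot: the reset under `if (isAtShadowBoundary(e))` applies to every element whose parent is a shadow root, so any shadow child that needs to stay editable now depends on a matched rule setting -webkit-user-modify explicitly afterwards. The comment `// Don't propagate user-modify into shadow DOM` should state that ordering dependency (after inheriting from m_parentStyle, before matched rules are applied); the ChangeLog says it but the code does not, and moving this block later would silently override those rules.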
@@ -1803,15 +1816,6 @@
}
}
-static inline bool isAtShadowBoundary(Element* element)
-{
- if (!element)
- return false;
-
- ContainerNode* parentNode = element->parentNode();
- return parentNode && parentNode->isShadowRoot();
-}
-
void CSSStyleSelector::adjustRenderStyle(RenderStyle* style, RenderStyle* parentStyle, Element *e)
{
// Cache our original display.
Modified: trunk/Source/WebCore/dom/Node.cpp (92138 => 92139)
--- trunk/Source/WebCore/dom/Node.cpp 2011-08-01 20:40:04 UTC (rev 92138)
+++ trunk/Source/WebCore/dom/Node.cpp 2011-08-01 21:08:17 UTC (rev 92139)
@@ -781,7 +781,7 @@
bool Node::rendererIsEditable(EditableLevel editableLevel) const
{
- if (document()->frame() && document()->frame()->page() && document()->frame()->page()->isEditable())
+ if (document()->frame() && document()->frame()->page() && document()->frame()->page()->isEditable() && !shadowTreeRootNode())
return true;
// Ideally we'd call ASSERT(!needsStyleRecalc()) here, but
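Review bot: the added `&& !shadowTreeRootNode()` at the end of the condition carries no comment, and the line now chains four terms with document()->frame() evaluated three times. Add a one-line comment saying that nodes inside a shadow tree skip the page-level shortcut and fall through to the rest of the function, and consider hoisting the frame/page lookup into a local so the shadow check is readable on its own. Keeping the shadow check last is right, since it then runs only when the page is editable.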