Title: [277163] trunk
- Revision
- 277163
- Author
- commit-qu...@webkit.org
- Date
- 2021-05-07 01:08:40 -0700 (Fri, 07 May 2021)
Log Message
Crash in InsertTextCommand::positionInsideTextNode
https://bugs.webkit.org/show_bug.cgi?id=223753
Patch by Frédéric Wang <fw...@igalia.com> on 2021-05-07
Reviewed by Ryosuke Niwa.
Source/WebCore:
Test: editing/deleting/selection-on-empty-table-row.html
This is a follow-up of bug 213514, where removePreviouslySelectedEmptyTableRows was
modified to ensure the selection is properly updated after deleting the last row. This
patch does the same for other rows.
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::removePreviouslySelectedEmptyTableRows): Update comment
about calling raw removeNode and move it to the top of the function. Replace all the calls
to CompositeEditCommand::removeNode with CompositeEditCommand::removeNodeUpdatingStates so
that the selection is adjusted.
LayoutTests:
Add regression test.
* editing/deleting/selection-on-empty-table-row-expected.txt: Added.
* editing/deleting/selection-on-empty-table-row.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (277162 => 277163)
--- trunk/LayoutTests/ChangeLog 2021-05-07 07:44:31 UTC (rev 277162)
+++ trunk/LayoutTests/ChangeLog 2021-05-07 08:08:40 UTC (rev 277163)
@@ -1,3 +1,15 @@
+2021-05-07 Frédéric Wang <fw...@igalia.com>
+
+ Crash in InsertTextCommand::positionInsideTextNode
+ https://bugs.webkit.org/show_bug.cgi?id=223753
+
+ Reviewed by Ryosuke Niwa.
+
+ Add regression test.
+
+ * editing/deleting/selection-on-empty-table-row-expected.txt: Added.
+ * editing/deleting/selection-on-empty-table-row.html: Added.
+
2021-05-06 Fujii Hironori <hironori.fu...@sony.com>
[WinCairo] Unreviewed test gardening
Added: trunk/LayoutTests/editing/deleting/selection-on-empty-table-row-expected.txt (0 => 277163)
--- trunk/LayoutTests/editing/deleting/selection-on-empty-table-row-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/selection-on-empty-table-row-expected.txt 2021-05-07 08:08:40 UTC (rev 277163)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
Added: trunk/LayoutTests/editing/deleting/selection-on-empty-table-row.html (0 => 277163)
--- trunk/LayoutTests/editing/deleting/selection-on-empty-table-row.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/selection-on-empty-table-row.html 2021-05-07 08:08:40 UTC (rev 277163)
@@ -0,0 +1,20 @@
+<style>
+ :empty {
+ -webkit-appearance: checkbox;
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log('This test passes if it does not crash.');
+ document.body.appendChild(document.createElement('iframe'));
+ let n0 = document.createElement('tr');
+ document.body.appendChild(n0);
+ n0.appendChild(document.createElement('div'));
+ document.body.appendChild(document.createElement('tr'));
+ document.execCommand('SelectAll');
+ document.designMode = 'on';
+ document.execCommand('InsertText', false, '');
+ };
+</script>
Modified: trunk/Source/WebCore/ChangeLog (277162 => 277163)
--- trunk/Source/WebCore/ChangeLog 2021-05-07 07:44:31 UTC (rev 277162)
+++ trunk/Source/WebCore/ChangeLog 2021-05-07 08:08:40 UTC (rev 277163)
@@ -1,3 +1,22 @@
+2021-05-07 Frédéric Wang <fw...@igalia.com>
+
+ Crash in InsertTextCommand::positionInsideTextNode
+ https://bugs.webkit.org/show_bug.cgi?id=223753
+
+ Reviewed by Ryosuke Niwa.
+
+ Test: editing/deleting/selection-on-empty-table-row.html
+
+ This is a follow-up of bug 213514, where removePreviouslySelectedEmptyTableRows was
+ modified to ensure the selection is properly updated after deleting the last row. This
+ patch does the same for other rows.
+
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::removePreviouslySelectedEmptyTableRows): Update comment
+ about calling raw removeNode and move it to the top of the function. Replace all the calls
+ to CompositeEditCommand::removeNode with CompositeEditCommand::removeNodeUpdatingStates so
+ that the selection is adjusted.
+
2021-05-07 Said Abou-Hallawa <s...@apple.com>
[GPU Process] Closing the GPU Process should clear all the back pointers from ItemBuffer to RemoteRenderingBackendProxy
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (277162 => 277163)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-05-07 07:44:31 UTC (rev 277162)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-05-07 08:08:40 UTC (rev 277163)
@@ -846,15 +846,14 @@
void DeleteSelectionCommand::removePreviouslySelectedEmptyTableRows()
{
+ // DeleteSelectionCommand::removeNode does not remove rows but only empties them in preparation for this function.
+ // Instead, DeleteSelectionCommand::removeNodeUpdatingStates is used below, which calls a raw CompositeEditCommand::removeNode and adjusts selection.
if (m_endTableRow && m_endTableRow->isConnected() && m_endTableRow != m_startTableRow) {
auto row = makeRefPtr(m_endTableRow->previousSibling());
while (row && row != m_startTableRow) {
auto previousRow = makeRefPtr(row->previousSibling());
- if (isTableRowEmpty(row.get())) {
- // Use a raw removeNode, instead of DeleteSelectionCommand's, because
- // that won't remove rows, it only empties them in preparation for this function.
- CompositeEditCommand::removeNode(*row);
- }
+ if (isTableRowEmpty(row.get()))
+ removeNodeUpdatingStates(*row, DoNotAssumeContentIsAlwaysEditable);
row = WTFMove(previousRow);
}
}
@@ -865,7 +864,7 @@
while (row && row != m_endTableRow) {
auto nextRow = makeRefPtr(row->nextSibling());
if (isTableRowEmpty(row.get()))
- CompositeEditCommand::removeNode(*row);
+ removeNodeUpdatingStates(*row, DoNotAssumeContentIsAlwaysEditable);
row = WTFMove(nextRow);
}
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
