Title: [121996] releases/WebKitGTK/webkit-1.8
Revision: 121996
Author: mrobin...@webkit.org
Date: 2012-07-06 13:01:36 -0700 (Fri, 06 Jul 2012)
Log Message
Merge 116545 - Crash in ReplaceSelectionCommand::performTrivialReplace
https://bugs.webkit.org/show_bug.cgi?id=85943
Patch by Abhishek Arya <infe...@chromium.org> on 2012-05-09
Reviewed by Ryosuke Niwa.
Source/WebCore:
RefPtr nodeAfterInsertionPos to guard against mutation events.
Test: editing/inserting/insert-html-crash.html
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::performTrivialReplace):
LayoutTests:
* editing/inserting/insert-html-crash-expected.txt: Added.
* editing/inserting/insert-html-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121995 => 121996)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-07-06 20:01:27 UTC (rev 121995)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-07-06 20:01:36 UTC (rev 121996)
@@ -1,3 +1,13 @@
+2012-05-09 Abhishek Arya <infe...@chromium.org>
+
+ Crash in ReplaceSelectionCommand::performTrivialReplace
+ https://bugs.webkit.org/show_bug.cgi?id=85943
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/inserting/insert-html-crash-expected.txt: Added.
+ * editing/inserting/insert-html-crash.html: Added.
+
2012-05-10 Abhishek Arya <infe...@chromium.org>
Crash due to floats not removed from first-letter element.
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash-expected.txt (0 => 121996)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash-expected.txt 2012-07-06 20:01:36 UTC (rev 121996)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash.html (0 => 121996)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash.html 2012-07-06 20:01:36 UTC (rev 121996)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+
+if (window.layoutTestController)
+ layoutTestController.waitUntilDone();
+
+document.addEventListener("DOMCharacterDataModified", function() {
+ document.body.innerHTML = "PASS. WebKit didn't crash.";
+ gc();
+ finishJSTest();
+}, true);
+
+document.write("A<br>");
+document.designMode = "on";
+document.execCommand("SelectAll");
+document.execCommand("InsertHTML", false, 4);
+</script>
+<script src=""
+</html>
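Review bot: in the DOMCharacterDataModified listener, the PASS text and finishJSTest() are reached only if that event fires during InsertHTML, so a later change that stops the event being dispatched would turn this test into a timeout under waitUntilDone() rather than a clear failure. A fallback after the final execCommand call that reports a failure when the listener never ran would make that case visible, and a short comment stating that the listener replaces document.body while the command is still running would tell the next reader what the test is guarding.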
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/editing/inserting/insert-html-crash.html
___________________________________________________________________
Added: svn:executable
Added: svn:eol-style
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121995 => 121996)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-07-06 20:01:27 UTC (rev 121995)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-07-06 20:01:36 UTC (rev 121996)
@@ -1,3 +1,17 @@
+2012-05-09 Abhishek Arya <infe...@chromium.org>
+
+ Crash in ReplaceSelectionCommand::performTrivialReplace
+ https://bugs.webkit.org/show_bug.cgi?id=85943
+
+ Reviewed by Ryosuke Niwa.
+
+ RefPtr nodeAfterInsertionPos to guard against mutation events.
+
+ Test: editing/inserting/insert-html-crash.html
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::performTrivialReplace):
+
2012-05-10 Abhishek Arya <infe...@chromium.org>
Crash due to floats not removed from first-letter element.
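Review bot: the entry's description, "RefPtr nodeAfterInsertionPos to guard against mutation events.", covers only part of the change; the same patch also adds a nodeAfterInsertionPos->parentNode() condition before removeNodeAndPruneAncestors. The entry should mention that check and the reason for it, since the RefPtr keeps the node alive but does not keep it attached once a handler has rewritten the document.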
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceSelectionCommand.cpp (121995 => 121996)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2012-07-06 20:01:27 UTC (rev 121995)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2012-07-06 20:01:36 UTC (rev 121996)
@@ -1335,7 +1335,7 @@
if (nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(endingSelection().start()))
return false;
- Node* nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
+ RefPtr<Node> nodeAfterInsertionPos = endingSelection().end().downstream().anchorNode();
Text* textNode = toText(fragment.firstChild());
// Our fragment creation code handles tabs, spaces, and newlines, so we don't have to worry about those here.
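Review bot: the context line directly below the change, "Text* textNode = toText(fragment.firstChild());", is still a raw pointer in the function that this patch treats as reachable by mutation event handlers. If textNode is dereferenced after any call that can dispatch those events it needs the same RefPtr treatment; if the fragment is what keeps it alive, a one-line comment saying so would save the next audit.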
@@ -1344,8 +1344,9 @@
if (end.isNull())
return false;
- if (nodeAfterInsertionPos && nodeAfterInsertionPos->hasTagName(brTag) && shouldRemoveEndBR(nodeAfterInsertionPos, positionBeforeNode(nodeAfterInsertionPos)))
- removeNodeAndPruneAncestors(nodeAfterInsertionPos);
+ if (nodeAfterInsertionPos && nodeAfterInsertionPos->parentNode() && nodeAfterInsertionPos->hasTagName(brTag)
+ && shouldRemoveEndBR(nodeAfterInsertionPos.get(), positionBeforeNode(nodeAfterInsertionPos.get())))
+ removeNodeAndPruneAncestors(nodeAfterInsertionPos.get());
VisibleSelection selectionAfterReplace(m_selectReplacement ? start : end, end);
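Review bot: the added nodeAfterInsertionPos->parentNode() condition shows only that the node has some parent, not that it is still where this command expects it; a handler that moves the <br> instead of removing it would pass the check, and removeNodeAndPruneAncestors would then act on the relocated node. Consider testing that the node is still in the document at the expected position, and add a comment above the condition explaining that script can run between taking the pointer and this line, since nothing in the code says why the parent check is there.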