Title: [148321] branches/safari-536.30-branch/Source/WebCore
- Revision: 148321
- Author: rn...@webkit.org
- Date: 2013-04-12 17:15:14 -0700 (Fri, 12 Apr 2013)
Log Message
Merged r136619. <rdar://problem/13335066>
Modified Paths
Diff
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148320 => 148321)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 00:09:23 UTC (rev 148320)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 00:15:14 UTC (rev 148321)
@@ -1,5 +1,27 @@
2013-04-12 Ryosuke Niwa <rn...@webkit.org>
+ Merge 136619.
+
+ 2012-12-04 Abhishek Arya <infe...@chromium.org>
+
+ Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode
+ https://bugs.webkit.org/show_bug.cgi?id=103515
+
+ Reviewed by Ryosuke Niwa.
+
+ |current| is weak node pointer that iterates in the hierarchy chain
+ between |highestAncestor| and |targetNode|. Script executed as part
+ of iframe onload event can blow away the nodes and we no longer have
+ |targetNode| in our descendants chain. So, we RefPtr |current| and bail
+ out when |targetNode| stops being a part of descendant chain.
+
+ Test blocked on https://bugs.webkit.org/show_bug.cgi?id=104044.
+
+ * editing/ApplyStyleCommand.cpp:
+ (WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode):
+
+2013-04-12 Ryosuke Niwa <rn...@webkit.org>
+
Merge 117463.
2012-05-17 Caio Marcelo de Oliveira Filho <caio.olive...@openbossa.org>
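Review bot: The line "Test blocked on https://bugs.webkit.org/show_bug.cgi?id=104044" means this crash fix reaches the branch with no regression test, and the merge entry does not say how the fix was verified here. Since the entry describes script run from an iframe onload event removing nodes mid-iteration, it would help to note in the "Merge 136619." entry how the merge was checked on this branch and to track landing the test once bug 104044 is resolved. The merge entry also omits the <rdar://problem/13335066> reference that the log message carries; adding it keeps the ChangeLog and the commit log linked.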
Modified: branches/safari-536.30-branch/Source/WebCore/editing/ApplyStyleCommand.cpp (148320 => 148321)
--- branches/safari-536.30-branch/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-04-13 00:09:23 UTC (rev 148320)
+++ branches/safari-536.30-branch/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-04-13 00:15:14 UTC (rev 148321)
@@ -970,24 +970,22 @@
return;
// The outer loop is traversing the tree vertically from highestAncestor to targetNode
- Node* current = highestAncestor;
+ RefPtr<Node> current = highestAncestor;
// Along the way, styled elements that contain targetNode are removed and accumulated into elementsToPushDown.
// Each child of the removed element, exclusing ancestors of targetNode, is then wrapped by clones of elements in elementsToPushDown.
Vector<RefPtr<Element> > elementsToPushDown;
- while (current != targetNode) {
- ASSERT(current);
- ASSERT(current->contains(targetNode));
+ while (current && current != targetNode && current->contains(targetNode)) {
NodeVector currentChildren;
- getChildNodes(current, currentChildren);
+ getChildNodes(current.get(), currentChildren);
RefPtr<StyledElement> styledElement;
- if (current->isStyledElement() && isStyledInlineElementToRemove(static_cast<Element*>(current))) {
- styledElement = static_cast<StyledElement*>(current);
+ if (current->isStyledElement() && isStyledInlineElementToRemove(static_cast<Element*>(current.get()))) {
+ styledElement = static_cast<StyledElement*>(current.get());
elementsToPushDown.append(styledElement);
}
RefPtr<EditingStyle> styleToPushDown = EditingStyle::create();
if (current->isHTMLElement())
- removeInlineStyleFromElement(style, toHTMLElement(current), RemoveIfNeeded, styleToPushDown.get());
+ removeInlineStyleFromElement(style, toHTMLElement(current.get()), RemoveIfNeeded, styleToPushDown.get());
// The inner loop will go through children on each level
// FIXME: we should aggregate inline child elements together so that we don't wrap each child separately.
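Review bot: In the new condition `while (current && current != targetNode && current->contains(targetNode))`, only `current` gains a RefPtr; `targetNode` is still compared and passed to `contains()` on every iteration, and nothing in this hunk shows that a reference to it is held across the script that can run during the loop body. If `targetNode` is a raw pointer here, it should be protected as well (or the caller's ownership documented), otherwise the liveness check itself reads a node that may already be gone. Separately, the two ASSERTs are replaced by a silent early exit, so the loop can now stop partway with `elementsToPushDown` partly filled and style already removed from some ancestors; a short comment on the loop explaining why it may bail out, and a check that the code following the loop tolerates `current != targetNode`, would make the new behaviour explicit.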
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes