Title: [150402] trunk
- Revision: 150402
- Author: rn...@webkit.org
- Date: 2013-05-20 20:18:22 -0700 (Mon, 20 May 2013)
Log Message
Null pointer dereference in WebCore::AppendNodeCommand::create
https://bugs.webkit.org/show_bug.cgi?id=116479
Source/WebCore:
Reviewed by Andreas Kling.
Merge https://chromium.googlesource.com/chromium/blink/+/5cb43002a44f67a60ecf5a7ed76de2d0bcf89eb2
DeleteSelection::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss() makes style and link elements
to be the direct children of the editable root. However, these style and link elements are not necessarily editable
and WebKit crashes when they are not.
Test: editing/deleting/delete-uneditable-style.html
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss):
LayoutTests:
Reviewed by Andreas Kling.
Add a regression test.
* editing/deleting/delete-uneditable-style-expected.txt: Added.
* editing/deleting/delete-uneditable-style.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (150401 => 150402)
--- trunk/LayoutTests/ChangeLog 2013-05-21 03:13:12 UTC (rev 150401)
+++ trunk/LayoutTests/ChangeLog 2013-05-21 03:18:22 UTC (rev 150402)
@@ -1,5 +1,17 @@
2013-05-20 Ryosuke Niwa <rn...@webkit.org>
+ Null pointer deference in WebCore::AppendNodeCommand::create
+ https://bugs.webkit.org/show_bug.cgi?id=116479
+
+ Reviewed by Andreas Kling.
+
+ Add a regression test.
+
+ * editing/deleting/delete-uneditable-style-expected.txt: Added.
+ * editing/deleting/delete-uneditable-style.html: Added.
+
+2013-05-20 Ryosuke Niwa <rn...@webkit.org>
+
REGRESSION(r150386): [WK2] loader/go-back-cached-main-resource.html fails
https://bugs.webkit.org/show_bug.cgi?id=116491
Added: trunk/LayoutTests/editing/deleting/delete-uneditable-style-expected.txt (0 => 150402)
--- trunk/LayoutTests/editing/deleting/delete-uneditable-style-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-uneditable-style-expected.txt 2013-05-21 03:18:22 UTC (rev 150402)
@@ -0,0 +1,6 @@
+Test that having a non-editable style and link elements does not cause a crash
+| <span>
+| id="end"
+| "<#selection-caret>end"
+| "
+"
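Review bot: The expected dump keeps only `<span id="end">` and a trailing newline text node under #test, so the `<style>#end { color: red; }</style>` and `<link>` elements from the test page are recorded as deleted, and nothing says whether that is intended. The description line only promises "does not cause a crash"; consider stating there that the non-editable styling elements are expected to be removed with the selection, so that a later change to that behaviour is flagged as a deliberate rebaseline and not mistaken for a regression.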
Added: trunk/LayoutTests/editing/deleting/delete-uneditable-style.html (0 => 150402)
--- trunk/LayoutTests/editing/deleting/delete-uneditable-style.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-uneditable-style.html 2013-05-21 03:18:22 UTC (rev 150402)
@@ -0,0 +1,33 @@
+<!DOCTYPE>
+<html>
+<body>
+<script src=""
+<div contentEditable id="test">
+ <span id="start">start</span>
+ editable-1
+ <div contentEditable="false">
+ <style>#end { color: red; }</style>
+ <link type="foo" href=""
+ uneditable
+ </div>
+ editable-2
+<span id="end">end</span>
+</div>
+<script>
+Markup.description('Test that having a non-editable style and link elements does not cause a crash');
+
+function $(id) { return document.getElementById(id); }
+
+var range = document.createRange();
+range.setStart($('start'));
+range.setEnd($('end'), NaN);
+
+getSelection().addRange(range);
+
+document.execCommand('Delete', null, '');
+
+Markup.dump('test');
+
+</script>
+</body>
+</html>
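Review bot: The range setup depends on argument coercion that has nothing to do with the crash: `range.setStart($('start'))` omits the offset and `range.setEnd($('end'), NaN)` passes NaN. If the bug does not depend on those values, pass explicit offsets (for example `0`) so the test keeps exercising the delete path if argument handling for Range changes. The first line, `<!DOCTYPE>`, also has no name; `<!DOCTYPE html>` would state the intended parsing mode.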
Modified: trunk/Source/WebCore/ChangeLog (150401 => 150402)
--- trunk/Source/WebCore/ChangeLog 2013-05-21 03:13:12 UTC (rev 150401)
+++ trunk/Source/WebCore/ChangeLog 2013-05-21 03:18:22 UTC (rev 150402)
@@ -1,3 +1,21 @@
+2013-05-20 Ryosuke Niwa <rn...@webkit.org>
+
+ Null pointer deference in WebCore::AppendNodeCommand::create
+ https://bugs.webkit.org/show_bug.cgi?id=116479
+
+ Reviewed by Andreas Kling.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/5cb43002a44f67a60ecf5a7ed76de2d0bcf89eb2
+
+ DeleteSelection::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss() make style and link elements
+ to be the direct children of the editable root. However, these style and link elements are not necessary editable
+ and WebKit crashes when they are not.
+
+ Test: editing/deleting/delete-uneditable-style.html
+
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss):
+
2013-05-20 Beth Dakin <bda...@apple.com>
Scrollbars still show sometimes even when WKPageSetSuppressScrollbarAnimations()
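Review bot: The description paragraph names the function as `DeleteSelection::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss()`, while the file entry below it gives the class as `WebCore::DeleteSelectionCommand`; use the same class name in both places so the entry can be searched. In the same paragraph, "not necessary editable" should read "not necessarily editable", and the title line's "deference" should read "dereference". The entry also does not say what the function now does for a node without an editable root (it is left where it is), which is the behaviour change a reader of the ChangeLog would look for.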
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (150401 => 150402)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2013-05-21 03:13:12 UTC (rev 150401)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2013-05-21 03:18:22 UTC (rev 150402)
@@ -426,8 +426,10 @@
if ((node->hasTagName(styleTag) && !(toElement(node.get())->hasAttribute(scopedAttr))) || node->hasTagName(linkTag)) {
nextNode = NodeTraversal::nextSkippingChildren(node.get());
RefPtr<ContainerNode> rootEditableElement = node->rootEditableElement();
- removeNode(node);
- appendNode(node, rootEditableElement);
+ if (rootEditableElement) {
+ removeNode(node);
+ appendNode(node, rootEditableElement);
+ }
}
node = nextNode;
}
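Review bot: The new `if (rootEditableElement)` block has no else branch and no comment, so a style or link node whose `rootEditableElement()` is null is silently left in place, which is at odds with what the function name promises (preventing style loss). Add a one-line comment above the check saying that non-editable styling elements are intentionally not moved, or handle that case explicitly if style preservation is still wanted there. The null check is also the only thing standing between this code and the null dereference in `AppendNodeCommand::create` named in the log message; an assertion in the callee that the parent is non-null would catch any other caller passing a null root.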
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes