[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-34-g43a6bb2

Gustavo Noronha Silva gustavo.noronha at collabora.co.uk
Wed Oct 7 06:26:27 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit d476773c093564382de02eaa9a3d40ce7065dd7f
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Sep 29 23:10:01 2009 +0000

    2009-09-29  Enrica Casucci  <enrica at apple.com>
    
            Reviewed by Adele Peterson.
    
            Test case for <rdar://problem/7085453>.
    
            * editing/selection/blockquote-crash-expected.txt: Added.
            * editing/selection/blockquote-crash.html: Added.
    2009-09-29  Enrica Casucci  <enrica at apple.com>
    
            Reviewed by Adele Peterson.
    
            Reproducible crash pressing return inside quoted content
            at WebCore::BreakBlockquoteCommand::doApply.
            <rdar://problem/7085453>
            In some cases, like the one provided in the test case, m_downStreamEnd
            refers to a node that gets deleted when executing the DeleteSelectionCommand.
            We shouldn't use m_downStreamEnd to recalculate the new m_endPosition when
            pruning is needed, because it may point to a node that has been deleted, but
            rather rely on removeNode in CompositeEditCommand to update m_endPosition correctly.
    
            Test: editing/selection/blockquote-crash.html
    
            * editing/BreakBlockquoteCommand.cpp:
            (WebCore::BreakBlockquoteCommand::doApply): Added check for invalid position
            to avoid dereferencing a null node pointer.
            * editing/DeleteSelectionCommand.cpp:
            (WebCore::DeleteSelectionCommand::mergeParagraphs): Don't reset m_endPosition
            using the value in m_downStreamEnd when it is necessary to prune the start block.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48910 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/editing/selection/blockquote-crash-expected.txt b/LayoutTests/editing/selection/blockquote-crash-expected.txt
new file mode 100644
index 0000000..ba7237c
--- /dev/null
+++ b/LayoutTests/editing/selection/blockquote-crash-expected.txt
@@ -0,0 +1,5 @@
+
+        <div>This test should not crash</div>
+        
+    
+
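Review bot: The expected result holds only the "This test should not crash" div plus whitespace-only lines, so the baseline records that the whole quoted block is gone after the command without saying that this is the intended outcome. State that in the test's visible text, and consider trimming the dumped markup so the baseline does not depend on lines that contain nothing but indentation.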
diff --git a/LayoutTests/editing/selection/blockquote-crash.html b/LayoutTests/editing/selection/blockquote-crash.html
new file mode 100644
index 0000000..72c7942
--- /dev/null
+++ b/LayoutTests/editing/selection/blockquote-crash.html
@@ -0,0 +1,33 @@
+<html>
+    <head>
+        <style>
+            blockquote {
+                color: blue;
+                border-left: 2px solid blue;
+                padding-left: 5px;
+                margin: 0px;
+            }
+        </style>
+        <script>
+            function test()
+            {
+                if (window.layoutTestController)
+                    layoutTestController.dumpAsText();
+
+                var qt = document.getElementById('qt');
+                var sel = window.getSelection();
+                sel.setPosition(qt, 0);
+                sel.modify("extend", "forward", "line");
+                document.execCommand("InsertNewlineInQuotedContent");
+                
+                document.write("<xmp>" + document.body.innerHTML + "</xmp>");
+            }
+        </script>
+    </head>
+    <body contenteditable onload="test()">
+        <div>This test should not crash</div>
+        <blockquote type="cite" id="qt">triple click me! then hit enter
+            <blockquote type="cite"><div style="min-height: 14px;"></div></blockquote>
+        </blockquote>
+    </body>
+</html>
\ No newline at end of file
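Review bot: The test file ends without a trailing newline, and test() gives no description of what it exercises beyond the "should not crash" div. Add the newline and a short comment saying that sel.modify("extend", "forward", "line") stands in for the triple click mentioned in the blockquote text, so the manual and automated paths are clearly the same scenario.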
diff --git a/WebCore/editing/BreakBlockquoteCommand.cpp b/WebCore/editing/BreakBlockquoteCommand.cpp
index 1ca2d87..2da6047 100644
--- a/WebCore/editing/BreakBlockquoteCommand.cpp
+++ b/WebCore/editing/BreakBlockquoteCommand.cpp
@@ -51,7 +51,16 @@ void BreakBlockquoteCommand::doApply()
     if (endingSelection().isRange())
         deleteSelection(false, false);
     
+    // This is a scenario that should never happen, but we want to
+    // make sure we don't dereference a null pointer below.    
+
+    ASSERT(!endingSelection().isNone());
+    
+    if (endingSelection().isNone())
+        return;
+        
     VisiblePosition visiblePos = endingSelection().visibleStart();
+    
     // pos is a position equivalent to the caret.  We use downstream() so that pos will 
     // be in the first node that we need to move (there are a few exceptions to this, see below).
     Position pos = endingSelection().start().downstream();
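Review bot: The new comment in doApply() says the empty selection "should never happen" but does not name what can produce it; since the guard sits directly after deleteSelection(false, false), say so in the comment so the early return has a stated reason. The return also happens after deleteSelection has already run, so it is worth confirming that bailing out at this point leaves the command in a consistent state. The added lines carry trailing whitespace, and the blank line added after the visiblePos declaration is unrelated to the fix.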
diff --git a/WebCore/editing/DeleteSelectionCommand.cpp b/WebCore/editing/DeleteSelectionCommand.cpp
index d94dcd2..fbb5aea 100644
--- a/WebCore/editing/DeleteSelectionCommand.cpp
+++ b/WebCore/editing/DeleteSelectionCommand.cpp
@@ -537,8 +537,6 @@ void DeleteSelectionCommand::mergeParagraphs()
 {
     if (!m_mergeBlocksAfterDelete) {
         if (m_pruneStartBlockIfNecessary) {
-            // Make sure that the ending position isn't inside the block we're about to prune.
-            m_endingPosition = m_downstreamEnd;
             // We aren't going to merge into the start block, so remove it if it's empty.
             prune(m_startBlock);
             // Removing the start block during a deletion is usually an indication that we need
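Review bot: Removing m_endingPosition = m_downstreamEnd in mergeParagraphs() also removes the only comment stating the invariant that the ending position must not be inside the block being pruned, and nothing at prune(m_startBlock) now says who maintains it. The commit message attributes that to removeNode in CompositeEditCommand; a one-line comment above prune(m_startBlock) saying so would keep the assignment from being reintroduced later.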

-- 
WebKit Debian packaging


