[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
eric at webkit.org
Thu Oct 29 20:36:34 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 5fbc25ce0bbe0db264447d9f2eddb43981f0e848
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Sep 29 23:10:01 2009 +0000
2009-09-29 Enrica Casucci <enrica at apple.com>
Reviewed by Adele Peterson.
Test case for <rdar://problem/7085453>.
* editing/selection/blockquote-crash-expected.txt: Added.
* editing/selection/blockquote-crash.html: Added.
2009-09-29 Enrica Casucci <enrica at apple.com>
Reviewed by Adele Peterson.
Reproducible crash pressing return inside quoted content
at WebCore::BreakBlockquoteCommand::doApply.
<rdar://problem/7085453>
In some cases, like the one provided in the test case, m_downStreamEnd
refers to a node that gets deleted when executing the DeleteSelectionCommand.
We shouldn't use m_downStreamEnd to recalculate the new m_endPosition when
pruning is needed, because it may point to a node that has been deleted, but
rather rely on removeNode in CompositeEditCommand to update m_endPosition correctly.
Test: editing/selection/blockquote-crash.html
* editing/BreakBlockquoteCommand.cpp:
(WebCore::BreakBlockquoteCommand::doApply): Added check for invalid position
to avoid dereferencing a null node pointer.
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::mergeParagraphs): Don't reset m_endPosition
using the value in m_downStreamEnd when it is necessary to prune the start block.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48910 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f274228..1a57a45 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2009-09-29 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Adele Peterson.
+
+ Test case for <rdar://problem/7085453>.
+
+ * editing/selection/blockquote-crash-expected.txt: Added.
+ * editing/selection/blockquote-crash.html: Added.
+
2009-09-29 Kent Tamura <tkent at chromium.org>
Reviewed by Darin Adler.
diff --git a/LayoutTests/editing/selection/blockquote-crash-expected.txt b/LayoutTests/editing/selection/blockquote-crash-expected.txt
new file mode 100644
index 0000000..ba7237c
--- /dev/null
+++ b/LayoutTests/editing/selection/blockquote-crash-expected.txt
@@ -0,0 +1,5 @@
+
+ <div>This test should not crash</div>
+
+
+
diff --git a/LayoutTests/editing/selection/blockquote-crash.html b/LayoutTests/editing/selection/blockquote-crash.html
new file mode 100644
index 0000000..72c7942
--- /dev/null
+++ b/LayoutTests/editing/selection/blockquote-crash.html
@@ -0,0 +1,33 @@
+<html>
+ <head>
+ <style>
+ blockquote {
+ color: blue;
+ border-left: 2px solid blue;
+ padding-left: 5px;
+ margin: 0px;
+ }
+ </style>
+ <script>
+ function test()
+ {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var qt = document.getElementById('qt');
+ var sel = window.getSelection();
+ sel.setPosition(qt, 0);
+ sel.modify("extend", "forward", "line");
+ document.execCommand("InsertNewlineInQuotedContent");
+
+ document.write("<xmp>" + document.body.innerHTML + "</xmp>");
+ }
+ </script>
+ </head>
+ <body contenteditable onload="test()">
+ <div>This test should not crash</div>
+ <blockquote type="cite" id="qt">triple click me! then hit enter
+ <blockquote type="cite"><div style="min-height: 14px;"></div></blockquote>
+ </blockquote>
+ </body>
+</html>
\ No newline at end of file
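Review bot: The pass condition in `test()` is the serialized `document.body.innerHTML` written back with `document.write`, so the expectation is tied to the exact markup and whitespace the editing code leaves behind, not only to the absence of a crash. For a crash regression test, consider writing a fixed string after `execCommand("InsertNewlineInQuotedContent")` returns, so that unrelated serialization changes do not need a rebaseline. The file also ends without a trailing newline.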
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4ce6138..72d6f6c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2009-09-29 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Adele Peterson.
+
+ Reproducible crash pressing return inside quoted content
+ at WebCore::BreakBlockquoteCommand::doApply.
+ <rdar://problem/7085453>
+ In some case, like the one provided in the test case, m_downStreamEnd
+ refers to a node that gets deleted when executing the DeleteSelectionCommand.
+ We shouldn't use m_downStreamEnd to recalculate the new m_endPosition when
+ pruning is needed, because it may be point to a node that has been deleted, but
+ rather rely on removeNode in CompositeEditCommand to update m_endPosition correctly.
+
+ Test: editing/selection/blockquote-crash.html
+
+ * editing/BreakBlockquoteCommand.cpp:
+ (WebCore::BreakBlockquoteCommand::doApply): Added check for invalid position
+ to avoid dereferencing a null node pointer.
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::mergeParagraphs): Don't reset m_endPosition
+ using the value in m_downStreamEnd when it is necessary to prune the start block.
+
2009-09-29 Alexey Proskuryakov <ap at apple.com>
Reviewed by Brady Eidson.
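Review bot: The member names in this entry do not match the code it describes: the text says `m_downStreamEnd` and `m_endPosition`, while the DeleteSelectionCommand.cpp hunk in this same patch uses `m_downstreamEnd` and `m_endingPosition`. Using the real identifiers keeps the entry findable by grep when someone later traces this crash. The sentence "it may be point to a node" also has a stray word.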
diff --git a/WebCore/editing/BreakBlockquoteCommand.cpp b/WebCore/editing/BreakBlockquoteCommand.cpp
index 1ca2d87..2da6047 100644
--- a/WebCore/editing/BreakBlockquoteCommand.cpp
+++ b/WebCore/editing/BreakBlockquoteCommand.cpp
@@ -51,7 +51,16 @@ void BreakBlockquoteCommand::doApply()
if (endingSelection().isRange())
deleteSelection(false, false);
+ // This is a scenario that should never happen, but we want to
+ // make sure we don't dereference a null pointer below.
+
+ ASSERT(!endingSelection().isNone());
+
+ if (endingSelection().isNone())
+ return;
+
VisiblePosition visiblePos = endingSelection().visibleStart();
+
// pos is a position equivalent to the caret. We use downstream() so that pos will
// be in the first node that we need to move (there are a few exceptions to this, see below).
Position pos = endingSelection().start().downstream();
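Review bot: The early `return` on `endingSelection().isNone()` runs after `deleteSelection(false, false)` has already modified the document, so in a release build the command exits silently with the selection deleted and the blockquote not broken. If that partial result is acceptable, the comment should say so; "should never happen" sits oddly beside a ChangeLog entry that adds this check to avoid a null dereference. Pairing `ASSERT(!endingSelection().isNone())` with a runtime test of the same condition also means debug and release builds behave differently on this path, which is worth stating in the comment. Minor: the blank line between the comment and the `ASSERT`, and the extra blank line added after `visiblePos`, can go.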
diff --git a/WebCore/editing/DeleteSelectionCommand.cpp b/WebCore/editing/DeleteSelectionCommand.cpp
index d94dcd2..fbb5aea 100644
--- a/WebCore/editing/DeleteSelectionCommand.cpp
+++ b/WebCore/editing/DeleteSelectionCommand.cpp
@@ -537,8 +537,6 @@ void DeleteSelectionCommand::mergeParagraphs()
{
if (!m_mergeBlocksAfterDelete) {
if (m_pruneStartBlockIfNecessary) {
- // Make sure that the ending position isn't inside the block we're about to prune.
- m_endingPosition = m_downstreamEnd;
// We aren't going to merge into the start block, so remove it if it's empty.
prune(m_startBlock);
// Removing the start block during a deletion is usually an indication that we need
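Review bot: Dropping `m_endingPosition = m_downstreamEnd;` also drops the only comment stating the invariant, that the ending position must not be inside the block passed to `prune(m_startBlock)`. The invariant still has to hold; per the commit message it now depends on removeNode in CompositeEditCommand updating the position, which nothing in this function shows. Please leave a one-line comment here saying that, and consider an assertion after `prune(m_startBlock)` that `m_endingPosition` still refers to a node in the document, so a regression is caught here and not later in the caller.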
--
WebKit Debian packaging