[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
enrica at apple.com
Wed Dec 22 14:08:08 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit c5b8c17d3f8e352ff80b64f4c72a0f8a3f7c9520
Author: enrica at apple.com <enrica at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Oct 4 23:30:23 2010 +0000
Crash at WebCore::nextCandidate + 27
https://bugs.webkit.org/show_bug.cgi?id=47118
<rdar://problem/7282934>
Reviewed by Darin Adler.
WebCore:
When we canonicalize a Position to create a VisiblePosition, the position
is passed by reference. In canonicalPosition we call updateLayoutIgnorePendingStylesheets
that can produce a lot of side effects, including changing the selection.
This becomes a serious problem when the position passed as reference is one of
the selection endpoints.
Test: editing/selection/focus-crash.html
* editing/VisiblePosition.cpp:
(WebCore::VisiblePosition::canonicalPosition):
LayoutTests:
* editing/resources/iframebody.html: Added.
* editing/selection/focus-crash-expected.txt: Added.
* editing/selection/focus-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69051 268f45cc-cd09-0410-ab3c-d52691b4dbfc
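To make the hazard in the commit message concrete, here is an added model (not WebKit code; all names other than Position, canonicalPosition and updateLayout are hypothetical): a caller passes a selection endpoint by const reference, layout has a side effect that moves the selection, and the function reads its argument only after that side effect. The buggy shape observes the mutated endpoint; the copy-first shape does not.

```cpp
// Added example, not WebKit code: a minimal model of the const-reference
// aliasing fixed in VisiblePosition::canonicalPosition. Names hypothetical.
#include <string>

struct Position {
    std::string node;   // stands in for the referenced DOM node
    int offset;
};

// The document's selection owns two Position objects; callers pass
// references to these endpoints into canonicalization.
struct Selection {
    Position start;
    Position end;
};

static Selection g_selection { {"p", 0}, {"p", 3} };

// Stand-in for updateLayoutIgnorePendingStylesheets(): layout can run
// focus/blur handlers that move the selection, rewriting the very
// Position object the caller handed us a reference to.
static void updateLayout()
{
    g_selection.start = {"body", 0};
    g_selection.end = {"body", 0};
}

// Buggy shape: reads through the reference after layout ran.
Position canonicalPositionBuggy(const Position& position)
{
    updateLayout();
    return position;          // observes the mutated endpoint
}

// Fixed shape (the patch's approach): copy first, so later side effects
// cannot reach the value this function works on.
Position canonicalPositionFixed(const Position& passedPosition)
{
    Position position = passedPosition;
    updateLayout();
    return position;          // still the caller's original value
}

// Each run starts from a fresh selection so the two paths are comparable.
static void resetSelection() { g_selection = { {"p", 0}, {"p", 3} }; }

// Returns true when the function preserved the endpoint it was asked about.
bool preservesInput(Position (*canonicalize)(const Position&))
{
    resetSelection();
    Position result = canonicalize(g_selection.end);
    return result.node == "p" && result.offset == 3;
}
```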
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 98b6420..2d2dd66 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-10-04 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash at WebCore::nextCandidate + 27
+ https://bugs.webkit.org/show_bug.cgi?id=47118
+ <rdar://problem/7282934>
+
+ * editing/resources/iframebody.html: Added.
+ * editing/selection/focus-crash-expected.txt: Added.
+ * editing/selection/focus-crash.html: Added.
+
2010-10-04 Alexey Proskuryakov <ap at apple.com>
Reviewed by Adam Barth.
diff --git a/LayoutTests/editing/resources/iframebody.html b/LayoutTests/editing/resources/iframebody.html
new file mode 100644
index 0000000..3b15b02
--- /dev/null
+++ b/LayoutTests/editing/resources/iframebody.html
@@ -0,0 +1,6 @@
+<html>
+<head>
+</head>
+<body id='frameedit' contenteditable style="border: solid red 1px">
+</body>
+</html>
diff --git a/LayoutTests/editing/selection/focus-crash-expected.txt b/LayoutTests/editing/selection/focus-crash-expected.txt
new file mode 100644
index 0000000..bd626aa
--- /dev/null
+++ b/LayoutTests/editing/selection/focus-crash-expected.txt
@@ -0,0 +1,2 @@
+To run this test manually, click the "Crash me" button.
+SUCCEEDED
diff --git a/LayoutTests/editing/selection/focus-crash.html b/LayoutTests/editing/selection/focus-crash.html
new file mode 100644
index 0000000..b0cb936
--- /dev/null
+++ b/LayoutTests/editing/selection/focus-crash.html
@@ -0,0 +1,44 @@
+<html><head>
+<title>Focus crash</title>
+</head>
+<body onload="load()">
+To run this test manually, click the "Crash me" button.
+<div id='container'>
+ <iframe id='testframe' style="width: 100%; height:200px;" src="../resources/iframebody.html"></iframe>
+</div>
+<input id='testbutton' type="button" value="Crash me" onclick="crash()">
+<ul id="console"></ul>
+<script>
+
+function load()
+{
+ document.getElementById('testframe').contentWindow.document.body.focus();
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ if (eventSender) {
+ var button = document.getElementById('testbutton');
+ eventSender.mouseMoveTo(button.offsetLeft + 10, button.offsetTop + 5)
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ }
+}
+
+function crash()
+{
+ var focuselem = document.getElementById('testframe').contentWindow;
+ var elem = document.getElementById('container');
+ elem.style.display = 'none';
+ focuselem.focus();
+ log("SUCCEEDED");
+}
+
+function log(str) {
+ var li = document.createElement("li");
+ li.appendChild(document.createTextNode(str));
+ var console = document.getElementById("console");
+ console.appendChild(li);
+}
+</script>
+</body>
+</html>
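Review bot: `if (eventSender) {` in load() raises an uncaught ReferenceError when the page is opened in a plain browser, because eventSender exists only under the test harness; the `window.layoutTestController` check just above it uses the safe form, so write `if (window.eventSender)` here as well so the manual "Crash me" path described in the page text runs cleanly. The `eventSender.mouseMoveTo(button.offsetLeft + 10, button.offsetTop + 5)` line is also missing its trailing semicolon, and log() declares a local named `console`, which shadows the global; renaming it avoids confusion when debugging the test.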
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ba51038..2350f36 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-10-04 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash at WebCore::nextCandidate + 27
+ https://bugs.webkit.org/show_bug.cgi?id=47118
+ <rdar://problem/7282934>
+
+ When we canonicalize a Position to create a VisiblePosition, the position
+ is passed by reference. In canonicalPosition we call updateLayoutIgnorePendingStylesheets
+ that can produce a lot of side effects, including changing the selection.
+ This becomes a serious problem whne the position passed as reference is one of
+ the selection endpoints.
+
+ Test: editing/selection/focus-crash.html
+
+ * editing/VisiblePosition.cpp:
+ (WebCore::VisiblePosition::canonicalPosition):
+
2010-10-04 Alexey Proskuryakov <ap at apple.com>
Reviewed by Adam Barth.
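Review bot: typo in the ChangeLog description, line `+ This becomes a serious problem whne the position passed as reference is one of`: "whne" should read "when" (the same typo appears in the commit message).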
diff --git a/WebCore/editing/VisiblePosition.cpp b/WebCore/editing/VisiblePosition.cpp
index a1f9918..1e68538 100644
--- a/WebCore/editing/VisiblePosition.cpp
+++ b/WebCore/editing/VisiblePosition.cpp
@@ -439,8 +439,13 @@ static Position canonicalizeCandidate(const Position& candidate)
return candidate;
}
-Position VisiblePosition::canonicalPosition(const Position& position)
+Position VisiblePosition::canonicalPosition(const Position& passedPosition)
{
+ // The updateLayout call below can do so much that even the position passed
+ // in to us might get changed as a side effect. Specifically, there are code
+ // paths that pass selection endpoints, and updateLayout can change the selection.
+ Position position = passedPosition;
+
// FIXME (9535): Canonicalizing to the leftmost candidate means that if we're at a line wrap, we will
// ask renderers to paint downstream carets for other renderers.
// To fix this, we need to either a) add code to all paintCarets to pass the responsibility off to
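Review bot: the copy `Position position = passedPosition;` fixes the aliasing only as long as it stays ahead of the updateLayoutIgnorePendingStylesheets call the comment refers to, which lies below the visible context; adding "copy before any layout call" to the comment would keep a future reorder of this function from reintroducing the crash. The hunk header also shows `static Position canonicalizeCandidate(const Position& candidate)` taking its argument by reference; any helper on this path that can trigger layout before reading its parameter has the same exposure and is worth checking in the same change.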