[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

adele at apple.com adele at apple.com
Wed Dec 22 15:23:20 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit a13e6850fb040955c8cd71fc2edd70b51c6565e4
Author: adele at apple.com <adele at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Nov 2 17:59:04 2010 +0000

    WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=48814
    <rdar://problem/8546143> Attempting to redo typing in apple.com/startpage search field causes infinite recursion in TextControlInnerTextElement::defaultEventHandler
    
    Reviewed by Kent Tamura.
    
    Test: editing/undo/redo-after-detach.html
    
    * rendering/TextControlInnerElements.cpp: (WebCore::TextControlInnerTextElement::defaultEventHandler):
    A TextControlInnerTextElement will almost always have a shadowAncestorNode, the HTMLInputElement.  In this case,
    after the renderer was destroyed, this shadow node was kept alive by the EditCommand, even though it's not hooked up
    anymore to the shadow DOM.  EditCommands can sometimes operate on stale selections and are expected to fail silently.
    So here we prevent the infinite loop during event dispatch, and the rest of the redo operation will fail silently.
    
    LayoutTests: Test for https://bugs.webkit.org/show_bug.cgi?id=48814
    <rdar://problem/8546143> Attempting to redo typing in apple.com/startpage search field causes infinite recursion in TextControlInnerTextElement::defaultEventHandler
    
    Reviewed by Kent Tamura.
    
    * editing/undo/redo-after-detach-expected.txt: Added.
    * editing/undo/redo-after-detach.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71131 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3ba5fa3..83658cb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-02  Adele Peterson  <adele at apple.com>
+
+        Reviewed by Kent Tamura.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=48814
+        <rdar://problem/8546143> Attempting to redo typing in apple.com/startpage search field causes infinite recursion in TextControlInnerTextElement::defaultEventHandler
+
+        * editing/undo/redo-after-detach-expected.txt: Added.
+        * editing/undo/redo-after-detach.html: Added.
+
 2010-11-02  Adam Roben  <aroben at apple.com>
 
         Skip another test that fails in WebKit2
diff --git a/LayoutTests/editing/undo/redo-after-detach-expected.txt b/LayoutTests/editing/undo/redo-after-detach-expected.txt
new file mode 100644
index 0000000..65ee40d
--- /dev/null
+++ b/LayoutTests/editing/undo/redo-after-detach-expected.txt
@@ -0,0 +1,3 @@
+This tests that we don't crash when redoing an editing command after the search field has been detached and reattached.
+
+
diff --git a/LayoutTests/editing/undo/redo-after-detach.html b/LayoutTests/editing/undo/redo-after-detach.html
new file mode 100644
index 0000000..3773ef4
--- /dev/null
+++ b/LayoutTests/editing/undo/redo-after-detach.html
@@ -0,0 +1,23 @@
+<html>
+    <head>
+        <script>            
+            function test()
+            {
+                document.getElementById("tf").setAttribute("results", 0);
+                document.execCommand("Redo");
+            }
+        </script>
+    </head>
+    <body onload="test()">
+        This tests that we don't crash when redoing an editing command after the search field has been detached and reattached.<br>
+        <input type="search" id="tf"><br>
+        <script>
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+            
+            document.getElementById("tf").focus();
+            document.execCommand("InsertText", false, "test");
+            document.execCommand("Undo");
+        </script>
+    </body>
+</html>
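Review bot: In test(), the call `setAttribute("results", 0)` is what forces the search field to be detached and reattached, but nothing in the file says so; a one-line comment there would keep a later cleanup from removing the line that makes the test meaningful. Also, redo-after-detach-expected.txt contains only the description, so the test passes as long as nothing crashes, including the case where `document.execCommand("Redo")` is never reached. Writing a short marker line to the page after the Redo call returns would make the expected output confirm that the redo path was actually exercised.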
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c0ec4fe..be522a7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-02  Adele Peterson  <adele at apple.com>
+
+        Reviewed by Kent Tamura.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=48814
+        <rdar://problem/8546143> Attempting to redo typing in apple.com/startpage search field causes infinite recursion in TextControlInnerTextElement::defaultEventHandler
+
+        Test: editing/undo/redo-after-detach.html
+
+        * rendering/TextControlInnerElements.cpp: (WebCore::TextControlInnerTextElement::defaultEventHandler):
+        A TextControlInnerTextElement will almost always have a shadowAncestorNode, the HTMLInputElement.  In this case, 
+        after the renderer was destroyed, this shadow node was kept alive by the EditCommand, even though its not hooked up 
+        anymore to the shadow DOM.  EditCommands can sometimes operate on stale selections and are expected to fail silently.  
+        So here we prevent the infinite loop during event dispatch, and the rest of the redo operation will fail silently.
+
 2010-11-02  Chris Marrin  <cmarrin at apple.com>
 
         Reviewed by Adam Roben.
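Review bot: The explanatory paragraph under the TextControlInnerElements.cpp entry has trailing whitespace on its first three lines, and "even though its not hooked up" should read "it's". Both are worth cleaning up before landing, since the same text is reused as the commit message.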
diff --git a/WebCore/rendering/TextControlInnerElements.cpp b/WebCore/rendering/TextControlInnerElements.cpp
index d9a1a73..6495d04 100644
--- a/WebCore/rendering/TextControlInnerElements.cpp
+++ b/WebCore/rendering/TextControlInnerElements.cpp
@@ -147,7 +147,11 @@ void TextControlInnerTextElement::defaultEventHandler(Event* event)
     // Then we would add one to the text field's inner div, and we wouldn't need this subclass.
     // Or possibly we could just use a normal event listener.
     if (event->isBeforeTextInsertedEvent() || event->type() == eventNames().webkitEditableContentChangedEvent) {
-        if (Node* shadowAncestor = shadowAncestorNode())
+        Node* shadowAncestor = shadowAncestorNode();
+        // A TextControlInnerTextElement can be its own shadow ancestor if its been detached, but kept alive by an EditCommand.
+        // In this case, an undo/redo can cause events to be sent to the TextControlInnerTextElement.  
+        // To prevent an infinite loop, we must check for this case before sending the event up the chain.
+        if (shadowAncestor && shadowAncestor != this)
             shadowAncestor->defaultEventHandler(event);
     }
     if (event->defaultHandled())
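Review bot: The new `shadowAncestor != this` check in defaultEventHandler fixes the recursion at this one call site, but the added comment says the element "can be its own shadow ancestor" once detached, which means any other caller that forwards to shadowAncestorNode() without the same comparison is exposed to the same self-dispatch. It would be worth either confirming that this is the only place that forwards an event to the shadow ancestor, or noting in the comment why the condition is handled here rather than where the stale node is kept alive. Minor: the comment has "its been detached" for "it's been detached", and the second comment line ends with trailing spaces.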

-- 
WebKit Debian packaging


