rniwa at webkit.org
Wed Dec 22 15:27:33 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit bc908feb85b26e53c53428a7c13add25d09a041a
Author: rniwa at webkit.org <rniwa at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Nov 4 00:14:01 2010 +0000
2010-11-01 Ryosuke Niwa <rniwa at webkit.org>
Reviewed by Darin Adler.
Crash in ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle
https://bugs.webkit.org/show_bug.cgi?id=48581
The crash was caused by RemoveNodePreservingChildrenCommand calling removeNode
on m_node without first checking that m_node still has a parent and is still in the document.
Fixed the crash by adding an early exit in CompositeEditCommand::removeNode and
deploying RefPtr in several places of ApplyStyleCommand.cpp.
Test: editing/style/iframe-onload-crash.html
* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange):
(WebCore::ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle):
(WebCore::ApplyStyleCommand::removeInlineStyleFromElement):
* editing/ApplyStyleCommand.h:
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::removeNode):
2010-10-29 Ryosuke Niwa <rniwa at webkit.org>
Reviewed by Darin Adler.
Crash in ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle
https://bugs.webkit.org/show_bug.cgi?id=48581
Added a test to ensure removeStyleFromRunBeforeApplyingStyle doesn't crash.
* editing/style/iframe-onload-crash-expected.txt: Added.
* editing/style/iframe-onload-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71288 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9db967c..40de942 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-10-29 Ryosuke Niwa <rniwa at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Crash in ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle
+ https://bugs.webkit.org/show_bug.cgi?id=48581
+
+ Added a test to ensure removeStyleFromRunBeforeApplyingStyle doesn't crash.
+
+ * editing/style/iframe-onload-crash-expected.txt: Added.
+ * editing/style/iframe-onload-crash.html: Added.
+
2010-11-02 Zhenyao Mo <zmo at google.com>
Reviewed by Kenneth Russell.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/editing/style/iframe-onload-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/editing/style/iframe-onload-crash-expected.txt
diff --git a/LayoutTests/editing/style/iframe-onload-crash.html b/LayoutTests/editing/style/iframe-onload-crash.html
new file mode 100644
index 0000000..70331ca
--- /dev/null
+++ b/LayoutTests/editing/style/iframe-onload-crash.html
@@ -0,0 +1,10 @@
+<meta><input><h6><nobr></nobr><datagrid><ins><button><em><iframe onload="
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.designMode='on';
+document.execCommand('selectall');
+document.execCommand('italic');
+document.execCommand('RemoveFormat');
+document.execCommand('inserthtml', false);
+document.body.innerHTML='PASS';">x
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c7442cc..2d9df14 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2010-11-01 Ryosuke Niwa <rniwa at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Crash in ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle
+ https://bugs.webkit.org/show_bug.cgi?id=48581
+
+ The crash was caused by RemoveNodePreservingChildrenCommand's calling removeNode
+ on m_node without checking that m_node has a parent and it's still in the document.
+ Fixed the crash by adding an early exit in CompositeEditCommand::removeNode and
+ deploying RefPtr in several places of ApplyStyleCommand.cpp.
+
+ Test: editing/style/iframe-onload-crash.html
+
+ * editing/ApplyStyleCommand.cpp:
+ (WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange):
+ (WebCore::ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle):
+ (WebCore::ApplyStyleCommand::removeInlineStyleFromElement):
+ * editing/ApplyStyleCommand.h:
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::removeNode):
+
2010-11-03 Jia Pu <jpu at apple.com>
Reviewed by Darin Adler.
diff --git a/WebCore/editing/ApplyStyleCommand.cpp b/WebCore/editing/ApplyStyleCommand.cpp
index 8862da7..7a2c6ea 100644
--- a/WebCore/editing/ApplyStyleCommand.cpp
+++ b/WebCore/editing/ApplyStyleCommand.cpp
@@ -1150,9 +1150,9 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(CSSMutableStyleDeclaration*
if (m_removeOnly)
return;
- for (Node* next; node && node != pastEndNode; node = next) {
+ for (RefPtr<Node> next; node && node != pastEndNode; node = next.get()) {
next = node->traverseNextNode();
-
+
if (!node->renderer() || !node->isContentEditable())
continue;
@@ -1183,7 +1183,8 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(CSSMutableStyleDeclaration*
}
}
- Node* runEnd = node;
+ RefPtr<Node> runStart = node;
+ RefPtr<Node> runEnd = node;
Node* sibling = node->nextSibling();
while (sibling && sibling != pastEndNode && !sibling->contains(pastEndNode)
&& (!isBlock(sibling) || sibling->hasTagName(brTag))
@@ -1193,9 +1194,9 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(CSSMutableStyleDeclaration*
}
next = runEnd->traverseNextSibling();
- if (!removeStyleFromRunBeforeApplyingStyle(style, node, runEnd))
+ if (!removeStyleFromRunBeforeApplyingStyle(style, runStart, runEnd))
continue;
- addInlineStyleIfNeeded(style, node, runEnd, AddStyledElement);
+ addInlineStyleIfNeeded(style, runStart.get(), runEnd.get(), AddStyledElement);
}
}
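Review bot: `next` is taken from `runEnd->traverseNextSibling()` before `removeStyleFromRunBeforeApplyingStyle` runs, and that callee can reassign `runStart`/`runEnd` when a node leaves the document (the `if (!node->inDocument())` path in the hunk further down), so the saved `next` may be stale by the time the loop resumes. The RefPtr now keeps it alive, so this is no longer a use-after-free, but if that node was detached the outer loop would resume on a detached node, `traverseNextNode` would run off its subtree and the rest of the range would be silently skipped — I am inferring this from the visible lines, so please confirm with a test. Recomputing the continuation after the call would close the gap: `bool needToApply = removeStyleFromRunBeforeApplyingStyle(style, runStart, runEnd); next = runEnd->traverseNextSibling(); if (!needToApply) continue;`. The enclosing loop and the function `applyInlineStyleToNodeRange` begin outside this hunk.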
@@ -1205,12 +1206,12 @@ bool ApplyStyleCommand::isStyledInlineElementToRemove(Element* element) const
|| (m_isInlineElementToRemoveFunction && m_isInlineElementToRemoveFunction(element));
}
-bool ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDeclaration* style, Node*& runStart, Node*& runEnd)
+bool ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDeclaration* style, RefPtr<Node>& runStart, RefPtr<Node>& runEnd)
{
ASSERT(runStart && runEnd && runStart->parentNode() == runEnd->parentNode());
- Node* pastEndNode = runEnd->traverseNextSibling();
+ RefPtr<Node> pastEndNode = runEnd->traverseNextSibling();
bool needToApplyStyle = false;
- for (Node* node = runStart; node && node != pastEndNode; node = node->traverseNextNode()) {
+ for (Node* node = runStart.get(); node && node != pastEndNode.get(); node = node->traverseNextNode()) {
if (node->childNodeCount())
continue;
// We don't consider m_isInlineElementToRemoveFunction here because we never apply style when m_isInlineElementToRemoveFunction is specified
@@ -1223,16 +1224,16 @@ bool ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDec
if (!needToApplyStyle)
return false;
- Node* next;
- for (Node* node = runStart; node && node != pastEndNode; node = next) {
+ RefPtr<Node> next = runStart;
+ for (RefPtr<Node> node = next; node && node->inDocument() && node != pastEndNode; node = next) {
next = node->traverseNextNode();
if (!node->isHTMLElement())
continue;
-
- Node* previousSibling = node->previousSibling();
- Node* nextSibling = node->nextSibling();
- ContainerNode* parent = node->parentNode();
- removeInlineStyleFromElement(style, static_cast<HTMLElement*>(node), RemoveAlways);
+
+ RefPtr<Node> previousSibling = node->previousSibling();
+ RefPtr<Node> nextSibling = node->nextSibling();
+ RefPtr<ContainerNode> parent = node->parentNode();
+ removeInlineStyleFromElement(style, static_cast<HTMLElement*>(node.get()), RemoveAlways);
if (!node->inDocument()) {
// FIXME: We might need to update the start and the end of current selection here but need a test.
if (runStart == node)
@@ -1245,7 +1246,7 @@ bool ApplyStyleCommand::removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDec
return true;
}
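Review bot: The new `node->inDocument()` guard in the loop header protects `node`, but `pastEndNode` — now held by a RefPtr, so kept alive — can itself be detached by `removeInlineStyleFromElement` (it is a sibling of the run, and this commit exists because those calls mutate the tree); once it is out of the document `node != pastEndNode` can never become true and the walk continues past the run into unrelated nodes until it reaches a detached node or the end of the document. A cheap check would be `for (RefPtr<Node> node = next; node && node->inDocument() && (!pastEndNode || pastEndNode->inDocument()) && node != pastEndNode; node = next)`, with the null test because `traverseNextSibling` returns 0 at the end of the tree. This is inferred from the visible lines rather than a reproduced failure, so it deserves a layout test like the iframe-onload one. The loop body straddles the hunk boundary at the `if (!node->inDocument())` block, so the runStart/runEnd fix-up is only partly visible here.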
-bool ApplyStyleCommand::removeInlineStyleFromElement(CSSMutableStyleDeclaration* style, HTMLElement* element, InlineStyleRemovalMode mode, CSSMutableStyleDeclaration* extractedStyle)
+bool ApplyStyleCommand::removeInlineStyleFromElement(CSSMutableStyleDeclaration* style, PassRefPtr<HTMLElement> element, InlineStyleRemovalMode mode, CSSMutableStyleDeclaration* extractedStyle)
{
ASSERT(style);
ASSERT(element);
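Review bot: The new `PassRefPtr<HTMLElement> element` parameter is used directly throughout the function (`element.get()`, `element->inDocument()`), whereas, as I recall, WebKit's convention is to name such a parameter `prpElement` and transfer it to a local RefPtr at the top — `RefPtr<HTMLElement> element = prpElement;` — so the ownership transfer happens once and the body reads like the rest of the file. That also documents why the signature changed: the element must survive `removeImplicitlyStyledElement` and `removeCSSStyle` removing it from the tree, which the current hunk leaves to the reader to work out. The function body continues beyond this hunk.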
@@ -1253,7 +1254,7 @@ bool ApplyStyleCommand::removeInlineStyleFromElement(CSSMutableStyleDeclaration*
if (!element->parentNode() || !element->parentNode()->isContentEditable())
return false;
- if (isStyledInlineElementToRemove(element)) {
+ if (isStyledInlineElementToRemove(element.get())) {
if (mode == RemoveNone)
return true;
ASSERT(extractedStyle);
@@ -1264,7 +1265,7 @@ bool ApplyStyleCommand::removeInlineStyleFromElement(CSSMutableStyleDeclaration*
}
bool removed = false;
- if (removeImplicitlyStyledElement(style, element, mode, extractedStyle))
+ if (removeImplicitlyStyledElement(style, element.get(), mode, extractedStyle))
removed = true;
if (!element->inDocument())
@@ -1272,7 +1273,7 @@ bool ApplyStyleCommand::removeInlineStyleFromElement(CSSMutableStyleDeclaration*
// If the node was converted to a span, the span may still contain relevant
// styles which must be removed (e.g. <b style='font-weight: bold'>)
- if (removeCSSStyle(style, element, mode, extractedStyle))
+ if (removeCSSStyle(style, element.get(), mode, extractedStyle))
removed = true;
return removed;
diff --git a/WebCore/editing/ApplyStyleCommand.h b/WebCore/editing/ApplyStyleCommand.h
index 16c5b68..1ebd9f6 100644
--- a/WebCore/editing/ApplyStyleCommand.h
+++ b/WebCore/editing/ApplyStyleCommand.h
@@ -79,8 +79,8 @@ private:
// style-removal helpers
bool isStyledInlineElementToRemove(Element*) const;
- bool removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDeclaration* style, Node*& runStart, Node*& runEnd);
- bool removeInlineStyleFromElement(CSSMutableStyleDeclaration*, HTMLElement*, InlineStyleRemovalMode = RemoveIfNeeded, CSSMutableStyleDeclaration* extractedStyle = 0);
+ bool removeStyleFromRunBeforeApplyingStyle(CSSMutableStyleDeclaration* style, RefPtr<Node>& runStart, RefPtr<Node>& runEnd);
+ bool removeInlineStyleFromElement(CSSMutableStyleDeclaration*, PassRefPtr<HTMLElement>, InlineStyleRemovalMode = RemoveIfNeeded, CSSMutableStyleDeclaration* extractedStyle = 0);
inline bool shouldRemoveInlineStyleFromElement(CSSMutableStyleDeclaration* style, HTMLElement* element) {return removeInlineStyleFromElement(style, element, RemoveNone);}
bool removeImplicitlyStyledElement(CSSMutableStyleDeclaration*, HTMLElement*, InlineStyleRemovalMode, CSSMutableStyleDeclaration* extractedStyle);
void replaceWithSpanOrRemoveIfWithoutAttributes(HTMLElement*&);
diff --git a/WebCore/editing/CompositeEditCommand.cpp b/WebCore/editing/CompositeEditCommand.cpp
index 6f47fb4..f55b86a 100644
--- a/WebCore/editing/CompositeEditCommand.cpp
+++ b/WebCore/editing/CompositeEditCommand.cpp
@@ -206,6 +206,8 @@ void CompositeEditCommand::removeChildrenInRange(PassRefPtr<Node> node, unsigned
void CompositeEditCommand::removeNode(PassRefPtr<Node> node)
{
+ if (!node || !node->parentNode())
+ return;
applyCommandToComposite(RemoveNodeCommand::create(node));
}
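Review bot: The early return checks only `node->parentNode()`, while the ChangeLog describes the precondition as the node "has a parent and it's still in the document"; a node inside a subtree that has already been detached still has a parent and passes this guard, so either the check should be `!node->inDocument()` (if that is the intended invariant) or the ChangeLog wording should match the code. A silent return also hides caller bugs that previously surfaced as a crash, so it should at least say why it is there, e.g. `// Script run by an earlier command (the iframe onload case in bug 48581) may already have detached this node; there is nothing left to remove, so do not hand RemoveNodeCommand a parentless node.`. Whether RemoveNodeCommand itself tolerates a detached node is not visible in this diff, so the comment should be adjusted if it does.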