[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

rniwa at webkit.org rniwa at webkit.org
Wed Dec 22 17:51:42 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 64fdd3feb5133e8e83fa5c8e1b844a398acff5e3
Author: rniwa at webkit.org <rniwa at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 1 19:50:55 2010 +0000

    2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
    
            Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
    
            chrome.dll!WebCore::RangeBoundaryPoint::toPosition ReadAV at NULL (cf0d0f28bc56f2591cc74f71b46036ea)
            https://bugs.webkit.org/show_bug.cgi?id=47808
    
            The crash was caused by moveParagraphWithClones' not copying the entire paragraph
            when called by doApplyForSingleParagraph, which was induced by a bug in
            cloneParagraphUnderNewElement which ended the cloning process early when the start node
            and the end node didn't share the same parent node. Fixed the bug in cloneParagraphUnderNewElement
            by calling traverseNextSibling(outerNode) instead of nextSibling().
    
            Also added an early exit to InsertListCommand::doApply when lastSelectionRange is null.
    
            Tests: editing/execCommand/switch-multiple-list-items-crash.html
                   editing/execCommand/switch-multiple-list-items.html
    
            * editing/CompositeEditCommand.cpp:
            (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
            * editing/InsertListCommand.cpp:
            (WebCore::InsertListCommand::doApply):
    
    2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
    
            Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
    
            chrome.dll!WebCore::RangeBoundaryPoint::toPosition ReadAV at NULL (cf0d0f28bc56f2591cc74f71b46036ea)
            https://bugs.webkit.org/show_bug.cgi?id=47808
    
            Added tests to ensure WebKit can switch the type of multiple list items without a crash.
    
            * editing/execCommand/switch-multiple-list-items-crash-expected.txt: Added.
            * editing/execCommand/switch-multiple-list-items-crash.html: Added.
            * editing/execCommand/switch-multiple-list-items-expected.txt: Added.
            * editing/execCommand/switch-multiple-list-items.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73052 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7b4b6d8..896e82b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
+
+        Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
+
+        chrome.dll!WebCore::RangeBoundaryPoint::toPosition ReadAV at NULL (cf0d0f28bc56f2591cc74f71b46036ea)
+        https://bugs.webkit.org/show_bug.cgi?id=47808
+
+        Added tests to ensure WebKit can switch the type of multiple list items without a crash.
+
+        * editing/execCommand/switch-multiple-list-items-crash-expected.txt: Added.
+        * editing/execCommand/switch-multiple-list-items-crash.html: Added.
+        * editing/execCommand/switch-multiple-list-items-expected.txt: Added.
+        * editing/execCommand/switch-multiple-list-items.html: Added.
+
 2010-12-01  Anton Muhin  <antonm at chromium.org>
 
         Not reviewed, upstreaming test suppression.
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt
new file mode 100644
index 0000000..22741bb
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt
@@ -0,0 +1,2 @@
+This test ensures WebKit does not crash when switching the type of a list with multiple list items.
+PASS
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html
new file mode 100644
index 0000000..5dab1c0
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html
@@ -0,0 +1,19 @@
+<html><head><script>
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function go() {
+    document.execCommand("selectall");
+    document.designMode="on";
+    document.execCommand("InsertLineBreak");
+    document.execCommand("insertimage");
+    document.execCommand("InsertOrderedList");
+    document.execCommand("inserthtml", false, "z");
+    document.execCommand("InsertHorizontalRule");
+    document.execCommand("selectall");
+    document.execCommand("createlink", false, "z");
+    document.execCommand("insertunorderedlist");
+    document.body.innerHTML = 'This test ensures WebKit does not crash when switching the type of a list with multiple list items.<br>PASS';
+}
+</script></head><body onload="go();"></body></html>
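Review bot: the last statement of go() writes PASS into document.body.innerHTML unconditionally, so this test can only fail by crashing or timing out and says nothing about the resulting DOM. That is acceptable for a crash regression as long as switch-multiple-list-items.html stays alongside it to check the markup, but the command sequence reads like a reduced fuzzer case and has no comment. A one-line note naming the step that reaches the fixed path (the closing "insertunorderedlist" after the earlier "InsertOrderedList" and second "selectall") would help anyone who has to re-reduce or extend it later.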
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt b/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt
new file mode 100644
index 0000000..50a6990
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt
@@ -0,0 +1,13 @@
+This tests switching the list type of multiple list items at once. WebKit should not crash.
+
+One, Two, and Three should all be in a single ol, each followed by a single br.:
+| <ol>
+|   <li>
+|     "<#selection-anchor>One"
+|     <br>
+|   <li>
+|     "Two"
+|     <br>
+|   <li>
+|     "Three<#selection-focus>"
+|     <br>
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items.html b/LayoutTests/editing/execCommand/switch-multiple-list-items.html
new file mode 100644
index 0000000..c97d76e
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/dump-as-markup.js"></script>
+<div contenteditable="true"><ul><li>One<br></li><li>Two<br></li><li>Three<br></li></ul></div>
+<script>
+
+Markup.description('This tests switching the list type of multiple list items at once. WebKit should not crash.');
+
+var div = document.getElementsByTagName('div')[0];
+window.getSelection().selectAllChildren(div);
+document.execCommand('InsertOrderedList', false, null);
+
+Markup.dump(div, 'One, Two, and Three should all be in a single ol, each followed by a single br.');
+
+</script>
+</body>
+</html>
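Review bot: the test exercises only one direction and one shape, a flat three-item ul converted with execCommand('InsertOrderedList', false, null). The ChangeLog attributes the bug to start and end nodes that do not share a parent, so it would be worth adding the reverse ol to ul switch and a case where the selection starts and ends at different nesting depths (for example a list item containing a nested element), each dumped with Markup.dump so a partial clone shows up as a markup difference rather than only as a crash.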
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 5c61c26..38d4690 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
+
+        Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
+
+        chrome.dll!WebCore::RangeBoundaryPoint::toPosition ReadAV at NULL (cf0d0f28bc56f2591cc74f71b46036ea)
+        https://bugs.webkit.org/show_bug.cgi?id=47808
+
+        The crash was caused by moveParagraphWithClones' not copying the entire paragraph
+        when called by doApplyForSingleParagraph, which was induced by a bug in
+        cloneParagraphUnderNewElement which ended the cloning process early when the start node
+        and the end node didn't share the same parent node. Fixed the bug in cloneParagraphUnderNewElement
+        by calling traverseNextSibling(outerNode) instead of nextSibling().
+
+        Also added an early exit to InsertListCommand::doApply when lastSelectionRange is null.
+
+        Tests: editing/execCommand/switch-multiple-list-items-crash.html
+               editing/execCommand/switch-multiple-list-items.html
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply):
+
 2010-12-01  Kevin Ollivier  <kevino at theolliviers.com>
 
         [wx] Build fixes after recent trunk changes.
diff --git a/WebCore/editing/CompositeEditCommand.cpp b/WebCore/editing/CompositeEditCommand.cpp
index 06cfd2b..602ca0f 100644
--- a/WebCore/editing/CompositeEditCommand.cpp
+++ b/WebCore/editing/CompositeEditCommand.cpp
@@ -776,8 +776,8 @@ void CompositeEditCommand::cloneParagraphUnderNewElement(Position& start, Positi
             outerNode = outerNode->parentNode();
             topNode = topNode->parentNode();
         }
-            
-        for (Node* n = start.node()->traverseNextSibling(outerNode); n; n = n->nextSibling()) {
+
+        for (Node* n = start.node()->traverseNextSibling(outerNode); n; n = n->traverseNextSibling(outerNode)) {
             if (n->parentNode() != start.node()->parentNode())
                 lastNode = topNode->lastChild();
 
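Review bot: with the increment changed to n->traverseNextSibling(outerNode), n can now move up to a different ancestor level on any iteration, so the "if (n->parentNode() != start.node()->parentNode())" branch that resets lastNode to topNode->lastChild() will run repeatedly rather than as an occasional case. The hunk does not show where the loop stops at the end node; please confirm the exit condition in the body still holds now that traversal is bounded only by outerNode, so the clone does not run past the paragraph. A short comment on the for line explaining why nextSibling() was insufficient would prevent someone from simplifying it back. The whitespace-only change on the blank line above the loop is unrelated to the fix.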
diff --git a/WebCore/editing/InsertListCommand.cpp b/WebCore/editing/InsertListCommand.cpp
index f90d5d3..bb3cd93 100644
--- a/WebCore/editing/InsertListCommand.cpp
+++ b/WebCore/editing/InsertListCommand.cpp
@@ -156,6 +156,11 @@ void InsertListCommand::doApply()
                 doApplyForSingleParagraph(forceCreateList, listTag, currentSelection.get());
                 if (endOfSelection.isNull() || endOfSelection.isOrphan() || startOfLastParagraph.isNull() || startOfLastParagraph.isOrphan()) {
                     RefPtr<Range> lastSelectionRange = TextIterator::rangeFromLocationAndLength(document()->documentElement(), indexForEndOfSelection, 0, true);
+                    // If lastSelectionRange is null, then some contents have been deleted from the document.
+                    // This should never happen and if it did, exit early immediately because we've lost the loop invariant.
+                    ASSERT(lastSelectionRange);
+                    if (!lastSelectionRange)
+                        return;
                     endOfSelection = lastSelectionRange->startPosition();
                     startOfLastParagraph = startOfParagraph(endOfSelection);
                 }
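Review bot: the added "if (!lastSelectionRange) return;" exits doApply() after doApplyForSingleParagraph() has already modified the document on this iteration, so the command is left partially applied. The comment should say what state the document and selection are in on that path, or the code should restore them before returning. The comment also states the null case should never happen, while ASSERT(lastSelectionRange) will abort debug builds if any input still reaches it; if the crash test in this patch can hit this line, the ASSERT should be dropped in favour of the release-mode check. Keeping the null check before lastSelectionRange->startPosition() is the right call for the ReadAV at NULL in the bug title.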

-- 
WebKit Debian packaging


