[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

rniwa at webkit.org rniwa at webkit.org
Wed Dec 22 17:51:32 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit cf00be4414599e9c86963e2e667e77c8f354fb8b
Author: rniwa at webkit.org <rniwa at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 1 19:28:42 2010 +0000

    2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
    
            Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
    
            The crash was caused by moveParagraphWithClones' not copying the entire paragraph
            when called by doApplyForSingleParagraph, which was induced by a bug in
            cloneParagraphUnderNewElement which ended the cloning process early when the start node
            and the end node didn't share the same parent node. Fixed the bug in cloneParagraphUnderNewElement
            by calling traverseNextSibling(outerNode) instead of nextSibling().
    
            Also added an early exit to InsertListCommand::doApply when lastSelectionRange is null.
    
            Tests: editing/execCommand/switch-multiple-list-items-crash.html
                   editing/execCommand/switch-multiple-list-items.html
    
            * editing/CompositeEditCommand.cpp:
            (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
            * editing/InsertListCommand.cpp:
            (WebCore::InsertListCommand::doApply):
    2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
    
            Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
    
            Added tests to ensure WebKit can switch the type of multiple list items without a crash.
    
            * editing/execCommand/switch-multiple-list-items-crash-expected.txt: Added.
            * editing/execCommand/switch-multiple-list-items-crash.html: Added.
            * editing/execCommand/switch-multiple-list-items-expected.txt: Added.
            * editing/execCommand/switch-multiple-list-items.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c9f3609..d0ae715 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
+
+        Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
+
+        Added tests to ensure WebKit can switch the type of multiple list items without a crash.
+
+        * editing/execCommand/switch-multiple-list-items-crash-expected.txt: Added.
+        * editing/execCommand/switch-multiple-list-items-crash.html: Added.
+        * editing/execCommand/switch-multiple-list-items-expected.txt: Added.
+        * editing/execCommand/switch-multiple-list-items.html: Added.
+
 2010-12-01  Brian Weinstein  <bweinstein at apple.com>
 
         Skip another HTMLProgressElement test on Windows, because it's not turned on for Windows yet. Adding
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt
new file mode 100644
index 0000000..22741bb
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash-expected.txt
@@ -0,0 +1,2 @@
+This test ensures WebKit does not crash when switching the type of a list with multiple list items.
+PASS
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html
new file mode 100644
index 0000000..5dab1c0
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-crash.html
@@ -0,0 +1,19 @@
+<html><head><script>
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function go() {
+    document.execCommand("selectall");
+    document.designMode="on";
+    document.execCommand("InsertLineBreak");
+    document.execCommand("insertimage");
+    document.execCommand("InsertOrderedList");
+    document.execCommand("inserthtml", false, "z");
+    document.execCommand("InsertHorizontalRule");
+    document.execCommand("selectall");
+    document.execCommand("createlink", false, "z");
+    document.execCommand("insertunorderedlist");
+    document.body.innerHTML = 'This test ensures WebKit does not crash when switching the type of a list with multiple list items.<br>PASS';
+}
+</script></head><body onload="go();"></body></html>
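Review bot: The command sequence in go() carries no comment saying which calls matter, so a later maintainer cannot tell which steps are needed to reach the list-type switch and which are leftovers from test reduction. Judging by the test description, the relevant pair appears to be `InsertOrderedList` followed by `insertunorderedlist` after the second `selectall`. A short comment above the calls would record that, for example `// Reduced repro: build an ordered list, select all, then switch it to an unordered list.` The PASS text is written unconditionally, which is normal for a crash test but worth stating in the same comment.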
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt b/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt
new file mode 100644
index 0000000..50a6990
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items-expected.txt
@@ -0,0 +1,13 @@
+This tests switching the list type of multiple list items at once. WebKit should not crash.
+
+One, Two, and Three should all be in a single ol, each followed by a single br.:
+| <ol>
+|   <li>
+|     "<#selection-anchor>One"
+|     <br>
+|   <li>
+|     "Two"
+|     <br>
+|   <li>
+|     "Three<#selection-focus>"
+|     <br>
diff --git a/LayoutTests/editing/execCommand/switch-multiple-list-items.html b/LayoutTests/editing/execCommand/switch-multiple-list-items.html
new file mode 100644
index 0000000..c97d76e
--- /dev/null
+++ b/LayoutTests/editing/execCommand/switch-multiple-list-items.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/dump-as-markup.js"></script>
+<div contenteditable="true"><ul><li>One<br></li><li>Two<br></li><li>Three<br></li></ul></div>
+<script>
+
+Markup.description('This tests switching the list type of multiple list items at once. WebKit should not crash.');
+
+var div = document.getElementsByTagName('div')[0];
+window.getSelection().selectAllChildren(div);
+document.execCommand('InsertOrderedList', false, null);
+
+Markup.dump(div, 'One, Two, and Three should all be in a single ol, each followed by a single br.');
+
+</script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 92bfbd6..6117fec 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2010-12-01  Ryosuke Niwa  <rniwa at webkit.org>
+
+        Reviewed by Darin Adler, Tony Chang, and unofficially by Enrica Casucci.
+
+        The crash was caused by moveParagraphWithClones' not copying the entire paragraph
+        when called by doApplyForSingleParagraph, which was induced by a bug in
+        cloneParagraphUnderNewElement which ended the cloning process early when the start node
+        and the end node didn't share the same parent node. Fixed the bug in cloneParagraphUnderNewElement
+        by calling traverseNextSibling(outerNode) instead of nextSibling().
+
+        Also added an early exit to InsertListCommand::doApply when lastSelectionRange is null.
+
+        Tests: editing/execCommand/switch-multiple-list-items-crash.html
+               editing/execCommand/switch-multiple-list-items.html
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply):
+
 2010-12-01  Grace Kloba  <klobag at chromium.org>
 
         Reviewed by Kenneth Russell.
diff --git a/WebCore/editing/CompositeEditCommand.cpp b/WebCore/editing/CompositeEditCommand.cpp
index 06cfd2b..602ca0f 100644
--- a/WebCore/editing/CompositeEditCommand.cpp
+++ b/WebCore/editing/CompositeEditCommand.cpp
@@ -776,8 +776,8 @@ void CompositeEditCommand::cloneParagraphUnderNewElement(Position& start, Positi
             outerNode = outerNode->parentNode();
             topNode = topNode->parentNode();
         }
-            
-        for (Node* n = start.node()->traverseNextSibling(outerNode); n; n = n->nextSibling()) {
+
+        for (Node* n = start.node()->traverseNextSibling(outerNode); n; n = n->traverseNextSibling(outerNode)) {
             if (n->parentNode() != start.node()->parentNode())
                 lastNode = topNode->lastChild();
 
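Review bot: The guard on the first visible body line treats every node whose parent differs from start's parent the same way, setting `lastNode = topNode->lastChild()`, but the new increment `n->traverseNextSibling(outerNode)` can climb several ancestor levels instead of only walking siblings. If the rest of the loop body, which lies outside this hunk, inserts each clone after lastNode, a node reached at an intermediate depth would appear to be attached directly under topNode and the cloned structure would be flattened; this is inferred and should be checked against the full function. `topNode->lastChild()` is also used with no null check visible here. The loop would benefit from a comment recording why the traversal changed, e.g. `// end may not share start's parent, so nextSibling() would stop cloning early; walk up to outerNode instead.`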
diff --git a/WebCore/editing/InsertListCommand.cpp b/WebCore/editing/InsertListCommand.cpp
index f90d5d3..bb3cd93 100644
--- a/WebCore/editing/InsertListCommand.cpp
+++ b/WebCore/editing/InsertListCommand.cpp
@@ -156,6 +156,11 @@ void InsertListCommand::doApply()
                 doApplyForSingleParagraph(forceCreateList, listTag, currentSelection.get());
                 if (endOfSelection.isNull() || endOfSelection.isOrphan() || startOfLastParagraph.isNull() || startOfLastParagraph.isOrphan()) {
                     RefPtr<Range> lastSelectionRange = TextIterator::rangeFromLocationAndLength(document()->documentElement(), indexForEndOfSelection, 0, true);
+                    // If lastSelectionRange is null, then some contents have been deleted from the document.
+                    // This should never happen and if it did, exit early immediately because we've lost the loop invariant.
+                    ASSERT(lastSelectionRange);
+                    if (!lastSelectionRange)
+                        return;
                     endOfSelection = lastSelectionRange->startPosition();
                     startOfLastParagraph = startOfParagraph(endOfSelection);
                 }
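Review bot: The added `return` after the null check exits doApply partway through the per-paragraph work, after doApplyForSingleParagraph has already modified the document, and nothing in the hunk updates the selection before bailing out. In release builds `ASSERT(lastSelectionRange)` compiles away, so this path silently leaves a partially applied command; whether the ending selection is set elsewhere cannot be seen, because doApply starts and ends outside the hunk. The comment should say what state is left behind, e.g. `// Paragraphs handled so far stay converted; the selection is not updated on this path.`, or the selection should be set before returning if callers rely on it.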

-- 
WebKit Debian packaging


