WebCore:
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Mar 2009 19:31:22 +0000 (19:31 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Mar 2009 19:31:22 +0000 (19:31 +0000)
2009-03-10  Darin Adler  <darin@apple.com>

        Reviewed by Alexey Proskuryakov.

        Bug 24494: crash when deleting at end of document and merging paragraphs
        https://bugs.webkit.org/show_bug.cgi?id=24494
        rdar://problem/6571537

        Test: editing/deleting/merge-at-end-of-document.html

        * dom/Range.cpp:
        (WebCore::Range::compareBoundaryPoints): Split out assertion. It's better not to
        use && in assertions since we'd like to know which condition is failing.

        * editing/ApplyStyleCommand.cpp:
        (WebCore::ApplyStyleCommand::applyInlineStyleToRange): Added a null check before
        calling compareBoundaryPoints, since a 0 for the node is ambiguous and so the
        function doesn't know which value to return.

LayoutTests:

2009-03-10  Darin Adler  <darin@apple.com>

        Reviewed by Alexey Proskuryakov.

        Bug 24494: crash when deleting at end of document and merging paragraphs
        https://bugs.webkit.org/show_bug.cgi?id=24494
        rdar://problem/6571537

        * editing/deleting/merge-at-end-of-document-expected.txt: Added.
        * editing/deleting/merge-at-end-of-document.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@41562 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/deleting/merge-at-end-of-document-expected.txt [new file with mode: 0644]
LayoutTests/editing/deleting/merge-at-end-of-document.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/Range.cpp
WebCore/editing/ApplyStyleCommand.cpp

index 24a3575..1ddbb3b 100644 (file)
@@ -1,5 +1,16 @@
 2009-03-10  Darin Adler  <darin@apple.com>
 
+        Reviewed by Alexey Proskuryakov.
+
+        Bug 24494: crash when deleting at end of document and merging paragraphs
+        https://bugs.webkit.org/show_bug.cgi?id=24494
+        rdar://problem/6571537
+
+        * editing/deleting/merge-at-end-of-document-expected.txt: Added.
+        * editing/deleting/merge-at-end-of-document.html: Added.
+
+2009-03-10  Darin Adler  <darin@apple.com>
+
         Reviewed by Dan Bernstein.
 
         Bug 23564: REGRESSION (r39230-39286): crash loading page that changes <input> display type and then calls innerHTML
diff --git a/LayoutTests/editing/deleting/merge-at-end-of-document-expected.txt b/LayoutTests/editing/deleting/merge-at-end-of-document-expected.txt
new file mode 100644 (file)
index 0000000..3e12dca
--- /dev/null
@@ -0,0 +1,5 @@
+Test for deletion that involves paragraph merging at the very end of a document.
+
+PASS: Backspace deleted a newline and did not cause a crash.
+
+The test puts the cursor below this paragraph and performs a delete.
diff --git a/LayoutTests/editing/deleting/merge-at-end-of-document.html b/LayoutTests/editing/deleting/merge-at-end-of-document.html
new file mode 100644 (file)
index 0000000..40204c5
--- /dev/null
@@ -0,0 +1,27 @@
+<head>
+<script>
+
+// CAUTION: There must be no newline at the end of this test file.
+// An additional text node after the body would prevent the crash.
+
+function test()
+{
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+    document.getSelection().selectAllChildren(document.body);
+    document.getSelection().collapseToEnd();
+    document.execCommand("Delete");
+    var result;
+    if (document.body.innerText === "Test for deletion that involves paragraph merging at the very end of a document.\n\nTEST HAS NOT RUN YET\n\nThe test puts the cursor below this paragraph and performs a delete.")
+        result = "PASS: Backspace deleted a newline and did not cause a crash.";
+    else
+        result = "FAIL: The document's innerText is incorrect.";
+    document.getElementById("result").innerHTML = result;
+}
+
+</script>
+</head>
+<body contenteditable onload="test()">
+<p>Test for deletion that involves paragraph merging at the very end of a document.</p>
+<p id="result">TEST HAS NOT RUN YET</p>
+<pre>The test puts the cursor below this paragraph and performs a delete.</pre><br></body>
\ No newline at end of file
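Review bot: The regression coverage depends on the file ending exactly at `</body>` with no trailing newline, as the CAUTION comment at the top of the script states, so any editor or tool that appends a final newline would add the extra text node and the test would keep reporting PASS without reaching the crashing path. Consider having test() verify the precondition before calling selectAllChildren, for example by reporting FAIL when a node follows the body, so the requirement is enforced by the test rather than only documented in a comment.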
index 5df0b0a..e980b72 100644 (file)
@@ -1,3 +1,22 @@
+2009-03-10  Darin Adler  <darin@apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Bug 24494: crash when deleting at end of document and merging paragraphs
+        https://bugs.webkit.org/show_bug.cgi?id=24494
+        rdar://problem/6571537
+
+        Test: editing/deleting/merge-at-end-of-document.html
+
+        * dom/Range.cpp:
+        (WebCore::Range::compareBoundaryPoints): Split out assertion. It's better not to
+        use && in assertions since we'd like to know which condition is failing.
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyleToRange): Added a null check before
+        calling compareBoundaryPoints, since a 0 for the node is ambiguous and so the
+        function doesn't know which value to return.
+
 2009-03-10  Dirk Schulze  <krit@webkit.org>
 
         Reviewed by Eric Seidel. Math checked by Oliver Hunt.
index f74e09e..8add1cd 100644 (file)
@@ -436,11 +436,14 @@ short Range::compareBoundaryPoints(CompareHow how, const Range* sourceRange, Exc
 
 short Range::compareBoundaryPoints(Node* containerA, int offsetA, Node* containerB, int offsetB)
 {
-    ASSERT(containerA && containerB);
+    ASSERT(containerA);
+    ASSERT(containerB);
+
     if (!containerA)
         return -1;
     if (!containerB)
         return 1;
+
     // see DOM2 traversal & range section 2.5
 
     // case 1: both points have the same container
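Review bot: In the fallbacks that follow the two new ASSERT lines, a null containerA returns -1 and a null containerB returns 1, which are ordinary comparison results that a caller cannot distinguish from a real ordering (and when both are null the result is -1). Because the ASSERTs are compiled out of release builds, add a comment here saying these returns are defensive defaults with no meaning as an ordering, and that callers must null-check before calling, as the ApplyStyleCommand change in this commit does.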
index 87edefd..d4eb247 100644 (file)
@@ -871,7 +871,7 @@ void ApplyStyleCommand::applyInlineStyleToRange(CSSMutableStyleDeclaration* styl
     if (start.m_offset >= caretMaxOffset(start.node())) {
         node = node->traverseNextNode();
         Position newStart = Position(node, 0);
-        if (Range::compareBoundaryPoints(end, newStart) < 0)
+        if (!node || Range::compareBoundaryPoints(end, newStart) < 0)
             rangeIsEmpty = true;
     }