WebCore:
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Mar 2009 14:46:42 +0000 (14:46 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Mar 2009 14:46:42 +0000 (14:46 +0000)
2009-03-10  Darin Adler  <darin@apple.com>

        Reviewed by Dan Bernstein.

        Bug 23564: REGRESSION (r39230-39286): crash loading page that changes <input> display type and then calls innerHTML
        https://bugs.webkit.org/show_bug.cgi?id=23564
        rdar://problem/6537238

        Test: fast/dom/HTMLElement/innerHTML-selection-crash.html

        * editing/markup.cpp: (WebCore::createMarkup): Added updateLayoutIgnorePendingStylesheets
        call to the one of the two overloads of this function that wasn't calling it. This fixes
        this crash and other possible crashes inside innerHTML.

LayoutTests:

2009-03-10  Darin Adler  <darin@apple.com>

        Reviewed by Dan Bernstein.

        Bug 23564: REGRESSION (r39230-39286): crash loading page that changes <input> display type and then calls innerHTML
        https://bugs.webkit.org/show_bug.cgi?id=23564
        rdar://problem/6537238

        * fast/dom/HTMLElement/innerHTML-selection-crash-expected.txt: Added.
        * fast/dom/HTMLElement/innerHTML-selection-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@41552 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/editing/markup.cpp

index c0a9ccc..24a3575 100644 (file)
@@ -1,3 +1,14 @@
+2009-03-10  Darin Adler  <darin@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Bug 23564: REGRESSION (r39230-39286): crash loading page that changes <input> display type and then calls innerHTML
+        https://bugs.webkit.org/show_bug.cgi?id=23564
+        rdar://problem/6537238
+
+        * fast/dom/HTMLElement/innerHTML-selection-crash-expected.txt: Added.
+        * fast/dom/HTMLElement/innerHTML-selection-crash.html: Added.
+
 2009-03-10  Oliver Hunt  <oliver@apple.com>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash-expected.txt b/LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash-expected.txt
new file mode 100644 (file)
index 0000000..e02680c
--- /dev/null
@@ -0,0 +1,5 @@
+This tests that calling innerHTML doesn't crash when the selection endpoint is inside a text field's shadow DOM tree.
+
+If the test doesn't crash, then it passes.
+
+PASS: There was no crash.
diff --git a/LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash.html b/LayoutTests/fast/dom/HTMLElement/innerHTML-selection-crash.html
new file mode 100644 (file)
index 0000000..9ff249b
--- /dev/null
@@ -0,0 +1,20 @@
+<p>This tests that calling innerHTML doesn't crash when the selection endpoint is inside a text field's shadow DOM tree.</p>
+
+<p>If the test doesn't crash, then it passes.</p>
+
+<input id="field" type="text" value="some text">
+<script>
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.getElementById('field').setAttribute('style', 'display: inline');
+document.getElementById('field').focus();
+document.body.offsetLeft;
+document.getElementById('field').setAttribute('style', 'display: block');
+document.body.innerHTML;
+document.getElementById('field').setAttribute('style', 'display: none');
+
+document.write("<p>PASS: There was no crash.</p>");
+
+</script>
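Review bot: the statements `document.body.offsetLeft;` and `document.body.innerHTML;` in the script read as dead code, so a short comment saying that the first deliberately forces layout and the second invokes the innerHTML getter (the path that reaches createMarkup) would stop a later cleanup from removing them and silently turning this into a test that exercises nothing. It is also worth a line in the file noting that the only check is that the page finishes loading, which is why the `PASS` paragraph is written unconditionally.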
index 078f117..b5c9a22 100644 (file)
@@ -1,3 +1,17 @@
+2009-03-10  Darin Adler  <darin@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Bug 23564: REGRESSION (r39230-39286): crash loading page that changes <input> display type and then calls innerHTML
+        https://bugs.webkit.org/show_bug.cgi?id=23564
+        rdar://problem/6537238
+
+        Test: fast/dom/HTMLElement/innerHTML-selection-crash.html
+
+        * editing/markup.cpp: (WebCore::createMarkup): Added updateLayoutIgnorePendingStylesheets
+        call to the one of the two overloads of this function that wasn't calling it. This fixes
+        this crash and other possible crashes inside innerHTML.
+
 2009-03-10  Alexey Proskuryakov  <ap@webkit.org>
 
         Reviewed by Darin Adler.
index 436abf9..9c03082 100644 (file)
@@ -1035,6 +1035,8 @@ String createMarkup(const Node* node, EChildrenOnly includeChildren, Vector<Node
         deleteButton->disable();
     }
 
+    document->updateLayoutIgnorePendingStylesheets();
+
     appendMarkup(result, const_cast<Node*>(node), includeChildren, nodes);
 
     if (deleteButton)
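Review bot: the new `document->updateLayoutIgnorePendingStylesheets();` call carries no comment explaining why layout has to be current before `appendMarkup`, and the ChangeLog says the other overload of createMarkup already makes the same call; a one-line comment here (for example that appendMarkup may consult render tree state such as a selection endpoint inside a text field's shadow tree, per the new test) would keep the two overloads in step and prevent the call from being dropped as redundant. Please also confirm that `document` cannot be null at this point and that forcing layout here cannot destroy `node` or `deleteButton` before they are used on the following lines, since the visible context does not show where `document` is obtained.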