Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 May 2015 21:39:50 +0000 (21:39 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 May 2015 21:39:50 +0000 (21:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=119068

Reviewed by Enrica Casucci.

Source/WebCore:

The bug was caused by makeInsertedContentRoundTrippableWithHTMLTreeBuilder not updating
the nodes tracked by insertedNodes, and moveNodeOutOfAncestor stumbling upon it.

Fixed the bug by updating insertedNodes in makeInsertedContentRoundTrippableWithHTMLTreeBuilder.

Test: editing/inserting/insert-table-in-paragraph-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
(WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor):
* editing/ReplaceSelectionCommand.h:

LayoutTests:

Added a test based on https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744

* editing/inserting/insert-table-in-paragraph-crash-expected.txt: Added.
* editing/inserting/insert-table-in-paragraph-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184355 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/ReplaceSelectionCommand.cpp
Source/WebCore/editing/ReplaceSelectionCommand.h

index 92e6e86..c92e97f 100644 (file)
@@ -1,3 +1,15 @@
+2015-05-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=119068
+
+        Reviewed by Enrica Casucci.
+
+        Added a test based on https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744
+
+        * editing/inserting/insert-table-in-paragraph-crash-expected.txt: Added.
+        * editing/inserting/insert-table-in-paragraph-crash.html: Added.
+
 2015-05-14  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [Mac] Expose more font weights for -apple-system
diff --git a/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt b/LayoutTests/editing/inserting/insert-table-in-paragraph-crash-expected.txt
new file mode 100644 (file)
index 0000000..dffb9dd
--- /dev/null
@@ -0,0 +1,6 @@
+This tests pasting a table element wrapped in p. WebKit should not crash.
+| <table>
+|   <tbody>
+|     <tr>
+|       <td>
+|         "stats"
diff --git a/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html b/LayoutTests/editing/inserting/insert-table-in-paragraph-crash.html
new file mode 100644 (file)
index 0000000..f0cd2f8
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE>
+<html>
+<body>
+<div id="editor" contenteditable="true"></div>
+<script src="../../resources/dump-as-markup.js"></script>
+<script>
+
+Markup.description('This tests pasting a table element wrapped in p. WebKit should not crash.');
+
+var editor = document.getElementById('editor');
+
+editor.focus();
+document.execCommand('InsertHTML', false, '<p><table><tbody><tr><td>stats</td></tr></tbody></table></p>');
+
+Markup.dump(editor);
+
+</script>
+</body>
+</html>
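Review bot: The bare `<!DOCTYPE>` on the first line of the test has no name, so the document is parsed in quirks mode, and the regression appears to depend on that. In no-quirks mode the HTML parser closes an open `p` when it reaches `<table>`, so the table in the `InsertHTML` string would not stay nested in the paragraph and the `pTag` path in makeInsertedContentRoundTrippableWithHTMLTreeBuilder would probably not run. If the quirks doctype is deliberate, say so right after it, for example `<!-- Quirks mode on purpose: keeps <table> nested in <p> when the pasted fragment is parsed. -->`. Otherwise a later cleanup to `<!DOCTYPE html>` would leave the test passing without covering the crash. I have not confirmed how the fragment parser inherits the document mode, so check that before relying on this.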
index 21f0ab6..bef66de 100644 (file)
@@ -1,3 +1,22 @@
+2015-05-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=119068
+
+        Reviewed by Enrica Casucci.
+
+        The bug was caused by makeInsertedContentRoundTrippableWithHTMLTreeBuilder not updating
+        nodes kept tracked by insertedNodes and moveNodeOutOfAncestor stumbling upon it.
+
+        Fixed the bug by updating insertedNodes in makeInsertedContentRoundTrippableWithHTMLTreeBuilder.
+
+        Test: editing/inserting/insert-table-in-paragraph-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
+        (WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor):
+        * editing/ReplaceSelectionCommand.h:
+
 2015-05-14  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [Mac] Expose more font weights for -apple-system
index fd57455..2e25eef 100644 (file)
@@ -635,7 +635,7 @@ void ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuild
             if (auto* paragraphElement = enclosingElementWithTag(positionInParentBeforeNode(node.get()), pTag)) {
                 auto* parent = paragraphElement->parentNode();
                 if (parent && parent->hasEditableStyle())
-                    moveNodeOutOfAncestor(node, paragraphElement);
+                    moveNodeOutOfAncestor(node, paragraphElement, insertedNodes);
             }
         }
 
@@ -643,7 +643,7 @@ void ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuild
             auto* headerElement = highestEnclosingNodeOfType(positionInParentBeforeNode(node.get()), isHeaderElement);
             if (headerElement) {
                 if (headerElement->parentNode() && headerElement->parentNode()->isContentRichlyEditable())
-                    moveNodeOutOfAncestor(node, headerElement);
+                    moveNodeOutOfAncestor(node, headerElement, insertedNodes);
                 else {
                     HTMLElement* newSpanElement = replaceElementWithSpanPreservingChildrenAndAttributes(downcast<HTMLElement>(node.get()));
                     insertedNodes.didReplaceNode(node.get(), newSpanElement);
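Review bot: The header path at `moveNodeOutOfAncestor(node, headerElement, insertedNodes);` gets the same fix as the paragraph path in the previous hunk, but the added layout test only inserts `<p><table>…</table></p>`. The branch that removes an emptied header ancestor therefore has no regression coverage on this page. A sibling test that pastes a heading nested inside another heading through an intermediate element would pin the second call site as well. The loop that drives both call sites starts outside these hunks, so confirm that any end node it cached from `insertedNodes` before the call is still valid once the tracker has been updated.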
@@ -653,7 +653,7 @@ void ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuild
     }
 }
 
-void ReplaceSelectionCommand::moveNodeOutOfAncestor(PassRefPtr<Node> prpNode, PassRefPtr<Node> prpAncestor)
+void ReplaceSelectionCommand::moveNodeOutOfAncestor(PassRefPtr<Node> prpNode, PassRefPtr<Node> prpAncestor, InsertedNodes& insertedNodes)
 {
     RefPtr<Node> node = prpNode;
     RefPtr<Node> ancestor = prpAncestor;
@@ -671,8 +671,10 @@ void ReplaceSelectionCommand::moveNodeOutOfAncestor(PassRefPtr<Node> prpNode, Pa
         removeNode(node);
         insertNodeBefore(node, nodeToSplitTo);
     }
-    if (!ancestor->firstChild())
+    if (!ancestor->firstChild()) {
+        insertedNodes.willRemoveNode(ancestor.get());
         removeNode(ancestor.release());
+    }
 }
 
 static inline bool hasRenderedText(const Text& text)
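Review bot: The order of the two new statements inside `if (!ancestor->firstChild())` matters but is not documented. `insertedNodes.willRemoveNode(ancestor.get())` has to run while `ancestor` is still attached, presumably because the tracker moves to a neighbouring node when the removed one is its first or last entry. Swapping it with `removeNode(ancestor.release())` would bring back tracked nodes that are no longer in the document. I would add `// Update insertedNodes before detaching ancestor; once it is removed the tracker cannot step to a neighbouring node.` above the call. The function body starts outside this hunk, so any earlier return paths that detach nodes without telling `insertedNodes` are not visible here and should be checked too.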
index 9cfdfc7..73620fd 100644 (file)
@@ -96,7 +96,7 @@ private:
     
     void removeRedundantStylesAndKeepStyleSpanInline(InsertedNodes&);
     void makeInsertedContentRoundTrippableWithHTMLTreeBuilder(InsertedNodes&);
-    void moveNodeOutOfAncestor(PassRefPtr<Node>, PassRefPtr<Node> ancestor);
+    void moveNodeOutOfAncestor(PassRefPtr<Node>, PassRefPtr<Node> ancestor, InsertedNodes&);
     void handleStyleSpans(InsertedNodes&);
     void handlePasteAsQuotationNode();