Crash when setting text direction via MakeTextWritingDirection* editing commands.
authorakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jul 2015 01:37:40 +0000 (01:37 +0000)
committerakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jul 2015 01:37:40 +0000 (01:37 +0000)
<https://webkit.org/b/146665>
<rdar://problem/20835477>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Fix two buggy clients of enclosingBlock(node) that would fail if the returned
element is the same as the node passed in.

Test: editing/style/change-text-direction-crash.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
(WebCore::ApplyStyleCommand::removeEmbeddingUpToEnclosingBlock):

LayoutTests:

Add a test that covers some very simple MakeTextWritingDirection* command usage.

* editing/style/change-text-direction-crash-expected.txt: Added.
* editing/style/change-text-direction-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186393 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/style/change-text-direction-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/style/change-text-direction-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/ApplyStyleCommand.cpp

index 0e4ecea..44e1f0f 100644 (file)
@@ -1,3 +1,16 @@
+2015-07-06  Andreas Kling  <akling@apple.com>
+
+        Crash when setting text direction via MakeTextWritingDirection* editing commands.
+        <https://webkit.org/b/146665>
+        <rdar://problem/20835477>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a test that covers some very simple MakeTextWritingDirection* command usage.
+
+        * editing/style/change-text-direction-crash-expected.txt: Added.
+        * editing/style/change-text-direction-crash.html: Added.
+
 2015-07-06  Simon Fraser  <simon.fraser@apple.com>
 
         Revert use of SVG <mask> elements for -webkit-mask-image (r176798, r177494, r186180)
diff --git a/LayoutTests/editing/style/change-text-direction-crash-expected.txt b/LayoutTests/editing/style/change-text-direction-crash-expected.txt
new file mode 100644 (file)
index 0000000..4f8bbf8
--- /dev/null
@@ -0,0 +1,33 @@
+This test verifies that programmatically setting the text direction using editing commands doesn't crash.
+
+MakeTextWritingDirectionLeftToRight:
+| "foo"
+| <div>
+|   <span>
+|     id="bar"
+|     style="unicode-bidi: embed;"
+|     "<#selection-anchor>aתbc"
+| <div>
+|   <#selection-focus>
+|   "baz"
+
+MakeTextWritingDirectionRightToLeft:
+| "foo"
+| <div>
+|   <span>
+|     id="bar"
+|     style="unicode-bidi: embed; direction: rtl;"
+|     "<#selection-anchor>aתbc"
+| <div>
+|   <#selection-focus>
+|   "baz"
+
+MakeTextWritingDirectionNatural:
+| "foo"
+| <div>
+|   <span>
+|     id="bar"
+|     "<#selection-anchor>aתbc"
+| <div>
+|   <#selection-focus>
+|   "baz"
diff --git a/LayoutTests/editing/style/change-text-direction-crash.html b/LayoutTests/editing/style/change-text-direction-crash.html
new file mode 100644 (file)
index 0000000..76afc19
--- /dev/null
@@ -0,0 +1,27 @@
+<html>
+<script src="../../resources/dump-as-markup.js"></script>
+<body>
+</body>
+<script>
+Markup.description("This test verifies that programmatically setting the text direction using editing commands doesn't crash.");
+
+function testCommand(command) {
+    document.body.innerHTML = '<div id="foo" contenteditable>foo<div><span id="bar">aתbc</span></div><div>baz</div></div>';
+
+    var range = document.createRange();
+    var barSpan = document.getElementById("bar");
+    range.setStartBefore(barSpan);
+    range.setEndAfter(barSpan.parentNode)
+    var sel = window.getSelection();
+    sel.removeAllRanges();
+    sel.addRange(range);
+
+    window.testRunner.execCommand(command, false, true);
+    Markup.dump("foo", command);
+}
+
+testCommand("MakeTextWritingDirectionLeftToRight");
+testCommand("MakeTextWritingDirectionRightToLeft");
+testCommand("MakeTextWritingDirectionNatural");
+</script>
+</html>
index f0a1045..b713187 100644 (file)
@@ -1,3 +1,20 @@
+2015-07-06  Andreas Kling  <akling@apple.com>
+
+        Crash when setting text direction via MakeTextWritingDirection* editing commands.
+        <https://webkit.org/b/146665>
+        <rdar://problem/20835477>
+
+        Reviewed by Ryosuke Niwa.
+
+        Fix two buggy clients of enclosingBlock(node) that would fail if the returned
+        element is the same as the node passed in.
+
+        Test: editing/style/change-text-direction-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
+        (WebCore::ApplyStyleCommand::removeEmbeddingUpToEnclosingBlock):
+
 2015-07-06  Simon Fraser  <simon.fraser@apple.com>
 
         Revert use of  SVG <mask> elements for -webkit-mask-image (r176798, r177494)
index 990552b..89b83c7 100644 (file)
@@ -443,8 +443,8 @@ HTMLElement* ApplyStyleCommand::splitAncestorsWithUnicodeBidi(Node* node, bool b
 {
     // We are allowed to leave the highest ancestor with unicode-bidi unsplit if it is unicode-bidi: embed and direction: allowedDirection.
     // In that case, we return the unsplit ancestor. Otherwise, we return 0.
-    Node* block = enclosingBlock(node);
-    if (!block)
+    Element* block = enclosingBlock(node);
+    if (!block || block == node)
         return 0;
 
     Node* highestAncestorWithUnicodeBidi = 0;
@@ -492,8 +492,8 @@ HTMLElement* ApplyStyleCommand::splitAncestorsWithUnicodeBidi(Node* node, bool b
 
 void ApplyStyleCommand::removeEmbeddingUpToEnclosingBlock(Node* node, Node* unsplitAncestor)
 {
-    Node* block = enclosingBlock(node);
-    if (!block)
+    Element* block = enclosingBlock(node);
+    if (!block || block == node)
         return;
 
     Node* parent = nullptr;