Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
authorinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 24 Mar 2012 20:03:28 +0000 (20:03 +0000)
committerinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 24 Mar 2012 20:03:28 +0000 (20:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=81959

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/execCommand/apply-style-command-crash.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange): RefPtr the weak
node iterator |node|.
* editing/ApplyStyleCommand.h:
(ApplyStyleCommand): convert |startNode| and |pastEndNode| into PassRefPtr.

LayoutTests:

* editing/execCommand/apply-style-command-crash-expected.txt: Added.
* editing/execCommand/apply-style-command-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112012 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/execCommand/apply-style-command-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/editing/ApplyStyleCommand.cpp
Source/WebCore/editing/ApplyStyleCommand.h

index 839347d66b88e3c81c481ddc4c76ca895e42e51e..90529e19be480bd1f0a142f6ca626ed3d3249579 100644 (file)
@@ -1,3 +1,13 @@
+2012-03-24  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
+        https://bugs.webkit.org/show_bug.cgi?id=81959
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/execCommand/apply-style-command-crash-expected.txt: Added.
+        * editing/execCommand/apply-style-command-crash.html: Added.
+
 2012-03-24  Pavel Feldman  <pfeldman@chromium.org>
 
         Not reviewed: restoring chromium's expectations for effect-custom-parameters-expected.png.
diff --git a/LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt b/LayoutTests/editing/execCommand/apply-style-command-crash-expected.txt
new file mode 100644 (file)
index 0000000..42e8ea3
--- /dev/null
@@ -0,0 +1 @@
+PASS. WebKit didn't crash
diff --git a/LayoutTests/editing/execCommand/apply-style-command-crash.html b/LayoutTests/editing/execCommand/apply-style-command-crash.html
new file mode 100755 (executable)
index 0000000..6cf8f67
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE html>\r
+<html>\r
+<head>\r
+<script>\r
+if (window.layoutTestController) {\r
+    layoutTestController.dumpAsText();\r
+    layoutTestController.waitUntilDone();\r
+}\r
+\r
+onload = function() {\r
+    x.innerHTML += '';\r
+}\r
+\r
+setTimeout(function() {\r
+    document.designMode = 'on';\r
+    document.execCommand('selectall');\r
+    document.execCommand('bold');\r
+    document.body.offsetTop;\r
+    document.body.innerHTML = "PASS. WebKit didn't crash";\r
+    if (window.layoutTestController)\r
+        layoutTestController.notifyDone();\r
+}, 0)\r
+</script>\r
+</head>\r
+<body>\r
+<div id="x">\r
+<iframe src="data:"></iframe>\r
+<div>\r
+<input></input>\r
+</div>\r
+</ul>\r
+</body>\r
+</html>\r
+\r
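Review bot: The new test file lands with mode 100755 and every line carries a trailing `\r`, neither of which a layout test needs; other files under LayoutTests are non-executable LF files, so the mode should be 0644 and the line endings normalized before landing. The unmatched `</ul>` that closes the `<div id="x">` block and the `<input></input>` pair read like residue from a reduced fuzzer case; if that malformed markup is what produces the DOM shape the crash needs, a one-line `<!-- Malformed markup below is intentional: it reproduces the DOM shape from bug 81959. -->` would stop a later cleanup from "fixing" it away, and if it is not needed it should be dropped now. The `onload` handler reads `x` while the timer callback may already have replaced `document.body`, so the test presumably relies on load firing before the zero-delay timer (or on the dump happening at `notifyDone` before any error is logged) — worth confirming, since a ReferenceError there would otherwise show up as a console line in the dumped text.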
index 748cac8e4c32c5cf0c48ea87b3010691590b3520..52f29495c18cf07a4d826d78868403f3665e0a05 100644 (file)
@@ -1,3 +1,18 @@
+2012-03-24  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in ApplyStyleCommand::applyInlineStyleToNodeRange.
+        https://bugs.webkit.org/show_bug.cgi?id=81959
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: editing/execCommand/apply-style-command-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange): RefPtr the weak
+        node iterator |node|.
+        * editing/ApplyStyleCommand.h:
+        (ApplyStyleCommand): convert |startNode| and |pastEndNode| into PassRefPtr.
+
 2012-03-24  Jesus Sanchez-Palencia  <jesus.palencia@openbossa.org>
 
         Unreviewed, build fix since we use "-Werror=unused-but-set-variable".
index 7c6347c411e62f3d27eb1171c1b7f3555ce5ea2f..dcd978c0d17d8b30928b94c9e2d11c132c79b19e 100644 (file)
@@ -704,12 +704,13 @@ static bool containsNonEditableRegion(Node* node)
     return false;
 }
 
-void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, Node* node, Node* pastEndNode)
+void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, PassRefPtr<Node> startNode, PassRefPtr<Node> pastEndNode)
 {
     if (m_removeOnly)
         return;
 
-    for (RefPtr<Node> next; node && node != pastEndNode; node = next.get()) {
+    RefPtr<Node> node = startNode;
+    for (RefPtr<Node> next; node && node != pastEndNode; node = next) {
         next = node->traverseNextNode();
 
         if (!node->renderer() || !node->rendererIsEditable())
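Review bot: `pastEndNode` stays a PassRefPtr for the whole function body — it is dereferenced in the `isDescendantOf` check in the next hunk and read through `.get()` in the `contains` calls of the two hunks after that — whereas a PassRefPtr parameter is meant to be transferred into a RefPtr once, not kept as a working local. Following the `prp` naming used for such parameters elsewhere in WebKit, I would change the signature at L120 to `PassRefPtr<Node> prpStartNode, PassRefPtr<Node> prpPastEndNode` and take both up front with `RefPtr<Node> node = prpStartNode;` and `RefPtr<Node> pastEndNode = prpPastEndNode;`, which leaves the rest of the function reading plain RefPtrs and the declaration in the header hunk at the end of this diff unchanged. The reason `node` now needs a strong reference is not stated anywhere; a comment above the new `RefPtr<Node> node = startNode;` such as `// Hold a reference: the loop body mutates the DOM (e.g. setNodeAttribute below), which can release the node a raw iterator would still point at.` would keep someone from optimizing it back to a raw pointer. The loop body continues past the end of this hunk.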
@@ -719,10 +720,10 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, Node* n
             // This is a plaintext-only region. Only proceed if it's fully selected.
             // pastEndNode is the node after the last fully selected node, so if it's inside node then
             // node isn't fully selected.
-            if (pastEndNode && pastEndNode->isDescendantOf(node))
+            if (pastEndNode && pastEndNode->isDescendantOf(node.get()))
                 break;
             // Add to this element's inline style and skip over its contents.
-            HTMLElement* element = toHTMLElement(node);
+            HTMLElement* element = toHTMLElement(node.get());
             RefPtr<StylePropertySet> inlineStyle = element->ensureInlineStyle()->copy();
             inlineStyle->merge(style->style());
             setNodeAttribute(element, styleAttr, inlineStyle->asText());
@@ -730,13 +731,13 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, Node* n
             continue;
         }
         
-        if (isBlock(node))
+        if (isBlock(node.get()))
             continue;
         
         if (node->childNodeCount()) {
-            if (node->contains(pastEndNode) || containsNonEditableRegion(node) || !node->parentNode()->rendererIsEditable())
+            if (node->contains(pastEndNode.get()) || containsNonEditableRegion(node.get()) || !node->parentNode()->rendererIsEditable())
                 continue;
-            if (editingIgnoresContent(node)) {
+            if (editingIgnoresContent(node.get())) {
                 next = node->traverseNextSibling();
                 continue;
             }
@@ -745,7 +746,7 @@ void ApplyStyleCommand::applyInlineStyleToNodeRange(EditingStyle* style, Node* n
         RefPtr<Node> runStart = node;
         RefPtr<Node> runEnd = node;
         Node* sibling = node->nextSibling();
-        while (sibling && sibling != pastEndNode && !sibling->contains(pastEndNode)
+        while (sibling && sibling != pastEndNode && !sibling->contains(pastEndNode.get())
                && (!isBlock(sibling) || sibling->hasTagName(brTag))
                && !containsNonEditableRegion(sibling)) {
             runEnd = sibling;
index 6b6e6fdefb369d32349b2031019f6faee9329d60..58bc19b9e7b1b34b8b17768cca8209e0d22f2d2c 100644 (file)
@@ -94,7 +94,7 @@ private:
     void applyRelativeFontStyleChange(EditingStyle*);
     void applyInlineStyle(EditingStyle*);
     void fixRangeAndApplyInlineStyle(EditingStyle*, const Position& start, const Position& end);
-    void applyInlineStyleToNodeRange(EditingStyle*, Node* startNode, Node* pastEndNode);
+    void applyInlineStyleToNodeRange(EditingStyle*, PassRefPtr<Node> startNode, PassRefPtr<Node> pastEndNode);
     void addBlockStyle(const StyleChange&, HTMLElement*);
     void addInlineStyleIfNeeded(EditingStyle*, PassRefPtr<Node> start, PassRefPtr<Node> end, EAddStyledElement = AddStyledElement);
     void splitTextAtStart(const Position& start, const Position& end);