dispatchEvent call can execute javascript and blow away endRoot from underneath
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 May 2013 19:34:31 +0000 (19:34 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 May 2013 19:34:31 +0000 (19:34 +0000)
https://bugs.webkit.org/show_bug.cgi?id=116483

Source/WebCore:

Reviewed by Andreas Kling.

Merge https://chromium.googlesource.com/chromium/blink/+/798cba0af9b2aff21e475e2e08ea3ca5e97dfc2c.

Test: editing/undo/undo-after-event-edited.html

* editing/Editor.cpp:
(WebCore::dispatchEditableContentChangedEvents):

LayoutTests:

Reviewed by Andreas Kling.

Add a regression test.

* editing/undo/undo-after-event-edited-expected.txt: Added.
* editing/undo/undo-after-event-edited.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@150469 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/undo/undo-after-event-edited-expected.txt [new file with mode: 0644]
LayoutTests/editing/undo/undo-after-event-edited.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/Editor.cpp

index 5948f4dbe093070e3b7d123da907c3e98268b14e..635fed462d9a7099c32702970131e6c5758e6245 100644 (file)
@@ -1,3 +1,15 @@
+2013-05-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        dispatchEvent call can execute javascript and blow away endRoot from underneath
+        https://bugs.webkit.org/show_bug.cgi?id=116483
+
+        Reviewed by Andreas Kling.
+
+        Add a regression test.
+
+        * editing/undo/undo-after-event-edited-expected.txt: Added.
+        * editing/undo/undo-after-event-edited.html: Added.
+
 2013-05-21  Ryosuke Niwa  <rniwa@webkit.org>
 
         media/track/track-cue-rendering-snap-to-lines-not-set.html is failing
diff --git a/LayoutTests/editing/undo/undo-after-event-edited-expected.txt b/LayoutTests/editing/undo/undo-after-event-edited-expected.txt
new file mode 100644 (file)
index 0000000..b41c4bb
--- /dev/null
@@ -0,0 +1 @@
+Pass. Test didn't crash.
diff --git a/LayoutTests/editing/undo/undo-after-event-edited.html b/LayoutTests/editing/undo/undo-after-event-edited.html
new file mode 100644 (file)
index 0000000..a85de58
--- /dev/null
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+* { display:run-in; }
+.collapse { visibility:collapse; }
+</style>
+<script>
+
+if (window.testRunner) {
+    window.testRunner.dumpAsText();
+    window.testRunner.waitUntilDone();
+}
+
+document.designMode = "on";
+var scriptElements = document.getElementsByTagName("script");
+scriptElements[0].parentNode.removeChild(scriptElements[0]);
+var eventHandlerActive = false;
+
+document.addEventListener("webkitEditableContentChanged", function () {
+    if (eventHandlerActive)
+        return;
+    eventHandlerActive = true;
+    var srcElement = event.srcElement;
+    document.execCommand('InsertText',false,'dummy text');
+    srcElement.textContent = "Pass. Test didn't crash.";
+    eventHandlerActive = false;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, true);
+
+document.addEventListener("DOMCharacterDataModified", function () {
+    document.execCommand('InsertParagraph',false,false);
+}, false);
+
+setTimeout(function() {
+  document.execCommand("SelectAll", false)
+  var documentFragment = getSelection().getRangeAt(0).extractContents();
+  document.execCommand('Undo', false);
+}, 1);
+
+</script>
+</head>
+<body>
+<table class="collapse">
+<caption>
+original text
+</caption>
+</table>
+</body>
+</html>
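Review bot: The webkitEditableContentChanged listener on L83 declares no parameter and reads the implicit global `event` on L87, so the test depends on window.event rather than on the argument the DOM hands the handler; writing `document.addEventListener("webkitEditableContentChanged", function (event) {` makes that dependency explicit and keeps the test meaningful if the global is ever dropped. On L101 the fragment returned by extractContents() is stored in `documentFragment` but never read, so the call is there only for its side effect; dropping the assignment, or adding `// extractContents() itself is the mutation that triggers the event sequence`, would make the intent clearer. L100 is also missing its terminating semicolon.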
index d3ee56bfe473323ac520fe4a9b75fd155e1a0d27..5b275ba17ce3cde200d46dff317f98e2a383c798 100644 (file)
@@ -1,3 +1,17 @@
+2013-05-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        dispatchEvent call can execute javascript and blow away endRoot from underneath
+        https://bugs.webkit.org/show_bug.cgi?id=116483
+
+        Reviewed by Andreas Kling.
+        
+        Merge https://chromium.googlesource.com/chromium/blink/+/798cba0af9b2aff21e475e2e08ea3ca5e97dfc2c.
+
+        Test: editing/undo/undo-after-event-edited.html
+
+        * editing/Editor.cpp:
+        (WebCore::dispatchEditableContentChangedEvents):
+
 2013-05-21  Antti Koivisto  <antti@apple.com>
 
         Remove ContentDistribution
index c259339c22e9fbe10ba331fef05465ecc77aca7c..ee3f1afc688d2d78397c619e1b239763bd68a53d 100644 (file)
@@ -831,8 +831,10 @@ void Editor::outdent()
     applyCommand(IndentOutdentCommand::create(m_frame->document(), IndentOutdentCommand::Outdent));
 }
 
-static void dispatchEditableContentChangedEvents(Element* startRoot, Element* endRoot)
+static void dispatchEditableContentChangedEvents(RefPtr<Element> prpStartRoot, PassRefPtr<Element> prpEndRoot)
 {
+    RefPtr<Element> startRoot = prpStartRoot;
+    RefPtr<Element> endRoot = prpEndRoot;
     if (startRoot)
         startRoot->dispatchEvent(Event::create(eventNames().webkitEditableContentChangedEvent, false, false), IGNORE_EXCEPTION);
     if (endRoot && endRoot != startRoot)
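Review bot: The two parameters on the new signature at L140 are typed differently — `RefPtr<Element> prpStartRoot` by value and `PassRefPtr<Element> prpEndRoot` — although both are copied into local RefPtrs in the same way and both carry the `prp` prefix that WebKit uses for PassRefPtr arguments, so the first name is misleading. The symmetric form `static void dispatchEditableContentChangedEvents(PassRefPtr<Element> prpStartRoot, PassRefPtr<Element> prpEndRoot)` keeps the naming honest and presumably matches the Blink change being merged. The local copies on L142-L143 are what hold startRoot and endRoot alive across the first dispatchEvent, which can run script that removes them from the tree; a comment above them such as `// Script run by dispatchEvent may remove either element; keep both alive until the second event has fired.` would stop a later cleanup from treating them as redundant. The function body continues past the end of the hunk.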