WebCore:
authorantti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Aug 2007 00:11:58 +0000 (00:11 +0000)
committerantti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Aug 2007 00:11:58 +0000 (00:11 +0000)
        Reviewed by Darin.

        Fix for <rdar://problem/5433726>
        Mail crash at WebCore::Frame::styleForSelectionStart() when deleting a selection in a HTML message (http://www.yahoo.com/)

        Test: editing/style/temporary-span-crash.html

        * page/Frame.cpp:
        (WebCore::Frame::styleForSelectionStart):
        Temporary span created here might not have renderer if document has style sheet that makes it display:none.
        Set display:inline explicitly in spans style attribute. This temporary span does not need to get its display
        value from actual document style sheets. Null check the renderer too to be sure.

LayoutTests:

        Reviewed by Darin.

        Test for <rdar://problem/5433726>
        Mail crash at WebCore::Frame::styleForSelectionStart() when deleting a selection in a HTML message (http://www.yahoo.com/)

        * editing/style/temporary-span-crash-expected.txt: Added.
        * editing/style/temporary-span-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@25255 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/style/temporary-span-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/style/temporary-span-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/page/Frame.cpp

index c66ab8b78d62b890bfd39c7f38c6b64b0a38892e..6f7b01046ab9f05345e594f5a4dbfd7cbaa8e1ab 100644 (file)
@@ -1,3 +1,13 @@
+2007-08-26  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Test for <rdar://problem/5433726>
+        Mail crash at WebCore::Frame::styleForSelectionStart() when deleting a selection in a HTML message (http://www.yahoo.com/)
+
+        * editing/style/temporary-span-crash-expected.txt: Added.
+        * editing/style/temporary-span-crash.html: Added.
+
 2007-08-25  David Kilzer  <ddkilzer@apple.com>
 
         Reviewed by NOBODY (fixes layout tests).
diff --git a/LayoutTests/editing/style/temporary-span-crash-expected.txt b/LayoutTests/editing/style/temporary-span-crash-expected.txt
new file mode 100644 (file)
index 0000000..171ecda
--- /dev/null
@@ -0,0 +1,3 @@
+Editing code creates temporary SPANs in some situations. Check we don't crash if we have style span { display: none }
+
+----------
diff --git a/LayoutTests/editing/style/temporary-span-crash.html b/LayoutTests/editing/style/temporary-span-crash.html
new file mode 100644 (file)
index 0000000..6071193
--- /dev/null
@@ -0,0 +1,19 @@
+<style>
+span { display: none }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<body contenteditable>
+<p>Editing code creates temporary SPANs in some situations. Check we don't crash if we have style span { display: none }
+<p>
+<b id=b>select me fully </b><i id=i>select me partially ----------</i>
+<script>
+var selection = window.getSelection();
+var b = document.getElementById('b');
+var i = document.getElementById('i');
+selection.setBaseAndExtent(b, 0, i.firstChild, 20);
+document.execCommand("Delete");
+</script>
+</body>
index 126bb545367f66f1a5696db527514b74b1332fab..c058a95b1796e284a63e30c2d466abee99915be2 100644 (file)
@@ -1,3 +1,19 @@
+2007-08-26  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Fix for <rdar://problem/5433726>
+        Mail crash at WebCore::Frame::styleForSelectionStart() when deleting a selection in a HTML message (http://www.yahoo.com/)
+
+        Test: editing/style/temporary-span-crash.html
+
+        * page/Frame.cpp:
+        (WebCore::Frame::styleForSelectionStart):
+        Temporary span created here might not have renderer if document has style sheet that makes it display:none.
+        Set display:inline explicitly in spans style attribute. This temporary span does not need to get its display 
+        value from actual document style sheets. Null check the renderer too to be sure.
+
+
 2007-08-24  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Adele.
index 9407d4b4a3177697935bff35c7e07ea3a95bc88d..cc183f2a511cd98208ece1e540b4766a0b08cb2f 100644 (file)
@@ -1555,7 +1555,8 @@ RenderStyle *Frame::styleForSelectionStart(Node *&nodeToRemove) const
     RefPtr<Element> styleElement = document()->createElementNS(xhtmlNamespaceURI, "span", ec);
     ASSERT(ec == 0);
     
-    styleElement->setAttribute(styleAttr, d->m_typingStyle->cssText().impl(), ec);
+    String styleText = d->m_typingStyle->cssText() + " display: inline";
+    styleElement->setAttribute(styleAttr, styleText.impl(), ec);
     ASSERT(ec == 0);
     
     styleElement->appendChild(document()->createEditingTextNode(""), ec);
@@ -1565,7 +1566,7 @@ RenderStyle *Frame::styleForSelectionStart(Node *&nodeToRemove) const
     ASSERT(ec == 0);
     
     nodeToRemove = styleElement.get();    
-    return styleElement->renderer()->style();
+    return styleElement->renderer() ? styleElement->renderer()->style() : 0;
 }
 
 void Frame::setSelectionFromNone()