Changeset 135193 in webkit

Timestamp:

Nov 19, 2012, 1:43:28 PM (13 years ago)

Author:

inferno@chromium.org

Message:

Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
​https://bugs.webkit.org/show_bug.cgi?id=100150

Reviewed by Ryosuke Niwa.

Source/WebCore:

RefPtr startDummySpanAncestor and endDummySpanAncestor since
they can go away inside fixRangeAndApplyInlineStyle call.

Test: editing/style/apply-style-crash.html

• editing/ApplyStyleCommand.cpp:

(WebCore::ApplyStyleCommand::applyInlineStyle):

LayoutTests:

• editing/style/apply-style-crash-expected.txt: Added.
• editing/style/apply-style-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/style/apply-style-crash-expected.txt (added)
• LayoutTests/editing/style/apply-style-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/ApplyStyleCommand.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-11-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
+        https://bugs.webkit.org/show_bug.cgi?id=100150
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/style/apply-style-crash-expected.txt: Added.
+        * editing/style/apply-style-crash.html: Added.
+
 2012-11-19  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-11-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
+        https://bugs.webkit.org/show_bug.cgi?id=100150
+
+        Reviewed by Ryosuke Niwa.
+
+        RefPtr startDummySpanAncestor and endDummySpanAncestor since
+        they can go away inside fixRangeAndApplyInlineStyle call.
+
+        Test: editing/style/apply-style-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyle):
+
 2012-11-19  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/editing/ApplyStyleCommand.cpp

@@ -539 +539 @@
 void ApplyStyleCommand::applyInlineStyle(EditingStyle* style)
 {
-    Node* startDummySpanAncestor = 0;
-    Node* endDummySpanAncestor = 0;
+    RefPtr<Node> startDummySpanAncestor = 0;
+    RefPtr<Node> endDummySpanAncestor = 0;
 
     // update document layout once before removing styles
@@ -665 +665 @@
 
     // Remove dummy style spans created by splitting text elements.
-    cleanupUnstyledAppleStyleSpans(startDummySpanAncestor);
+    cleanupUnstyledAppleStyleSpans(startDummySpanAncestor.get());
     if (endDummySpanAncestor != startDummySpanAncestor)
-        cleanupUnstyledAppleStyleSpans(endDummySpanAncestor);
+        cleanupUnstyledAppleStyleSpans(endDummySpanAncestor.get());
 }