Changeset 92966 in webkit

Timestamp:

Aug 12, 2011, 9:27:57 AM (14 years ago)

Author:

inferno@chromium.org

Message:

Crash in WebCore::editingIgnoresContent
​https://bugs.webkit.org/show_bug.cgi?id=66125

Reviewed by Ryosuke Niwa.

Source/WebCore:

RefPtr a few nodes in case they get blown away in
dispatchEvent calls.

Test: editing/selection/select-start-remove-root-crash.html

• editing/FrameSelection.cpp:

(WebCore::FrameSelection::selectAll):

• editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplacementFragment::ReplacementFragment):

LayoutTests:

Tests that we do not crash when we blow away the root
during the firing of selectstart event in selection.

• editing/selection/select-start-remove-root-crash-expected.txt: Added.
• editing/selection/select-start-remove-root-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/selection/select-start-remove-root-crash-expected.txt (added)
• LayoutTests/editing/selection/select-start-remove-root-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/FrameSelection.cpp (modified) (3 diffs)
• Source/WebCore/editing/ReplaceSelectionCommand.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-08-12  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in WebCore::editingIgnoresContent
+        https://bugs.webkit.org/show_bug.cgi?id=66125
+
+        Reviewed by Ryosuke Niwa.
+
+        Tests that we do not crash when we blow away the root
+        during the firing of selectstart event in selection.
+
+        * editing/selection/select-start-remove-root-crash-expected.txt: Added.
+        * editing/selection/select-start-remove-root-crash.html: Added.
+
 2011-08-12  Yury Semikhatsky  <yurys@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-08-12  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in WebCore::editingIgnoresContent
+        https://bugs.webkit.org/show_bug.cgi?id=66125
+
+        Reviewed by Ryosuke Niwa.
+
+        RefPtr a few nodes in case they get blown away in
+        dispatchEvent calls.
+
+        Test: editing/selection/select-start-remove-root-crash.html
+
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::selectAll):
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplacementFragment::ReplacementFragment):
+
 2011-08-11  Pavel Podivilov  <podivilov@chromium.org>
 

trunk/Source/WebCore/editing/FrameSelection.cpp

@@ -1432 +1432 @@
     }
 
-    Node* root = 0;
+    RefPtr<Node> root = 0;
     Node* selectStartTarget = 0;
     if (isContentEditable()) {
@@ -1439 +1439 @@
             selectStartTarget = shadowRoot->shadowAncestorNode();
         else
-            selectStartTarget = root;
+            selectStartTarget = root.get();
     } else {
         root = m_selection.nonBoundaryShadowTreeRootNode();
@@ -1455 +1455 @@
         return;
 
-    VisibleSelection newSelection(VisibleSelection::selectionFromContentsOfNode(root));
+    VisibleSelection newSelection(VisibleSelection::selectionFromContentsOfNode(root.get()));
 
     if (shouldChangeSelection(newSelection))

trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp

@@ -140 +140 @@
         return;
     
-    Element* editableRoot = selection.rootEditableElement();
+    RefPtr<Element> editableRoot = selection.rootEditableElement();
     ASSERT(editableRoot);
     if (!editableRoot)
@@ -155 +155 @@
     }
 
-    Node* styleNode = selection.base().deprecatedNode();
-    RefPtr<StyledElement> holder = insertFragmentForTestRendering(styleNode);
+    RefPtr<Node> styleNode = selection.base().deprecatedNode();
+    RefPtr<StyledElement> holder = insertFragmentForTestRendering(styleNode.get());
     if (!holder) {
         removeInterchangeNodes(m_fragment.get());
@@ -176 +176 @@
         if (!m_fragment->firstChild())
             return;
-        holder = insertFragmentForTestRendering(styleNode);
+        holder = insertFragmentForTestRendering(styleNode.get());
     }