Changeset 201667 in webkit
- Timestamp:
- Jun 3, 2016 4:01:49 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 7 edited
trunk/LayoutTests/ChangeLog
r201666 r201667 1 2016-06-03 Ryosuke Niwa <rniwa@webkit.org> 2 3 Crash under VisibleSelection::firstRange() 4 https://bugs.webkit.org/show_bug.cgi?id=158241 5 6 Reviewed by Enrica Casucci. 7 8 Added a regression test. 9 10 * fast/shadow-dom/selection-at-shadow-root-crash-expected.txt: Added. 11 * fast/shadow-dom/selection-at-shadow-root-crash.html: Added. 12 1 13 2016-06-03 Zalan Bujtas <zalan@apple.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r201666 r201667 1 2016-06-03 Ryosuke Niwa <rniwa@webkit.org> 2 3 Crash under VisibleSelection::firstRange() 4 https://bugs.webkit.org/show_bug.cgi?id=158241 5 6 Reviewed by Enrica Casucci. 7 8 The crash was commonly caused by parentAnchoredEquivalent returning null when the anchored node was a shadow root. 9 Fixed it by returning a shadow root in parentAnchoredEquivalent. 10 11 Also guard against other kinds of crashes by adding a null check in VisibleSelection::firstRange() since we've seen 12 a crash in the same code path outside of a shadow tree. 13 14 This patch also fixes other Position methods to stop using nonShadowBoundaryParentNode in place of parentNode as 15 that would cause a similar crash and/or a bug elsewhere. 16 17 Test: fast/shadow-dom/selection-at-shadow-root-crash.html 18 19 * accessibility/AXObjectCache.cpp: 20 (AXObjectCache::startCharacterOffsetOfParagraph): Fixed a bug uncovered by the assertion fix in Position::Position. 21 This code was sometimes creating a position inside a BR, which is wrong. 22 (AXObjectCache::endCharacterOffsetOfParagraph): Ditto. 23 * dom/Position.cpp: 24 (WebCore::Position::Position): Fixed an assertion which was checking that this constructor wasn't being called 25 with m_anchorNode set to an element editing ignores content of. ||ing it with isShadowRoot() made this assertion 26 useless because it's true whenever m_anchorNode is not a shadow root. 27 (WebCore::Position::containerNode): Use parentNode() instead of findParent() which calls nonShadowBoundaryParentNode 28 since Position should 29 (WebCore::Position::parentAnchoredEquivalent): Fixed the bug by letting this function return a shadow root. 30 (WebCore::Position::previous): Use parentNode() instead of findParent(). 31 (WebCore::Position::next): Ditto. 32 (WebCore::Position::atStartOfTree): Ditto. 33 (WebCore::Position::atEndOfTree): Ditto. 34 (WebCore::Position::findParent): Deleted. 
35 * dom/Position.h: 36 * editing/VisibleSelection.cpp: 37 (VisibleSelection::firstRange): Added a null check. 38 1 39 2016-06-03 Zalan Bujtas <zalan@apple.com> 2 40 -
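--- a/trunk/Source/WebCore/accessibility/AXObjectCache.cpp
+++ b/trunk/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -2330,6 +2330,5 @@
 auto* startBlock = enclosingBlock(startNode);
 int offset = characterOffset.startIndex + characterOffset.offset;
-Position p(startNode, offset, Position::PositionIsOffsetInAnchor);
-auto* highestRoot = highestEditableRoot(p);
+auto* highestRoot = highestEditableRoot(firstPositionInOrBeforeNode(startNode));
 Position::AnchorType type = Position::PositionIsOffsetInAnchor;
 
@@ -2353,6 +2352,5 @@
 Node* stayInsideBlock = enclosingBlock(startNode);
 int offset = characterOffset.startIndex + characterOffset.offset;
-Position p(startNode, offset, Position::PositionIsOffsetInAnchor);
-Node* highestRoot = highestEditableRoot(p);
+Node* highestRoot = highestEditableRoot(firstPositionInOrBeforeNode(startNode));
 Position::AnchorType type = Position::PositionIsOffsetInAnchor;
 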
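Review bot: Neither hunk carries a comment saying why `highestEditableRoot()` is now fed `firstPositionInOrBeforeNode(startNode)` instead of an offset-in-anchor Position; the only explanation is in the ChangeLog, which says the old code sometimes created a position inside a BR and that the corrected assertion in Position::Position exposed it. A one-line comment above each call would keep a later cleanup from reintroducing the direct constructor, for example `// startNode may be a BR; editing ignores its content, so never build an offset-in-anchor Position in it.` Both enclosing functions start and end outside the hunks, so whether `startNode` is null-checked before these calls cannot be confirmed from here.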
trunk/Source/WebCore/dom/Position.cpp
r201205 r201667 128 128 , m_isLegacyEditingPosition(false) 129 129 { 130 ASSERT(!m_anchorNode || !editingIgnoresContent(*m_anchorNode) || !m_anchorNode->isShadowRoot());130 ASSERT(!m_anchorNode || !editingIgnoresContent(*m_anchorNode)); 131 131 ASSERT(!m_anchorNode || !m_anchorNode->isPseudoElement()); 132 132 ASSERT(anchorType == PositionIsOffsetInAnchor); … … 171 171 case PositionIsBeforeAnchor: 172 172 case PositionIsAfterAnchor: 173 return findParent(*m_anchorNode);173 return m_anchorNode->parentNode(); 174 174 } 175 175 ASSERT_NOT_REACHED(); … … 232 232 // FIXME: This should only be necessary for legacy positions, but is also needed for positions before and after Tables 233 233 if (m_offset <= 0 && (m_anchorType != PositionIsAfterAnchor && m_anchorType != PositionIsAfterChildren)) { 234 if ( findParent(*m_anchorNode) && (editingIgnoresContent(*m_anchorNode) || isRenderedTable(m_anchorNode.get())))234 if (m_anchorNode->parentNode() && (editingIgnoresContent(*m_anchorNode) || isRenderedTable(m_anchorNode.get()))) 235 235 return positionInParentBeforeNode(m_anchorNode.get()); 236 236 return Position(m_anchorNode.get(), 0, PositionIsOffsetInAnchor); … … 345 345 } 346 346 347 ContainerNode* parent = findParent(*node);347 ContainerNode* parent = node->parentNode(); 348 348 if (!parent) 349 349 return *this; … … 392 392 } 393 393 394 ContainerNode* parent = findParent(*node);394 ContainerNode* parent = node->parentNode(); 395 395 if (!parent) 396 396 return *this; … … 494 494 495 495 Node* container = containerNode(); 496 if (container && findParent(*container))496 if (container && container->parentNode()) 497 497 return false; 498 498 … … 519 519 520 520 Node* container = containerNode(); 521 if (container && findParent(*container))521 if (container && container->parentNode()) 522 522 return false; 523 523 … … 954 954 } 955 955 956 ContainerNode* Position::findParent(const Node& node)957 {958 return node.nonShadowBoundaryParentNode();959 }960 961 956 #if 
ENABLE(USERSELECT_ALL) 962 957 bool Position::nodeIsUserSelectAll(const Node* node) -
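Review bot: The before/after-anchor case in `containerNode()` now returns `m_anchorNode->parentNode()`, which, going by the ChangeLog, can be a shadow root where the deleted `findParent()` stopped at the shadow boundary, and that contract change is not documented at the call. A comment on the case would help, for example `// May return a ShadowRoot; callers must not assume the container is an Element.` The same substitution is made in parentAnchoredEquivalent(), previous(), next(), atStartOfTree() and atEndOfTree(), all of which extend outside their hunks, so callers that relied on a null result at the boundary are worth auditing. Separately, the tightened `ASSERT(!m_anchorNode || !editingIgnoresContent(*m_anchorNode))` presumably compiles out of release builds, so it documents the invariant rather than enforcing it there.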
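--- a/trunk/Source/WebCore/dom/Position.h
+++ b/trunk/Source/WebCore/dom/Position.h
@@ -200,6 +200,5 @@
 static Node* rootUserSelectAllForNode(Node*) { return 0; }
 #endif
-static ContainerNode* findParent(const Node&);
 
 void debugPosition(const char* msg = "") const;
 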
trunk/Source/WebCore/editing/VisiblePosition.cpp
r201205 r201667 588 588 // If the html element is editable, descending into its body will look like a descent 589 589 // from non-editable to editable content since rootEditableElement() always stops at the body. 590 if ((editingRoot && editingRoot->hasTagName(htmlTag)) || position.deprecatedNode()->isDocumentNode())590 if ((editingRoot && editingRoot->hasTagName(htmlTag)) || (node && (node->isDocumentNode() || node->isShadowRoot()))) 591 591 return next.isNotNull() ? next : prev; 592 592 -
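Review bot: The new condition `(node && (node->isDocumentNode() || node->isShadowRoot()))` depends on `node`, which is declared outside this hunk, and the WebCore ChangeLog entry does not list VisiblePosition.cpp at all. The file should be added to the ChangeLog, and the comment above the `if` should say why a shadow root is handled like the document node; if that is the intent, something like `// A shadow root is also a tree root, so treat it like the document node.` would do. The added null check also means a null `node` now falls through to the code after the `if`, which is not visible here, so confirm nothing there dereferences it.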
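--- a/trunk/Source/WebCore/editing/VisibleSelection.cpp
+++ b/trunk/Source/WebCore/editing/VisibleSelection.cpp
@@ -130,4 +130,6 @@
 Position start = m_start.parentAnchoredEquivalent();
 Position end = m_end.parentAnchoredEquivalent();
+if (start.isNull() || end.isNull())
+return nullptr;
 return Range::create(start.anchorNode()->document(), start, end);
 }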
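Review bot: `firstRange()` can now return `nullptr`, and nothing in the hunk documents that for callers; a call site that dereferences the result unconditionally would only move the null dereference one frame up. A comment above the check would make the contract visible, for example `// parentAnchoredEquivalent() may yield a null Position; report that as "no range".`, and the call sites of firstRange(), which are not visible here, should be checked for null handling. The ChangeLog notes the same crash was seen outside a shadow tree, but the added regression test covers only the shadow-root case, so the remaining cause of a null position is still untested. The function's signature and opening lines are outside the hunk.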