Changeset 24792 in webkit


Timestamp:
Jul 30, 2007 8:54:56 PM (17 years ago)
Author:
justing
Message:

LayoutTests:

Reviewed by Darin.


<rdar://problem/5369009>
Crash due to infinite recursion in moveParagraphs deleting line from a Mail message

  • editing/deleting/5369009-expected.checksum: Added.
  • editing/deleting/5369009-expected.png: Added.
  • editing/deleting/5369009-expected.txt: Added.
  • editing/deleting/5369009.html: Added.

WebCore:

Reviewed by Darin.

<rdar://problem/5369009> Crash due to infinite recursion in moveParagraphs on delete


After the delete, we moved content into the previous block, and a style
rule turned a style span in the moved content into a block, throwing
moveParagraphs into infinite recursion, as it continually tried and failed
to get the style span into the same paragraph as the content just before it.


Added a method to ReplaceSelectionCommand to keep inserted style spans
from turning into blocks because of style rules. Will add code to prevent
other kinds of content from changing appearance because of style rules,
post-Leopard (5371536). Also added a bool to ReplaceSelectionCommand's
constructor to guard against infinite recursion.

  • editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::moveParagraphs):
  • editing/JSEditor.cpp:
  • editing/ReplaceSelectionCommand.cpp: (WebCore::ReplaceSelectionCommand::ReplaceSelectionCommand): (WebCore::ReplaceSelectionCommand::negateStyleRulesThatAffectAppearance): (WebCore::ReplaceSelectionCommand::doApply):
  • editing/ReplaceSelectionCommand.h:
Location:
trunk
Files:
4 added
6 edited

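--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,14 @@
+2007-07-30  Justin Garcia  <justin.garcia@apple.com>
+
+        Reviewed by Darin.
+       
+        <rdar://problem/5369009>
+        Crash due to infinite recursion in moveParagraphs deleting line from a Mail message
+
+        * editing/deleting/5369009-expected.checksum: Added.
+        * editing/deleting/5369009-expected.png: Added.
+        * editing/deleting/5369009-expected.txt: Added.
+        * editing/deleting/5369009.html: Added.
+
 2007-07-30  Sam Weinig  <sam@webkit.org>
 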
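--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,28 @@
+2007-07-30  Justin Garcia  <justin.garcia@apple.com>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5369009> Crash due to infinite recursion in moveParagraphs on delete
+       
+        After the delete, we moved content into the previous block, and a style
+        rule turned a style span in the moved content into a block, throwing
+        moveParagraphs into infinite recursion, as it continually tried and failed
+        to get the style span into the same paragraph as the content just before it.
+       
+        Added a method to ReplaceSelectionCommand to keep inserted style spans
+        from turning into blocks because of style rules.  Will add code to prevent
+        other kinds of content from changing appearance because of style rules,
+        post-Leopard (5371536). Also added a bool to ReplaceSelectionCommand's
+        constructor to guard against infinite recursion.
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::moveParagraphs):
+        * editing/JSEditor.cpp:
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::ReplaceSelectionCommand):
+        (WebCore::ReplaceSelectionCommand::negateStyleRulesThatEffectAppearance):
+        (WebCore::ReplaceSelectionCommand::doApply):
+        * editing/ReplaceSelectionCommand.h:
+
 2007-07-30  Anders Carlsson  <andersca@apple.com>
 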
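--- a/trunk/WebCore/editing/CompositeEditCommand.cpp
+++ b/trunk/WebCore/editing/CompositeEditCommand.cpp
@@ -784,5 +784,5 @@
    
     setEndingSelection(destination);
-    applyCommandToComposite(new ReplaceSelectionCommand(document(), fragment.get(), true, false, !preserveStyle, false));
+    applyCommandToComposite(new ReplaceSelectionCommand(document(), fragment.get(), true, false, !preserveStyle, false, true));
    
     if (preserveSelection && startIndex != -1) {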
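Review bot: The trailing `true` in the new `ReplaceSelectionCommand(...)` call is the argument that arms the recursion guard, but as the fifth positional boolean in a row it gives a reader no way to see that or to notice two flags being swapped. I would annotate it at the call site, `/* movingParagraph */ true`, and add a one-line comment above the call saying the nested command must not merge paragraphs because a merge is what re-enters moveParagraphs. moveParagraphs starts and ends outside this hunk.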
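--- a/trunk/WebCore/editing/JSEditor.cpp
+++ b/trunk/WebCore/editing/JSEditor.cpp
@@ -295,5 +295,5 @@
    
     applyCommand(new ReplaceSelectionCommand(frame->document(), fragment.release(),
-        false, false, false, true, EditActionUnspecified));
+        false, false, false, true, false, EditActionUnspecified));
     return true;
 }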
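--- a/trunk/WebCore/editing/ReplaceSelectionCommand.cpp
+++ b/trunk/WebCore/editing/ReplaceSelectionCommand.cpp
@@ -31,4 +31,5 @@
 #include "CSSComputedStyleDeclaration.h"
 #include "CSSPropertyNames.h"
+#include "CSSValueKeywords.h"
 #include "Document.h"
 #include "DocumentFragment.h"
@@ -275,5 +276,5 @@
 
 ReplaceSelectionCommand::ReplaceSelectionCommand(Document* document, PassRefPtr<DocumentFragment> fragment,
-        bool selectReplacement, bool smartReplace, bool matchStyle, bool preventNesting,
+        bool selectReplacement, bool smartReplace, bool matchStyle, bool preventNesting, bool movingParagraph,
         EditAction editAction)
     : CompositeEditCommand(document),
@@ -283,4 +284,5 @@
       m_documentFragment(fragment),
       m_preventNesting(preventNesting),
+      m_movingParagraph(movingParagraph),
       m_editAction(editAction)
 {
@@ -344,4 +346,25 @@
            // be a no-op and cause infinite recursion.
            !isBlock(fromNode) && !isBlock(toNode);
+}
+
+// Style rules that match just inserted elements could change their appearance, like
+// a div inserted into a document with div { display:inline; }.
+void ReplaceSelectionCommand::negateStyleRulesThatAffectAppearance()
+{
+    for (RefPtr<Node> node = m_firstNodeInserted.get(); node; node = node->traverseNextNode()) {
+        // FIXME: <rdar://problem/5371536> Style rules that match pasted content can change it's appearance
+        if (isStyleSpan(node.get())) {
+            HTMLElement* e = static_cast<HTMLElement*>(node.get());
+            // There are other styles that style rules can give to style spans,
+            // but these are the two important ones because they'll prevent
+            // inserted content from appearing in the right paragraph.
+            if (isBlock(e))
+                e->getInlineStyleDecl()->setProperty(CSS_PROP_DISPLAY, CSS_VAL_INLINE);
+            if (e->renderer() && e->renderer()->style()->floating() != FNONE)
+                e->getInlineStyleDecl()->setProperty(CSS_PROP_FLOAT, CSS_VAL_NONE);
+        }
+        if (node == m_lastLeafInserted)
+            break;
+    }
 }
 
@@ -585,4 +608,6 @@
     }
    
+    negateStyleRulesThatAffectAppearance();
+   
     removeRedundantStyles(mailBlockquoteEnclosingSelectionStart);
    
@@ -603,4 +628,9 @@
        
     if (shouldMergeStart(selectionStartWasStartOfParagraph, fragment.hasInterchangeNewlineAtStart())) {
+        // Bail to avoid infinite recursion.
+        if (m_movingParagraph) {
+            ASSERT_NOT_REACHED();
+            return;
+        }
         VisiblePosition destination = startOfInsertedContent.previous();
         VisiblePosition startOfParagraphToMove = startOfInsertedContent;
@@ -643,5 +673,9 @@
            
     } else if (shouldMergeEnd(selectionEndWasEndOfParagraph)) {
-   
+        // Bail to avoid infinite recursion.
+        if (m_movingParagraph) {
+            ASSERT_NOT_REACHED();
+            return;
+        }
         // Merging two paragraphs will destroy the moved one's block styles.  Always move forward to preserve
         // the block style of the paragraph already in the document, unless the paragraph to move would include the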
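Review bot: The two `m_movingParagraph` guards (new lines 631 and 676) are the only runtime stop on this recursion, and each one returns from the middle of doApply, so whatever doApply does after the merge step is skipped on that path. ASSERT_NOT_REACHED presumably compiles out of release builds, so the silent early return is what users get whenever page or mail style rules defeat negateStyleRulesThatAffectAppearance, which by its own FIXME only neutralises `display` and `float` on style spans. The guard comment should say what state that leaves, e.g. `// Release builds return here with the fragment inserted but the paragraphs unmerged.`, and the identical block in the shouldMergeEnd branch should carry the same wording. doApply starts and ends outside these hunks, so the skipped tail is not visible here and is worth checking for selection or layout updates that callers rely on.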
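--- a/trunk/WebCore/editing/ReplaceSelectionCommand.h
+++ b/trunk/WebCore/editing/ReplaceSelectionCommand.h
@@ -70,5 +70,5 @@
 public:
     ReplaceSelectionCommand(Document*, PassRefPtr<DocumentFragment>,
-        bool selectReplacement = true, bool smartReplace = false, bool matchStyle = false, bool preventNesting = true,
+        bool selectReplacement = true, bool smartReplace = false, bool matchStyle = false, bool preventNesting = true, bool movingParagraph = false,
         EditAction = EditActionPaste);
    
@@ -90,4 +90,5 @@
     bool shouldMerge(const VisiblePosition&, const VisiblePosition&);
    
+    void negateStyleRulesThatAffectAppearance();
     void removeRedundantStyles(Node*);
    
@@ -107,4 +108,5 @@
     RefPtr<DocumentFragment> m_documentFragment;
     bool m_preventNesting;
+    bool m_movingParagraph;
     EditAction m_editAction;
 };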
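Review bot: Inserting `bool movingParagraph = false` ahead of the `EditAction` parameter silently changes every existing call that passes an EditAction as its seventh argument. If EditAction is a plain enum, as it appears to be, it converts to bool without a diagnostic, so such a call still compiles, sets m_movingParagraph from the enum value and falls back to EditActionPaste. JSEditor.cpp was fixed up in this changeset; other callers are not visible here and should be checked. Declaring the flag last, `bool preventNesting = true, EditAction = EditActionPaste, bool movingParagraph = false);`, would leave call sites that were not updated with their old behaviour instead of a suppressed merge.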