Changeset 63851 in webkit


Timestamp:
Jul 21, 2010 1:23:37 PM (14 years ago)
Author:
abarth@webkit.org
Message:

2010-07-21 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Fix the last tree HTML5 tree builder crashes
https://bugs.webkit.org/show_bug.cgi?id=42773

This patch changes the internal representation of a bookmark to handle
the case where one of the adjacent entries in the list of active
formatting elements is actually a marker.

After this patch, the bookmarking mechanism isn't as general, but it
works for the cases we need in the adoption agency.

Also, after this patch, there aren't any more known crashers in the
HTML5 tree builder. :)

  • html/HTMLFormattingElementList.cpp: (WebCore::HTMLFormattingElementList::bookmarkFor): (WebCore::HTMLFormattingElementList::swapTo):
  • html/HTMLFormattingElementList.h: (WebCore::HTMLFormattingElementList::Bookmark::Bookmark): (WebCore::HTMLFormattingElementList::Bookmark::moveToAfter): (WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved): (WebCore::HTMLFormattingElementList::Bookmark::mark): (WebCore::HTMLFormattingElementList::first):
  • html/HTMLTreeBuilder.cpp: (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
Location:
trunk/WebCore
Files:
4 edited

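--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,31 @@
+2010-07-21  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Fix the last tree HTML5 tree builder crashes
+        https://bugs.webkit.org/show_bug.cgi?id=42773
+
+        This patch changes the internal representation of a bookmark to handle
+        the case where one of the adjecent entries in the list of active
+        formatting elements is actually a marker.
+
+        After this patch, the bookmarking mechanism isn't as general, but it
+        works for the cases we need in the adoption agency.
+
+        Also, after this patch, there aren't any more known crashers in the
+        HTML5 tree builder.  :)
+
+        * html/HTMLFormattingElementList.cpp:
+        (WebCore::HTMLFormattingElementList::bookmarkFor):
+        (WebCore::HTMLFormattingElementList::swapTo):
+        * html/HTMLFormattingElementList.h:
+        (WebCore::HTMLFormattingElementList::Bookmark::Bookmark):
+        (WebCore::HTMLFormattingElementList::Bookmark::moveToAfter):
+        (WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved):
+        (WebCore::HTMLFormattingElementList::Bookmark::mark):
+        (WebCore::HTMLFormattingElementList::first):
+        * html/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
 2010-07-21  Tony Gentilcore  <tonyg@chromium.org>
 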
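--- a/trunk/WebCore/html/HTMLFormattingElementList.cpp
+++ b/trunk/WebCore/html/HTMLFormattingElementList.cpp
@@ -71,34 +71,20 @@
     size_t index = m_entries.reverseFind(element);
     ASSERT(index != notFound);
-    Element* elementBefore = (index > 1) ? m_entries[index - 1].element() : 0;
-    Element* elementAfter = (index < m_entries.size() - 1) ? m_entries[index + 1].element() : 0;
-    return Bookmark(elementBefore, elementAfter);
+    return Bookmark(&at(index));
 }
 
-void HTMLFormattingElementList::insertAt(Element* element, const Bookmark& bookmark)
+void HTMLFormattingElementList::swapTo(Element* oldElement, Element* newElement, const Bookmark& bookmark)
 {
-    size_t beforeIndex = notFound;
-    if (bookmark.elementBefore()) {
-        beforeIndex = m_entries.reverseFind(bookmark.elementBefore());
-        ASSERT(beforeIndex != notFound);
+    ASSERT(contains(oldElement));
+    ASSERT(!contains(newElement));
+    if (!bookmark.hasBeenMoved()) {
+        ASSERT(bookmark.mark()->element() == oldElement);
+        bookmark.mark()->replaceElement(newElement);
+        return;
     }
-    size_t afterIndex = notFound;
-    if (bookmark.elementAfter()) {
-        afterIndex = m_entries.reverseFind(bookmark.elementAfter());
-        ASSERT(afterIndex != notFound);
-    }
-
-    if (!bookmark.elementBefore()) {
-        if (bookmark.elementAfter())
-            ASSERT(!afterIndex);
-        m_entries.prepend(element);
-    } else {
-        if (bookmark.elementAfter()) {
-            // Bookmarks are not general purpose.  They're only for the Adoption
-            // Agency. Assume the bookmarked element was already removed.
-            ASSERT(beforeIndex + 1 == afterIndex);
-        }
-        m_entries.insert(beforeIndex + 1, element);
-    }
+    size_t index = bookmark.mark() - first();
+    ASSERT(index < size());
+    m_entries.insert(index + 1, newElement);
+    remove(oldElement);
 }
 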
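Review bot: In `swapTo`, the index computed by `bookmark.mark() - first()` is guarded only by `ASSERT(index < size())`, and in `bookmarkFor` the result of `reverseFind` is guarded only by `ASSERT(index != notFound)` before `at(index)`. If ASSERT is compiled out of release builds, as is usual for this macro, a stale mark or a missing element reaches `m_entries.insert(index + 1, newElement)` or `at(index)` with no bounds check at all. This list is driven by parsed markup, so the check should also hold in release builds, for example `if (index >= size()) CRASH();` ahead of the insert. The body of `bookmarkFor` starts above the hunk, so its signature and any earlier checks are not visible here.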
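--- a/trunk/WebCore/html/HTMLFormattingElementList.h
+++ b/trunk/WebCore/html/HTMLFormattingElementList.h
@@ -81,22 +81,22 @@
     class Bookmark {
     public:
-        Bookmark(Element* before, Element* after)
-            : m_before(before)
-            , m_after(after)
+        Bookmark(Entry* entry)
+            : m_hasBeenMoved(false)
+            , m_mark(entry)
         {
         }
 
-        void moveToAfter(Element* before)
+        void moveToAfter(Entry* before)
         {
-            m_before = before;
-            m_after = 0;
+            m_hasBeenMoved = true;
+            m_mark = before;
         }
 
-        Element* elementBefore() const { return m_before; }
-        Element* elementAfter() const { return m_after; }
+        bool hasBeenMoved() const { return m_hasBeenMoved; }
+        Entry* mark() const { return m_mark; }
 
     private:
-        Element* m_before;
-        Element* m_after;
+        bool m_hasBeenMoved;
+        Entry* m_mark;
     };
 
@@ -112,5 +112,5 @@
 
     Bookmark bookmarkFor(Element*);
-    void insertAt(Element*, const Bookmark&);
+    void swapTo(Element* oldElement, Element* newElement, const Bookmark&);
 
     void appendMarker();
@@ -126,4 +126,6 @@
 
 private:
+    Entry* first() { return &at(0); }
+
     Vector<Entry> m_entries;
 };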
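Review bot: `Bookmark` now stores a raw `Entry*` into the storage of `Vector<Entry> m_entries`, and nothing in the class states how long that pointer stays valid. Any call that adds or removes entries between `bookmarkFor()` and `swapTo()` could shift or reallocate the storage and leave `m_mark` dangling. The callers in HTMLTreeBuilder.cpp (`moveToAfter(nodeEntry)` and the step 11 `swapTo`) rely on that not happening, though the code between those two calls is outside the visible hunks. I would add a comment above the class such as `// A Bookmark points into m_entries and is only valid until the list is next resized; it exists for the adoption agency only.` and mark the one-argument constructor `explicit` so an `Entry*` cannot silently convert into a `Bookmark`.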
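--- a/trunk/WebCore/html/HTMLTreeBuilder.cpp
+++ b/trunk/WebCore/html/HTMLTreeBuilder.cpp
@@ -1689,5 +1689,5 @@
             // http://www.w3.org/Bugs/Public/show_bug.cgi?id=10096
             if (lastNode == furthestBlock)
-                bookmark.moveToAfter(node->element());
+                bookmark.moveToAfter(nodeEntry);
             // 6.6
             // Use appendChild instead of parserAddChild to handle possible reparenting.
@@ -1726,6 +1726,5 @@
         }
         // 11
-        m_tree.activeFormattingElements()->remove(formattingElement);
-        m_tree.activeFormattingElements()->insertAt(newElement.get(), bookmark);
+        m_tree.activeFormattingElements()->swapTo(formattingElement, newElement.get(), bookmark);
         // 12
         m_tree.openElements()->remove(formattingElement);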