Changeset 66032 in webkit

Timestamp:

Aug 25, 2010 12:19:26 PM (14 years ago)

Author:

rniwa@webkit.org

Message:

2010-08-25 Ryosuke Niwa <​rniwa@webkit.org>

Reviewed by Darin Adler.

Various designmode=&quot;on&quot;/&quot;off&quot; &amp; execCommand(&quot;Undo&quot;) NULL pointer crashes
​https://bugs.webkit.org/show_bug.cgi?id=32823

The bug was caused by changeSelectionAfterCommand which updates the selection
without checking the whether new selection is valid or not.

Fixed changeSelectionAfterCommand so that it won't update the selection
when either end of the new selection is orphaned. Also fixed various editing commands
to exit early if either end of the selection is orphaned.

Tests: editing/undo/orphaned-selection-crash-bug32823-1.html

editing/undo/orphaned-selection-crash-bug32823-2.html
editing/undo/orphaned-selection-crash-bug32823-3.html
editing/undo/orphaned-selection-crash-bug32823-4.html

• editing/Editor.cpp: (WebCore::Editor::changeSelectionAfterCommand): No longer sets orphaned selection.
• editing/VisibleSelection.h: (WebCore::VisibleSelection::isNonOrphanedRange): Added. (WebCore::VisibleSelection::isNonOrphanedCaretOrRange): Added.
• editing/DeleteSelectionCommand.cpp: (WebCore::DeleteSelectionCommand::doApply): Added an early exist. See above.
• editing/FormatBlockCommand.cpp: (WebCore::FormatBlockCommand::doApply): Ditto.
• editing/IndentOutdentCommand.cpp: (WebCore::IndentOutdentCommand::doApply): Ditto.
• editing/InsertLineBreakCommand.cpp: (WebCore::InsertLineBreakCommand::doApply): Ditto.
• editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApply): Ditto.
• editing/InsertParagraphSeparatorCommand.cpp: (WebCore::InsertParagraphSeparatorCommand::doApply): Ditto.
• editing/InsertTextCommand.cpp: (WebCore::InsertTextCommand::input): Ditto.
• editing/MoveSelectionCommand.cpp: (WebCore::MoveSelectionCommand::doApply): Ditto.
• editing/RemoveFormatCommand.cpp: (WebCore::RemoveFormatCommand::doApply): Ditto.
• editing/ReplaceSelectionCommand.cpp: (WebCore::ReplaceSelectionCommand::doApply): Ditto.
• editing/TypingCommand.cpp: (WebCore::TypingCommand::doApply): Ditto.
• editing/UnlinkCommand.cpp: (WebCore::UnlinkCommand::doApply): Ditto.

2010-08-25 Ryosuke Niwa <​rniwa@webkit.org>

Reviewed by Darin Adler.

Various designmode="on"/"off" & execCommand("Undo") NULL pointer crashes
​https://bugs.webkit.org/show_bug.cgi?id=32823

These tests ensure WebKit doesn't crash when undoing some editing commands failed
and either end of endingSelection() became orphaned.
All tests are copied from the bug to prevent regression.

• editing/undo/orphaned-selection-crash-bug32823-1-expected.txt: Added.
• editing/undo/orphaned-selection-crash-bug32823-1.html: Added.
• editing/undo/orphaned-selection-crash-bug32823-2-expected.txt: Added.
• editing/undo/orphaned-selection-crash-bug32823-2.html: Added.
• editing/undo/orphaned-selection-crash-bug32823-3-expected.txt: Added.
• editing/undo/orphaned-selection-crash-bug32823-3.html: Added.
• editing/undo/orphaned-selection-crash-bug32823-4-expected.txt: Added.
• editing/undo/orphaned-selection-crash-bug32823-4.html: Added.
• editing/undo/redo-split-text-with-removal-expected.txt: Caret is restored.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-1-expected.txt (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-1.html (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-2-expected.txt (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-2.html (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-3-expected.txt (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-3.html (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-4-expected.txt (added)
• LayoutTests/editing/undo/orphaned-selection-crash-bug32823-4.html (added)
• LayoutTests/editing/undo/redo-split-text-with-removal-expected.txt (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/editing/DeleteSelectionCommand.cpp (modified) (1 diff)
• WebCore/editing/Editor.cpp (modified) (1 diff)
• WebCore/editing/FormatBlockCommand.cpp (modified) (1 diff)
• WebCore/editing/IndentOutdentCommand.cpp (modified) (1 diff)
• WebCore/editing/InsertLineBreakCommand.cpp (modified) (1 diff)
• WebCore/editing/InsertListCommand.cpp (modified) (1 diff)
• WebCore/editing/InsertParagraphSeparatorCommand.cpp (modified) (1 diff)
• WebCore/editing/InsertTextCommand.cpp (modified) (1 diff)
• WebCore/editing/MoveSelectionCommand.cpp (modified) (1 diff)
• WebCore/editing/RemoveFormatCommand.cpp (modified) (1 diff)
• WebCore/editing/ReplaceSelectionCommand.cpp (modified) (1 diff)
• WebCore/editing/TypingCommand.cpp (modified) (1 diff)
• WebCore/editing/UnlinkCommand.cpp (modified) (1 diff)
• WebCore/editing/VisibleSelection.h (modified) (1 diff)
• WebCore/editing/htmlediting.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-08-25  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Various designmode="on"/"off" & execCommand("Undo") NULL pointer crashes
+        https://bugs.webkit.org/show_bug.cgi?id=32823
+
+        These tests ensure WebKit doesn't crash when undoing some editing commands failed
+        and either end of endingSelection() became orphaned.
+        All tests are copied from the bug to prevent regression.
+
+        * editing/undo/orphaned-selection-crash-bug32823-1-expected.txt: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-1.html: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-2-expected.txt: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-2.html: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-3-expected.txt: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-3.html: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-4-expected.txt: Added.
+        * editing/undo/orphaned-selection-crash-bug32823-4.html: Added.
+        * editing/undo/redo-split-text-with-removal-expected.txt: Caret is restored.
+
 2010-08-25  Ojan Vafai  <ojan@chromium.org>
 

trunk/LayoutTests/editing/undo/redo-split-text-with-removal-expected.txt

@@ -16 +16 @@
 after redo:
 | <div>
-|   "hello"
+|   "<#selection-caret>hello"

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-08-25  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Various designmode=&quot;on&quot;/&quot;off&quot; &amp; execCommand(&quot;Undo&quot;) NULL pointer crashes
+        https://bugs.webkit.org/show_bug.cgi?id=32823
+
+        The bug was caused by changeSelectionAfterCommand which updates the selection
+        without checking the whether new selection is valid or not.
+
+        Fixed changeSelectionAfterCommand so that it won't update the selection
+        when either end of the new selection is orphaned. Also fixed various editing commands
+        to exit early if either end of the selection is orphaned.
+
+        Tests: editing/undo/orphaned-selection-crash-bug32823-1.html
+               editing/undo/orphaned-selection-crash-bug32823-2.html
+               editing/undo/orphaned-selection-crash-bug32823-3.html
+               editing/undo/orphaned-selection-crash-bug32823-4.html
+
+        * editing/Editor.cpp:
+        (WebCore::Editor::changeSelectionAfterCommand): No longer sets orphaned selection.
+        * editing/VisibleSelection.h:
+        (WebCore::VisibleSelection::isNonOrphanedRange): Added.
+        (WebCore::VisibleSelection::isNonOrphanedCaretOrRange): Added.
+        * editing/DeleteSelectionCommand.cpp:
+        (WebCore::DeleteSelectionCommand::doApply): Added an early exist. See above.
+        * editing/FormatBlockCommand.cpp:
+        (WebCore::FormatBlockCommand::doApply): Ditto.
+        * editing/IndentOutdentCommand.cpp:
+        (WebCore::IndentOutdentCommand::doApply): Ditto.
+        * editing/InsertLineBreakCommand.cpp:
+        (WebCore::InsertLineBreakCommand::doApply): Ditto.
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply): Ditto.
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::doApply): Ditto.
+        * editing/InsertTextCommand.cpp:
+        (WebCore::InsertTextCommand::input): Ditto.
+        * editing/MoveSelectionCommand.cpp:
+        (WebCore::MoveSelectionCommand::doApply): Ditto.
+        * editing/RemoveFormatCommand.cpp:
+        (WebCore::RemoveFormatCommand::doApply): Ditto.
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply): Ditto.
+        * editing/TypingCommand.cpp:
+        (WebCore::TypingCommand::doApply): Ditto.
+        * editing/UnlinkCommand.cpp:
+        (WebCore::UnlinkCommand::doApply): Ditto.
+
 2010-08-25  Simon Fraser  <simon.fraser@apple.com>
 

trunk/WebCore/editing/DeleteSelectionCommand.cpp

@@ -736 +736 @@
     if (!m_hasSelectionToDelete)
         m_selectionToDelete = endingSelection();
-    
-    if (!m_selectionToDelete.isRange())
+
+    if (!m_selectionToDelete.isNonOrphanedRange())
         return;
 

trunk/WebCore/editing/Editor.cpp

@@ -2943 +2943 @@
 void Editor::changeSelectionAfterCommand(const VisibleSelection& newSelection, bool closeTyping, bool clearTypingStyle)
 {
+    // If the new selection is orphaned, then don't update the selection.
+    if (newSelection.start().isOrphan() || newSelection.end().isOrphan())
+        return;
+
     // If there is no selection change, don't bother sending shouldChangeSelection, but still call setSelection,
     // because there is work that it must do in this situation.

trunk/WebCore/editing/FormatBlockCommand.cpp

@@ -71 +71 @@
 void FormatBlockCommand::doApply()
 {
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
     

trunk/WebCore/editing/IndentOutdentCommand.cpp

@@ -330 +330 @@
 void IndentOutdentCommand::doApply()
 {
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
 

trunk/WebCore/editing/InsertLineBreakCommand.cpp

@@ -91 +91 @@
     deleteSelection();
     VisibleSelection selection = endingSelection();
-    if (selection.isNone())
+    if (!selection.isNonOrphanedCaretOrRange())
         return;
     

trunk/WebCore/editing/InsertListCommand.cpp

@@ -98 +98 @@
 void InsertListCommand::doApply()
 {
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
-    
+
     if (!endingSelection().rootEditableElement())
         return;

trunk/WebCore/editing/InsertParagraphSeparatorCommand.cpp

@@ -149 +149 @@
 {
     bool splitText = false;
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
     

trunk/WebCore/editing/InsertTextCommand.cpp

@@ -112 +112 @@
     ASSERT(text.find('\n') == notFound);
 
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
 

trunk/WebCore/editing/MoveSelectionCommand.cpp

@@ -41 +41 @@
 {
     VisibleSelection selection = endingSelection();
-    ASSERT(selection.isRange());
+    ASSERT(selection.isNonOrphanedRange());
 
     Position pos = m_position;

trunk/WebCore/editing/RemoveFormatCommand.cpp

@@ -50 +50 @@
 {
     Frame* frame = document()->frame();
-    
+
+    if (!frame->selection()->selection().isNonOrphanedCaretOrRange())
+        return;
+
     // Make a plain text string from the selection to remove formatting like tables and lists.
     String string = plainText(frame->selection()->selection().toNormalizedRange().get());

trunk/WebCore/editing/ReplaceSelectionCommand.cpp

@@ -783 +783 @@
     ASSERT(selection.isCaretOrRange());
     ASSERT(selection.start().node());
-    if (selection.isNone() || !selection.start().node())
+    if (!selection.isNonOrphanedCaretOrRange() || !selection.start().node())
         return;
     

trunk/WebCore/editing/TypingCommand.cpp

@@ -245 +245 @@
 void TypingCommand::doApply()
 {
-    if (endingSelection().isNone())
+    if (!endingSelection().isNonOrphanedCaretOrRange())
         return;
         

trunk/WebCore/editing/UnlinkCommand.cpp

@@ -39 +39 @@
 {
     // FIXME: If a caret is inside a link, we should remove it, but currently we don't.
-    if (!endingSelection().isRange())
+    if (!endingSelection().isNonOrphanedRange())
         return;
-        
+
     pushPartiallySelectedAnchorElementsDown();
 

trunk/WebCore/editing/VisibleSelection.h

@@ -74 +74 @@
     bool isRange() const { return selectionType() == RangeSelection; }
     bool isCaretOrRange() const { return selectionType() != NoSelection; }
+    bool isNonOrphanedRange() const { return isRange() && !start().isOrphan() && !end().isOrphan(); }
+    bool isNonOrphanedCaretOrRange() const { return isCaretOrRange() && !start().isOrphan() && !end().isOrphan(); }
 
     bool isBaseFirst() const { return m_baseIsFirst; }

trunk/WebCore/editing/htmlediting.h

@@ -219 +219 @@
 // VisibleSelection
 // -------------------------------------------------------------------------
-    
+
 // Functions returning VisibleSelection
-
 VisibleSelection avoidIntersectionWithNode(const VisibleSelection&, Node*);
 VisibleSelection selectionForParagraphIteration(const VisibleSelection&);