Changeset 73279 in webkit

Timestamp:

Dec 3, 2010 11:26:22 AM (13 years ago)

Author:

rniwa@webkit.org

Message:

2010-12-03 Ryosuke Niwa <​rniwa@webkit.org>

Reviewed by Darin Adler.

REGRESSION: Crash when deleting text after textarea's value is modified on input event
​https://bugs.webkit.org/show_bug.cgi?id=49962

The crash was caused by TypingCommand::deleteKeyPressed's reusing a typing command for
textarea's shadow DOM after its input event handler rewrote the value set by the typing command.
Because the reused typing command's ending selection was pointing at a shadow node
that has been detached from the document when the event handler set the new value,
rootEditableElement of the ending selection was null and caused the crash.

Fixed the bug by updating the ending selection of the last typing command when it differsfrom
that of the current selection held by the SelectionController in TypingCommand::deleteKeyPressed.
Also fixed similar bugs in forwardDeleteKeyPressed and insertText, and insertTextRunWithoutNewlines.

Tests: editing/input/set-value-on-input-and-delete.html

editing/input/set-value-on-input-and-forward-delete.html
editing/input/set-value-on-input-and-type-input.html
editing/input/set-value-on-input-and-type-textarea.html

• editing/InsertTextCommand.h: Added TypingCommand as a friend because it needs to update selection.
• editing/TypingCommand.cpp: (WebCore::TypingCommand::deleteKeyPressed): Updates the last typing command's selection as needed. (WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto. (WebCore::TypingCommand::insertText): Ditto. (WebCore::TypingCommand::updateSelectionIfDifferentFromCurrentSelection): Added. (WebCore::TypingCommand::insertTextRunWithoutNewlines): Updates InsertTextCommand's selection as needed.
• editing/TypingCommand.h:

2010-12-03 Ryosuke Niwa <​rniwa@webkit.org>

Reviewed by Darin Adler.

REGRESSION: Crash when deleting text after textarea's value is modified on input event
​https://bugs.webkit.org/show_bug.cgi?id=49962

Added tests to ensure inserting and deleting a character inside input or textarea
succeeds even if the value of those elements have been rewritten by its input event handler.

• editing/input/set-value-on-input-and-delete-expected.txt: Added.
• editing/input/set-value-on-input-and-delete.html: Added.
• editing/input/set-value-on-input-and-forward-delete-expected.txt: Added.
• editing/input/set-value-on-input-and-forward-delete.html: Added.
• editing/input/set-value-on-input-and-type-input-expected.txt: Added.
• editing/input/set-value-on-input-and-type-input.html: Added.
• editing/input/set-value-on-input-and-type-textarea-expected.txt: Added.
• editing/input/set-value-on-input-and-type-textarea.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/input/set-value-on-input-and-delete-expected.txt (added)
• LayoutTests/editing/input/set-value-on-input-and-delete.html (added)
• LayoutTests/editing/input/set-value-on-input-and-forward-delete-expected.txt (added)
• LayoutTests/editing/input/set-value-on-input-and-forward-delete.html (added)
• LayoutTests/editing/input/set-value-on-input-and-type-input-expected.txt (added)
• LayoutTests/editing/input/set-value-on-input-and-type-input.html (added)
• LayoutTests/editing/input/set-value-on-input-and-type-textarea-expected.txt (added)
• LayoutTests/editing/input/set-value-on-input-and-type-textarea.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/editing/InsertTextCommand.h (modified) (1 diff)
• WebCore/editing/TypingCommand.cpp (modified) (6 diffs)
• WebCore/editing/TypingCommand.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-12-03  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        REGRESSION: Crash when deleting text after textarea's value is modified on input event
+        https://bugs.webkit.org/show_bug.cgi?id=49962
+
+        Added tests to ensure inserting and deleting a character inside input or textarea
+        succeeds even if the value of those elements have been rewritten by its input event handler.
+
+        * editing/input/set-value-on-input-and-delete-expected.txt: Added.
+        * editing/input/set-value-on-input-and-delete.html: Added.
+        * editing/input/set-value-on-input-and-forward-delete-expected.txt: Added.
+        * editing/input/set-value-on-input-and-forward-delete.html: Added.
+        * editing/input/set-value-on-input-and-type-input-expected.txt: Added.
+        * editing/input/set-value-on-input-and-type-input.html: Added.
+        * editing/input/set-value-on-input-and-type-textarea-expected.txt: Added.
+        * editing/input/set-value-on-input-and-type-textarea.html: Added.
+
 2010-12-03  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-12-03  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        REGRESSION: Crash when deleting text after textarea's value is modified on input event
+        https://bugs.webkit.org/show_bug.cgi?id=49962
+
+        The crash was caused by TypingCommand::deleteKeyPressed's reusing a typing command for
+        textarea's shadow DOM after its input event handler rewrote the value set by the typing command.
+        Because the reused typing command's ending selection was pointing at a shadow node
+        that has been detached from the document when the event handler set the new value,
+        rootEditableElement of the ending selection was null and caused the crash.
+
+        Fixed the bug by updating the ending selection of the last typing command when it differsfrom
+        that of the current selection held by the SelectionController in TypingCommand::deleteKeyPressed.
+        Also fixed similar bugs in forwardDeleteKeyPressed and insertText, and insertTextRunWithoutNewlines.
+
+        Tests: editing/input/set-value-on-input-and-delete.html
+               editing/input/set-value-on-input-and-forward-delete.html
+               editing/input/set-value-on-input-and-type-input.html
+               editing/input/set-value-on-input-and-type-textarea.html
+
+        * editing/InsertTextCommand.h: Added TypingCommand as a friend because it needs to update selection.
+        * editing/TypingCommand.cpp:
+        (WebCore::TypingCommand::deleteKeyPressed): Updates the last typing command's selection as needed.
+        (WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto.
+        (WebCore::TypingCommand::insertText): Ditto.
+        (WebCore::TypingCommand::updateSelectionIfDifferentFromCurrentSelection): Added.
+        (WebCore::TypingCommand::insertTextRunWithoutNewlines): Updates InsertTextCommand's selection as needed.
+        * editing/TypingCommand.h:
+
 2010-12-03  Daniel Cheng  <dcheng@chromium.org>
 

trunk/WebCore/editing/InsertTextCommand.h

@@ -55 +55 @@
 
     unsigned m_charactersAdded;
+
+    friend class TypingCommand;
 };
 

trunk/WebCore/editing/TypingCommand.cpp

@@ -92 +92 @@
     EditCommand* lastEditCommand = frame->editor()->lastEditCommand();
     if (granularity == CharacterGranularity && isOpenForMoreTypingCommand(lastEditCommand)) {
+        updateSelectionIfDifferentFromCurrentSelection(static_cast<TypingCommand*>(lastEditCommand), frame);
         static_cast<TypingCommand*>(lastEditCommand)->deleteKeyPressed(granularity, killRing);
         return;
@@ -111 +112 @@
     EditCommand* lastEditCommand = frame->editor()->lastEditCommand();
     if (granularity == CharacterGranularity && isOpenForMoreTypingCommand(lastEditCommand)) {
+        updateSelectionIfDifferentFromCurrentSelection(static_cast<TypingCommand*>(lastEditCommand), frame);
         static_cast<TypingCommand*>(lastEditCommand)->forwardDeleteKeyPressed(granularity, killRing);
         return;
@@ -120 +122 @@
 }
 
+void TypingCommand::updateSelectionIfDifferentFromCurrentSelection(TypingCommand* typingCommand, Frame* frame)
+{
+    ASSERT(frame);
+    VisibleSelection currentSelection = frame->selection()->selection();
+    if (currentSelection == typingCommand->endingSelection())
+        return;
+    
+    typingCommand->setStartingSelection(currentSelection);
+    typingCommand->setEndingSelection(currentSelection);
+}
+    
+
 void TypingCommand::insertText(Document* document, const String& text, bool selectInsertedText, bool insertedTextIsComposition)
 {
@@ -130 +144 @@
 }
 
+// FIXME: We shouldn't need to take selectionForInsertion. It should be identical to SelectionController's current selection.
 void TypingCommand::insertText(Document* document, const String& text, const VisibleSelection& selectionForInsertion, bool selectInsertedText, bool insertedTextIsComposition)
 {
@@ -164 +179 @@
     if (isOpenForMoreTypingCommand(lastEditCommand.get())) {
         TypingCommand* lastTypingCommand = static_cast<TypingCommand*>(lastEditCommand.get());
-        if (changeSelection) {
+        if (lastTypingCommand->endingSelection() != selectionForInsertion) {
             lastTypingCommand->setStartingSelection(selectionForInsertion);
             lastTypingCommand->setEndingSelection(selectionForInsertion);
         }
         lastTypingCommand->insertText(newText, selectInsertedText);
-        if (changeSelection) {
-            lastTypingCommand->setEndingSelection(currentSelection);
-            frame->selection()->setSelection(currentSelection);
-        }
         return;
     }
@@ -371 +382 @@
         command = InsertTextCommand::create(document());
         applyCommandToComposite(command);
+    }
+    if (endingSelection() != command->endingSelection()) {
+        command->setStartingSelection(endingSelection());
+        command->setEndingSelection(endingSelection());
     }
     command->input(text, selectInsertedText);

trunk/WebCore/editing/TypingCommand.h

@@ -82 +82 @@
     virtual bool preservesTypingStyle() const { return m_preservesTypingStyle; }
 
+    static void updateSelectionIfDifferentFromCurrentSelection(TypingCommand*, Frame*);
+
     void updatePreservesTypingStyle(ETypingCommand);
     void markMisspellingsAfterTyping(ETypingCommand);