Changeset 92139 in webkit


Ignore:
Timestamp:
Aug 1, 2011 2:08:17 PM (13 years ago)
Author:
rniwa@webkit.org
Message:

Search field in designMode causes a crash
https://bugs.webkit.org/show_bug.cgi?id=65362

Reviewed by Dimitri Glazkov.

Source/WebCore:

The crashed was caused by editing code inadvertently deleting search and cancel buttons in the design mode.
Fixed the bug by avoid inheriting user-modify property from the shadow host.

Test: editing/input/search-field-crash-in-designmode.html

  • css/CSSStyleSelector.cpp:

(WebCore::isAtShadowBoundary): Moved.
(WebCore::CSSStyleSelector::styleForElement): Overrides -webkit-user-modify by the initial value after m_style
inherited the values from m_parentStyle but before applying matched rules.

  • dom/Node.cpp:

(WebCore::Node::rendererIsEditable): Ignore page's editability inside a shadow DOM.

LayoutTests:

Add a test to ensure WebKit doesn't crash when a user tries to delete inside
an empty search field in the design mode.

  • editing/input/search-field-crash-in-designmode-expected.txt: Added.
  • editing/input/search-field-crash-in-designmode.html: Added.
Location:
trunk
Files:
2 added
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r92132 r92139  
     12011-08-01  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Search field in designMode causes a crash
     4        https://bugs.webkit.org/show_bug.cgi?id=65362
     5
     6        Reviewed by Dimitri Glazkov.
     7
     8        Add a test to ensure WebKit doesn't crash when a user tries to delete inside
     9        an empty search field in the design mode.
     10
     11        * editing/input/search-field-crash-in-designmode-expected.txt: Added.
     12        * editing/input/search-field-crash-in-designmode.html: Added.
     13
    1142011-07-28  Abhishek Arya  <inferno@chromium.org>
    215
  • trunk/Source/WebCore/ChangeLog

    r92138 r92139  
     12011-08-01  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Search field in designMode causes a crash
     4        https://bugs.webkit.org/show_bug.cgi?id=65362
     5
     6        Reviewed by Dimitri Glazkov.
     7
     8        The crashed was caused by editing code inadvertently deleting search and cancel buttons in the design mode.
     9        Fixed the bug by avoid inheriting user-modify property from the shadow host.
     10
     11        Test: editing/input/search-field-crash-in-designmode.html
     12
     13        * css/CSSStyleSelector.cpp:
     14        (WebCore::isAtShadowBoundary): Moved.
     15        (WebCore::CSSStyleSelector::styleForElement): Overrides -webkit-user-modify by the initial value after m_style
     16        inherited the values from m_parentStyle but before applying matched rules.
     17        * dom/Node.cpp:
     18        (WebCore::Node::rendererIsEditable): Ignore page's editability inside a shadow DOM.
     19
    1202011-08-01  Marco Peereboom  <marco@peereboom.us>
    221
  • trunk/Source/WebCore/css/CSSStyleSelector.cpp

    r92106 r92139  
    13001300}
    13011301
     1302static inline bool isAtShadowBoundary(Element* element)
     1303{
     1304    if (!element)
     1305        return false;
     1306
     1307    ContainerNode* parentNode = element->parentNode();
     1308    return parentNode && parentNode->isShadowRoot();
     1309}
     1310
    13021311// If resolveForRootDefault is true, style based on user agent style sheet only. This is used in media queries, where
    13031312// relative units are interpreted according to document root element style, styled only with UA stylesheet
     
    13531362        m_style->font().update(0);
    13541363    }
     1364
     1365    // Don't propagate user-modify into shadow DOM
     1366    if (isAtShadowBoundary(e))
     1367        m_style->setUserModify(RenderStyle::initialUserModify());
    13551368
    13561369    if (e->isLink()) {
     
    18021815            style->setMarginBottom(Length(intrinsicMargin, Fixed));
    18031816    }
    1804 }
    1805 
    1806 static inline bool isAtShadowBoundary(Element* element)
    1807 {
    1808     if (!element)
    1809         return false;
    1810 
    1811     ContainerNode* parentNode = element->parentNode();
    1812     return parentNode && parentNode->isShadowRoot();
    18131817}
    18141818
  • trunk/Source/WebCore/dom/Node.cpp

    r91955 r92139  
    782782bool Node::rendererIsEditable(EditableLevel editableLevel) const
    783783{
    784     if (document()->frame() && document()->frame()->page() && document()->frame()->page()->isEditable())
     784    if (document()->frame() && document()->frame()->page() && document()->frame()->page()->isEditable() && !shadowTreeRootNode())
    785785        return true;
    786786
Note: See TracChangeset for help on using the changeset viewer.