Title: [91908] trunk
- Revision: 91908
- Author: [email protected]
- Date: 2011-07-27 22:24:41 -0700 (Wed, 27 Jul 2011)
Log Message
Calling window.find immediately after mutating the document crashes WebKit.
https://bugs.webkit.org/show_bug.cgi?id=65296
Reviewed by Darin Adler.
Source/WebCore:
Don't forget to layout first.
Test: editing/text-iterator/find-after-mutation.html
* editing/TextIterator.cpp:
(WebCore::findPlainText):
LayoutTests:
Added a test to ensure WebKit doesn't crash when searching for string after mutating the document.
* editing/text-iterator/find-after-mutation-expected.txt: Added.
* editing/text-iterator/find-after-mutation.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (91907 => 91908)
--- trunk/LayoutTests/ChangeLog 2011-07-28 05:22:51 UTC (rev 91907)
+++ trunk/LayoutTests/ChangeLog 2011-07-28 05:24:41 UTC (rev 91908)
@@ -1,3 +1,15 @@
+2011-07-27 Ryosuke Niwa <[email protected]>
+
+ Calling window.find immediately after mutating the document crashes WebKit.
+ https://bugs.webkit.org/show_bug.cgi?id=65296
+
+ Reviewed by Darin Adler.
+
+ Added a test to ensure WebKit doesn't crash when searching for string after mutating the document.
+
+ * editing/text-iterator/find-after-mutation-expected.txt: Added.
+ * editing/text-iterator/find-after-mutation.html: Added.
+
2011-07-27 Ben Wells <[email protected]>
Remove skia special case for outline rendering code
Added: trunk/LayoutTests/editing/text-iterator/find-after-mutation-expected.txt (0 => 91908)
--- trunk/LayoutTests/editing/text-iterator/find-after-mutation-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/text-iterator/find-after-mutation-expected.txt 2011-07-28 05:24:41 UTC (rev 91908)
@@ -0,0 +1 @@
+PASS - WebKit did not crash
Added: trunk/LayoutTests/editing/text-iterator/find-after-mutation.html (0 => 91908)
--- trunk/LayoutTests/editing/text-iterator/find-after-mutation.html (rev 0)
+++ trunk/LayoutTests/editing/text-iterator/find-after-mutation.html 2011-07-28 05:24:41 UTC (rev 91908)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function runTest() {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ document.body.offsetHeight;
+ document.body.innerHTML = " ";
+ window.find('a');
+
+ document.body.innerHTML = 'PASS - WebKit did not crash';
+}
+</script>
+</head>
+<body _onload_="runTest()">
+a
+</body>
+</html>
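Review bot: The `document.body.offsetHeight;` statement in runTest has no comment saying it is there to force a layout before the mutation, so a later cleanup could delete it as a dead expression and the test would silently stop covering the case where renderers are out of date. Add a one-line comment above it. The return value of `window.find('a')` is also discarded; since the body has just been replaced with " ", checking that no match is reported would let the test catch a wrong result as well as a crash.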
Modified: trunk/Source/WebCore/ChangeLog (91907 => 91908)
--- trunk/Source/WebCore/ChangeLog 2011-07-28 05:22:51 UTC (rev 91907)
+++ trunk/Source/WebCore/ChangeLog 2011-07-28 05:24:41 UTC (rev 91908)
@@ -1,3 +1,17 @@
+2011-07-27 Ryosuke Niwa <[email protected]>
+
+ Calling window.find immediately after mutating the document crashes WebKit.
+ https://bugs.webkit.org/show_bug.cgi?id=65296
+
+ Reviewed by Darin Adler.
+
+ Don't forget to layout first.
+
+ Test: editing/text-iterator/find-after-mutation.html
+
+ * editing/TextIterator.cpp:
+ (WebCore::findPlainText):
+
2011-07-27 Ben Wells <[email protected]>
Remove skia special case for outline rendering code
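Review bot: The description "Don't forget to layout first." in this entry does not say what was crashing or why layout is needed, which makes the entry hard to use when reading history later. Suggest stating that findPlainText now calls updateLayout() on the range's owner document because CharacterIterator requires up-to-date renderers, matching the comment added in TextIterator.cpp.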
Modified: trunk/Source/WebCore/editing/TextIterator.cpp (91907 => 91908)
--- trunk/Source/WebCore/editing/TextIterator.cpp 2011-07-28 05:22:51 UTC (rev 91907)
+++ trunk/Source/WebCore/editing/TextIterator.cpp 2011-07-28 05:24:41 UTC (rev 91908)
@@ -2571,6 +2571,9 @@
PassRefPtr<Range> findPlainText(const Range* range, const String& target, FindOptions options)
{
+ // CharacterIterator requires renderers to be up-to-date
+ range->ownerDocument()->updateLayout();
+
// First, find the text.
size_t matchStart;
size_t matchLength;
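Review bot: The added `range->ownerDocument()->updateLayout();` at the top of findPlainText dereferences both `range` and the result of `ownerDocument()` without any check, ahead of all existing code in the function. If callers guarantee both are non-null, say so with an ASSERT(range) before the call; otherwise handle the null case before calling updateLayout(). Separately, the new comment places the requirement on CharacterIterator, but the layout is forced only at this one entry point, so any other code that constructs a CharacterIterator is not covered by this hunk; consider asserting the precondition in the iterator itself, or extend the comment to say why fixing findPlainText is sufficient.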