Diff
Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103380 => 103381)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 01:50:23 UTC (rev 103380)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 01:52:50 UTC (rev 103381)
@@ -1,5 +1,22 @@
2011-12-20 Lucas Forschler <lforsch...@apple.com>
+ Merge 92966
+
+ 2011-08-12 Abhishek Arya <infe...@chromium.org>
+
+ Crash in WebCore::editingIgnoresContent
+ https://bugs.webkit.org/show_bug.cgi?id=66125
+
+ Reviewed by Ryosuke Niwa.
+
+ Tests that we do not crash when we blow away the root
+ during the firing of selectstart event in selection.
+
+ * editing/selection/select-start-remove-root-crash-expected.txt: Added.
+ * editing/selection/select-start-remove-root-crash.html: Added.
+
+2011-12-20 Lucas Forschler <lforsch...@apple.com>
+
Merge 92798
2011-08-10 Abhishek Arya <infe...@chromium.org>
Copied: branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash-expected.txt (from rev 92966, trunk/LayoutTests/editing/selection/select-start-remove-root-crash-expected.txt) (0 => 103381)
--- branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash-expected.txt 2011-12-21 01:52:50 UTC (rev 103381)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash.html (from rev 92966, trunk/LayoutTests/editing/selection/select-start-remove-root-crash.html) (0 => 103381)
--- branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/editing/selection/select-start-remove-root-crash.html 2011-12-21 01:52:50 UTC (rev 103381)
@@ -0,0 +1,24 @@
+<html>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+ document.write("PASS");
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function select()
+{
+ document.execCommand("SelectAll");
+}
+
+window.addEventListener("selectstart", runTest, true);
+window.setInterval(select, 0);
+</script>
+</html>
\ No newline at end of file
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103380 => 103381)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 01:50:23 UTC (rev 103380)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 01:52:50 UTC (rev 103381)
@@ -1,5 +1,26 @@
2011-12-20 Lucas Forschler <lforsch...@apple.com>
+ Merge 92966
+
+ 2011-08-12 Abhishek Arya <infe...@chromium.org>
+
+ Crash in WebCore::editingIgnoresContent
+ https://bugs.webkit.org/show_bug.cgi?id=66125
+
+ Reviewed by Ryosuke Niwa.
+
+ RefPtr a few nodes in case they get blown away in
+ dispatchEvent calls.
+
+ Test: editing/selection/select-start-remove-root-crash.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::selectAll):
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplacementFragment::ReplacementFragment):
+
+2011-12-20 Lucas Forschler <lforsch...@apple.com>
+
Merge 92798
2011-08-10 Abhishek Arya <infe...@chromium.org>
Modified: branches/safari-534.54-branch/Source/WebCore/editing/FrameSelection.cpp (103380 => 103381)
--- branches/safari-534.54-branch/Source/WebCore/editing/FrameSelection.cpp 2011-12-21 01:50:23 UTC (rev 103380)
+++ branches/safari-534.54-branch/Source/WebCore/editing/FrameSelection.cpp 2011-12-21 01:52:50 UTC (rev 103381)
@@ -1455,14 +1455,14 @@
}
}
- Node* root = 0;
+ RefPtr<Node> root = 0;
Node* selectStartTarget = 0;
if (isContentEditable()) {
root = highestEditableRoot(m_selection.start());
if (Node* shadowRoot = shadowTreeRootNode())
selectStartTarget = shadowRoot->shadowHost();
else
- selectStartTarget = root;
+ selectStartTarget = root.get();
} else {
root = shadowTreeRootNode();
if (root)
@@ -1478,7 +1478,7 @@
if (selectStartTarget && !selectStartTarget->dispatchEvent(Event::create(eventNames().selectstartEvent, true, true)))
return;
- VisibleSelection newSelection(VisibleSelection::selectionFromContentsOfNode(root));
+ VisibleSelection newSelection(VisibleSelection::selectionFromContentsOfNode(root.get()));
if (shouldChangeSelection(newSelection))
setSelection(newSelection);
Modified: branches/safari-534.54-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp (103380 => 103381)
--- branches/safari-534.54-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2011-12-21 01:50:23 UTC (rev 103380)
+++ branches/safari-534.54-branch/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2011-12-21 01:52:50 UTC (rev 103381)
@@ -139,7 +139,7 @@
if (!m_fragment->firstChild())
return;
- Element* editableRoot = selection.rootEditableElement();
+ RefPtr<Element> editableRoot = selection.rootEditableElement();
ASSERT(editableRoot);
if (!editableRoot)
return;
@@ -154,8 +154,8 @@
return;
}
- Node* styleNode = selection.base().deprecatedNode();
- RefPtr<StyledElement> holder = insertFragmentForTestRendering(styleNode);
+ RefPtr<Node> styleNode = selection.base().deprecatedNode();
+ RefPtr<StyledElement> holder = insertFragmentForTestRendering(styleNode.get());
RefPtr<Range> range = VisibleSelection::selectionFromContentsOfNode(holder.get()).toNormalizedRange();
String text = plainText(range.get());
@@ -171,7 +171,7 @@
m_fragment = createFragmentFromText(selection.toNormalizedRange().get(), evt->text());
if (!m_fragment->firstChild())
return;
- holder = insertFragmentForTestRendering(styleNode);
+ holder = insertFragmentForTestRendering(styleNode.get());
}
removeInterchangeNodes(holder.get());
