Title: [121162] trunk
- Revision
- 121162
- Author
- shin...@chromium.org
- Date
- 2012-06-25 09:59:25 -0700 (Mon, 25 Jun 2012)
Log Message
[Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
https://bugs.webkit.org/show_bug.cgi?id=88495
Reviewed by Ryosuke Niwa.
Source/WebCore:
InsertionPoint::removedFrom(insertionPoint) tries to find its owner ElementShadow from
parentNode or insertionPoint. If the parent node exsits but we cannot reach ElementShadow from
the parent node, InsertionPoint::removedFrom does not try to find ElementShadow anymore.
It's OK if the ElementShadow is being destructed, but there is a case ElementShadow is not being
destructed in editing. In this case, we should try to find ElementShadow from insertionPoint.
Otherwise it will bring inconsistency to Shadow DOM, and causes a crash.
Actually checking the existence of parentNode() does not make any sense. We should get
shadowRoot() directly.
Test: editing/shadow/insertorderedlist-crash.html
* html/shadow/InsertionPoint.cpp:
(WebCore::InsertionPoint::removedFrom):
LayoutTests:
* editing/shadow/insertorderedlist-crash-expected.txt: Added.
* editing/shadow/insertorderedlist-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (121161 => 121162)
--- trunk/LayoutTests/ChangeLog 2012-06-25 16:56:21 UTC (rev 121161)
+++ trunk/LayoutTests/ChangeLog 2012-06-25 16:59:25 UTC (rev 121162)
@@ -1,3 +1,13 @@
+2012-06-25 Shinya Kawanaka <shin...@chromium.org>
+
+ [Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
+ https://bugs.webkit.org/show_bug.cgi?id=88495
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/shadow/insertorderedlist-crash-expected.txt: Added.
+ * editing/shadow/insertorderedlist-crash.html: Added.
+
2012-06-25 Allan Sandfeld Jensen <allan.jen...@nokia.com>
[Qt] Unskip 3D transform tests.
Added: trunk/LayoutTests/editing/shadow/insertorderedlist-crash-expected.txt (0 => 121162)
--- trunk/LayoutTests/editing/shadow/insertorderedlist-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/shadow/insertorderedlist-crash-expected.txt 2012-06-25 16:59:25 UTC (rev 121162)
@@ -0,0 +1,3 @@
+This test confirms some combination of editing command with Shadow DOM does not cause a crash. To test manually, select from (before nested) to (after nested), then press Italic, and InsertUnorderedList.
+
+PASS
Added: trunk/LayoutTests/editing/shadow/insertorderedlist-crash.html (0 => 121162)
--- trunk/LayoutTests/editing/shadow/insertorderedlist-crash.html (rev 0)
+++ trunk/LayoutTests/editing/shadow/insertorderedlist-crash.html 2012-06-25 16:59:25 UTC (rev 121162)
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+
+<p>This test confirms some combination of editing command with Shadow DOM does not cause a crash.
+To test manually, select from (before nested) to (after nested), then press Italic, and InsertUnorderedList.</p>
+
+<div id="container" contenteditable>
+ <div><p>(before host)</p></div>
+ <div id="host"> <span contenteditable="false">not editable</span></div>
+ <div>(after host)</div>
+
+ <input type="button" value="Italic" _onclick_="document.execCommand('Italic')" />
+ <input type="button" value="InsertUnorderedList" _onclick_="document.execCommand('InsertUnorderedList')" />
+</div>
+
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+var shadowRoot = new WebKitShadowRoot(host);
+var div = document.createElement('div');
+shadowRoot.appendChild(div);
+div.innerHTML = "<span contenteditable>(before shadow)</span><shadow></shadow>(after shadow)";
+
+var nestedShadowRoot = new WebKitShadowRoot(div);
+nestedShadowRoot.innerHTML = "<div contenteditable>(before <span id='src'></span>nested)<shadow></shadow>(nested <span id='dst'></span>after)</div>";
+
+var src = ""
+var dst = nestedShadowRoot.getElementById('dst');
+
+if (window.eventSender) {
+ eventSender.mouseMoveTo(src.offsetLeft + src.offsetWidth / 2, src.offsetTop + src.offsetHeight / 2);
+ eventSender.mouseDown();
+ eventSender.mouseMoveTo(dst.offsetLeft + dst.offsetWidth / 2, dst.offsetTop + dst.offsetHeight / 2);
+ eventSender.mouseUp();
+
+ document.execCommand('Italic');
+ document.execCommand('InsertUnorderedList');
+
+ container.innerHTML = "PASS";
+}
+
+var successfullyParsed = true;
+</script>
+
+<script src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (121161 => 121162)
--- trunk/Source/WebCore/ChangeLog 2012-06-25 16:56:21 UTC (rev 121161)
+++ trunk/Source/WebCore/ChangeLog 2012-06-25 16:59:25 UTC (rev 121162)
@@ -1,3 +1,26 @@
+2012-06-25 Shinya Kawanaka <shin...@chromium.org>
+
+ [Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
+ https://bugs.webkit.org/show_bug.cgi?id=88495
+
+ Reviewed by Ryosuke Niwa.
+
+ InsertionPoint::removedFrom(insertionPoint) tries to find its owner ElementShadow from
+ parentNode or insertionPoint. If the parent node exsits but we cannot reach ElementShadow from
+ the parent node, InsertionPoint::removedFrom does not try to find ElementShadow anymore.
+
+ It's OK if the ElementShadow is being destructed, but there is a case ElementShadow is not being
+ destructed in editing. In this case, we should try to find ElementShadow from insertionPoint.
+ Otherwise it will bring inconsistency to Shadow DOM, and causes a crash.
+
+ Actually checking the existence of parentNode() does not make any sense. We should get
+ shadowRoot() directly.
+
+ Test: editing/shadow/insertorderedlist-crash.html
+
+ * html/shadow/InsertionPoint.cpp:
+ (WebCore::InsertionPoint::removedFrom):
+
2012-06-25 Kinuko Yasuda <kin...@chromium.org>
Remove responseBlob field from XMLHttpResponse.idl
Modified: trunk/Source/WebCore/html/shadow/InsertionPoint.cpp (121161 => 121162)
--- trunk/Source/WebCore/html/shadow/InsertionPoint.cpp 2012-06-25 16:56:21 UTC (rev 121161)
+++ trunk/Source/WebCore/html/shadow/InsertionPoint.cpp 2012-06-25 16:59:25 UTC (rev 121162)
@@ -128,15 +128,14 @@
void InsertionPoint::removedFrom(ContainerNode* insertionPoint)
{
if (insertionPoint->inDocument()) {
- Node* parent = parentNode();
- if (!parent)
- parent = insertionPoint;
- if (ShadowRoot* root = parent->shadowRoot()) {
- // host can be null when removedFrom() is called from ElementShadow destructor.
- if (root->host())
- root->owner()->invalidateDistribution();
- }
+ ShadowRoot* root = shadowRoot();
+ if (!root)
+ root = insertionPoint->shadowRoot();
+ // host can be null when removedFrom() is called from ElementShadow destructor.
+ if (root && root->host())
+ root->owner()->invalidateDistribution();
+
// Since this insertion point is no longer visible from the shadow subtree, it need to clean itself up.
clearDistribution();
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
