Title: [138657] trunk/Source/WebCore
Revision
138657
Author
infe...@chromium.org
Date
2013-01-02 15:03:24 -0800 (Wed, 02 Jan 2013)

Log Message

Crash in WebCore::Element::cloneElementWithoutChildren.
https://bugs.webkit.org/show_bug.cgi?id=105949

Reviewed by Ryosuke Niwa.

Make the |ancestors| vector hold RefPtrs, since its elements can be destroyed by mutation events
fired in CompositeEditCommand::appendNode.

No new tests. The testcase relies on recursive DOM mutations and does not minimize.

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::getAncestorsInsideBlock):
(WebCore::InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock):
(WebCore::InsertParagraphSeparatorCommand::doApply):
* editing/InsertParagraphSeparatorCommand.h:
(InsertParagraphSeparatorCommand):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (138656 => 138657)


--- trunk/Source/WebCore/ChangeLog	2013-01-02 23:00:10 UTC (rev 138656)
+++ trunk/Source/WebCore/ChangeLog	2013-01-02 23:03:24 UTC (rev 138657)
@@ -1,3 +1,22 @@
+2013-01-02  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in WebCore::Element::cloneElementWithoutChildren.
+        https://bugs.webkit.org/show_bug.cgi?id=105949
+
+        Reviewed by Ryosuke Niwa.
+        
+        RefPtr |ancestors| vector since its elements can be destroyed from mutation events
+        fired in CompositeEditCommand::appendNode. 
+
+        No new tests. The testcase relies on recursive DOM mutations and does not minimize.
+
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::getAncestorsInsideBlock):
+        (WebCore::InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock):
+        (WebCore::InsertParagraphSeparatorCommand::doApply):
+        * editing/InsertParagraphSeparatorCommand.h:
+        (InsertParagraphSeparatorCommand):
+
 2013-01-02  Douglas Stockwell  <dstockw...@chromium.org>
 
         Crash in WebCore::InlineBox::deleteLine

Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (138656 => 138657)


--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2013-01-02 23:00:10 UTC (rev 138656)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2013-01-02 23:03:24 UTC (rev 138657)
@@ -120,7 +120,7 @@
            enclosingBlock->hasTagName(h5Tag);
 }
 
-void InsertParagraphSeparatorCommand::getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<Element*>& ancestors)
+void InsertParagraphSeparatorCommand::getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<RefPtr<Element> >& ancestors)
 {
     ancestors.clear();
     
@@ -131,7 +131,7 @@
     }
 }
 
-PassRefPtr<Element> InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock(const Vector<Element*>& ancestors, PassRefPtr<Element> blockToInsert)
+PassRefPtr<Element> InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock(const Vector<RefPtr<Element> >& ancestors, PassRefPtr<Element> blockToInsert)
 {
     // Make clones of ancestors in between the start node and the start block.
     RefPtr<Element> parent = blockToInsert;
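Review bot: Ref-counting the `ancestors` entries in `cloneHierarchyUnderNewBlock` keeps them alive, but it does not keep the tree in the shape the function assumes. Per the log message, `CompositeEditCommand::appendNode` can fire mutation events, so script may detach or move the node just appended, or `blockToInsert` itself, before the next ancestor is cloned. The cloning loop lies outside this hunk, so whether it re-validates after each append cannot be confirmed from here. If it does not, the loop should stop once the appended node is no longer under `parent`, and should carry a comment such as `// appendNode() may run script; re-check that the clone is still attached before continuing.` The same question applies to the code following the two call sites in `doApply` (the `@@ -240` and `@@ -279` hunks).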
@@ -240,7 +240,7 @@
 
         // Recreate the same structure in the new paragraph.
         
-        Vector<Element*> ancestors;
+        Vector<RefPtr<Element> > ancestors;
         getAncestorsInsideBlock(positionOutsideTabSpan(insertionPosition).deprecatedNode(), startBlock.get(), ancestors);      
         RefPtr<Element> parent = cloneHierarchyUnderNewBlock(ancestors, blockToInsert);
         
@@ -279,7 +279,7 @@
 
         // Recreate the same structure in the new paragraph.
 
-        Vector<Element*> ancestors;
+        Vector<RefPtr<Element> > ancestors;
         getAncestorsInsideBlock(positionAvoidingSpecialElementBoundary(positionOutsideTabSpan(insertionPosition)).deprecatedNode(), startBlock.get(), ancestors);
         
         appendBlockPlaceholder(cloneHierarchyUnderNewBlock(ancestors, blockToInsert));

Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.h (138656 => 138657)


--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.h	2013-01-02 23:00:10 UTC (rev 138656)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.h	2013-01-02 23:03:24 UTC (rev 138657)
@@ -46,8 +46,8 @@
 
     void calculateStyleBeforeInsertion(const Position&);
     void applyStyleAfterInsertion(Node* originalEnclosingBlock);
-    void getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<Element*>& ancestors);
-    PassRefPtr<Element> cloneHierarchyUnderNewBlock(const Vector<Element*>& ancestors, PassRefPtr<Element> blockToInsert);
+    void getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<RefPtr<Element> >& ancestors);
+    PassRefPtr<Element> cloneHierarchyUnderNewBlock(const Vector<RefPtr<Element> >& ancestors, PassRefPtr<Element> blockToInsert);
 
     bool shouldUseDefaultParagraphElement(Node*) const;
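Review bot: The declarations of `getAncestorsInsideBlock` and `cloneHierarchyUnderNewBlock` now take `Vector<RefPtr<Element> >`, but nothing in the header records why. A later cleanup could switch them back to `Vector<Element*>` and reintroduce the use-after-free. A short comment above the first declaration would pin the invariant, e.g. `// |ancestors| holds strong refs: mutation events fired from appendNode() can otherwise destroy the elements while they are still in use.` The class body continues outside this hunk.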
 