Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge r165138 - Fix crash in CompositeEditCommand::cloneParagraphUnde…
…rNewElement() <http://webkit.org/b/129751> <rdar://problem/16237965> Reviewed by Jon Honeycutt. Merged from Blink (patch by Yuta Kitamura): https://src.chromium.org/viewvc/blink?revision=168160&view=revision http://crbug.com/345005 The root cause is CompositeEditCommand::moveParagraphWithClones() passing two positions |start| and |end| which do not follow the document order, i.e. in some situations |start| is located after |end| because of the difference in affinity. This patch fixes this crash by normalizing |end| to |start| in such situations. It also adds an ASSERT that checks the relationship between |start| and |end|. Source/WebCore: Test: editing/execCommand/format-block-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): (WebCore::CompositeEditCommand::moveParagraphWithClones): * editing/CompositeEditCommand.h: LayoutTests: * editing/execCommand/format-block-crash-expected.txt: Added. * editing/execCommand/format-block-crash.html: Added. * editing/execCommand/resources/format-block-crash-iframe.html: Added.
- Loading branch information
1 parent
b384743
commit 0f12da5
Showing
7 changed files
with
124 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
11 changes: 11 additions & 0 deletions
11
LayoutTests/editing/execCommand/format-block-crash-expected.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
Should not crash if we load a test case from crbug.com/345005. | ||
|
||
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". | ||
|
||
|
||
PASS event.data is "FINISH" | ||
PASS Did not crash. | ||
PASS successfullyParsed is true | ||
|
||
TEST COMPLETE | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<title>FormatBlock crash</title> | ||
<script src="../../resources/js-test.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
description('Should not crash if we load a test case from crbug.com/345005.'); | ||
|
||
window.jsTestIsAsync = true; | ||
|
||
window.addEventListener('message', didReceiveMessage, false); | ||
|
||
var iframe = document.createElement('iframe'); | ||
iframe.src = 'resources/format-block-crash-iframe.html'; | ||
document.body.appendChild(iframe); | ||
|
||
function didReceiveMessage(event) | ||
{ | ||
shouldBeEqualToString('event.data', 'FINISH'); | ||
document.body.removeChild(iframe); | ||
testPassed('Did not crash.'); | ||
window.finishJSTest(); | ||
} | ||
</script> | ||
</body> | ||
</html> |
29 changes: 29 additions & 0 deletions
29
LayoutTests/editing/execCommand/resources/format-block-crash-iframe.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<title>FormatBlock crash test case</title> | ||
</head> | ||
<!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=345005 --> | ||
<body style="display: table-row;"> | ||
<script> | ||
function run() | ||
{ | ||
document.designMode = 'on'; | ||
document.execCommand('SelectAll'); | ||
document.execCommand('FormatBlock', false, '<' + 'div>'); | ||
window.setTimeout(notifyFinish, 0); | ||
} | ||
|
||
function notifyFinish() | ||
{ | ||
window.parent.postMessage('FINISH', '*'); | ||
} | ||
|
||
window.setTimeout(run, 0); | ||
</script> | ||
<span contenteditable="true" style="display: table-caption;"></span> | ||
<span></span> | ||
<div style="display: -webkit-inline-box;"><span><span>B</span></span></div> | ||
<div></div> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters