RESOLVED FIXED 60534
Crashes if the document inside iframe is removed during pasting some text into it.
https://bugs.webkit.org/show_bug.cgi?id=60534
Summary Crashes if the document inside iframe is removed during pasting some text int...
Hajime Morrita
Reported 2011-05-09 22:32:33 PDT
Repro and patch will some shortly.
Attachments
Patch (4.63 KB, patch)
2011-05-10 01:44 PDT, Hajime Morrita
no flags
Patch (4.76 KB, patch)
2011-05-11 21:29 PDT, Hajime Morrita
tkent: review+
Hajime Morrita
Comment 1 2011-05-10 01:44:01 PDT
Kent Tamura
Comment 2 2011-05-10 01:56:13 PDT
Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:12 > + // Calls notifyDone() before because the removal > + // can terminate the scdript execution. > + if (window.parent.layoutTestController) > + window.parent.layoutTestController.notifyDone(); > + var toRemove = window.parent.document.getElementById("child"); > + toRemove.parentNode.removeChild(toRemove); Does this correctly crash without the Editor.cpp change? I think notifyDone() immediately terminates the test.
Hajime Morrita
Comment 3 2011-05-10 03:33:30 PDT
Hi Kent-san, thank you for taking a look! > Does this correctly crash without the Editor.cpp change? > I think notifyDone() immediately terminates the test. It works for Mac DRT which just set flag on notifyDone() to exit the event loop. But I have no idea for other port. So I'd like to search safer way.
Kent Tamura
Comment 4 2011-05-10 03:45:58 PDT
(In reply to comment #3) I think we can use a DOM mutation event in the parent document.
Ryosuke Niwa
Comment 5 2011-05-10 08:09:33 PDT
Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:8 > + // can terminate the scdript execution. Typo: scdript > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:10 > + if (window.parent.layoutTestController) > + window.parent.layoutTestController.notifyDone(); You can't call notifyDone before removing the node.
Ryosuke Niwa
Comment 6 2011-05-10 08:10:53 PDT
(In reply to comment #4) > (In reply to comment #3) > I think we can use a DOM mutation event in the parent document. Can't we just do setTimeout(function() {layoutTestController.notifyDone();}, 0) ?
Ryosuke Niwa
Comment 7 2011-05-11 08:38:41 PDT
Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review r- per various commets. > LayoutTests/editing/pasteboard/paste-removing-iframe.html:9 > +<h1>PASS unless crash.</h1> You need to be more descriptive here. Also, you should just print PASS when WebKit didn't crash.
Hajime Morrita
Comment 8 2011-05-11 21:29:29 PDT
Hajime Morrita
Comment 9 2011-05-11 21:33:18 PDT
Kent-san, Ryosuke, thank you for reviewing! I updated the patch, in which I moved test script from child frame to parent frame. > > LayoutTests/editing/pasteboard/paste-removing-iframe.html:9 > > +<h1>PASS unless crash.</h1> > > You need to be more descriptive here. Also, you should just print PASS when WebKit didn't crash. Add more explanation as a comment (to make explanation small) and simplify the text.
Kent Tamura
Comment 10 2011-05-11 22:09:28 PDT
Comment on attachment 93242 [details] Patch ok
Hajime Morrita
Comment 11 2011-05-11 22:40:37 PDT
Ademar Reis
Comment 12 2011-05-26 15:44:47 PDT
Revision r86311 cherry-picked into qtwebkit-2.2 with commit 25483fc <http://gitorious.org/webkit/qtwebkit/commit/25483fc>
Note You need to log in before you can comment on or make changes to this bug.