Bug 60534 - Crashes if the document inside iframe is removed during pasting some text into it.
Summary: Crashes if the document inside iframe is removed during pasting some text int...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Hajime Morrita
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-09 22:32 PDT by Hajime Morrita
Modified: 2011-05-26 15:44 PDT (History)
3 users (show)

See Also:


Attachments
Patch (4.63 KB, patch)
2011-05-10 01:44 PDT, Hajime Morrita
no flags Details | Formatted Diff | Diff
Patch (4.76 KB, patch)
2011-05-11 21:29 PDT, Hajime Morrita
tkent: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Hajime Morrita 2011-05-09 22:32:33 PDT
Repro and patch will some shortly.
Comment 1 Hajime Morrita 2011-05-10 01:44:01 PDT
Created attachment 92929 [details]
Patch
Comment 2 Kent Tamura 2011-05-10 01:56:13 PDT
Comment on attachment 92929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review

> LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:12
> +        // Calls notifyDone() before because the removal
> +        // can terminate the scdript execution.
> +        if (window.parent.layoutTestController)
> +            window.parent.layoutTestController.notifyDone();
> +        var toRemove = window.parent.document.getElementById("child");
> +        toRemove.parentNode.removeChild(toRemove);

Does this correctly crash without the Editor.cpp change?
I think notifyDone() immediately terminates the test.
Comment 3 Hajime Morrita 2011-05-10 03:33:30 PDT
Hi Kent-san, thank you for taking a look!

> Does this correctly crash without the Editor.cpp change?
> I think notifyDone() immediately terminates the test.
It works for Mac DRT which just set flag on notifyDone() to exit the event loop.
But I have no idea for other port.
So I'd like to search safer way.
Comment 4 Kent Tamura 2011-05-10 03:45:58 PDT
(In reply to comment #3)
I think we can use a DOM mutation event in the parent document.
Comment 5 Ryosuke Niwa 2011-05-10 08:09:33 PDT
Comment on attachment 92929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review

> LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:8
> +        // can terminate the scdript execution.

Typo: scdript

> LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:10
> +        if (window.parent.layoutTestController)
> +            window.parent.layoutTestController.notifyDone();

You can't call notifyDone before removing the node.
Comment 6 Ryosuke Niwa 2011-05-10 08:10:53 PDT
(In reply to comment #4)
> (In reply to comment #3)
> I think we can use a DOM mutation event in the parent document.

Can't we just do setTimeout(function() {layoutTestController.notifyDone();}, 0) ?
Comment 7 Ryosuke Niwa 2011-05-11 08:38:41 PDT
Comment on attachment 92929 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review

r- per various commets.

> LayoutTests/editing/pasteboard/paste-removing-iframe.html:9
> +<h1>PASS unless crash.</h1>

You need to be more descriptive here.  Also, you should just print PASS when WebKit didn't crash.
Comment 8 Hajime Morrita 2011-05-11 21:29:29 PDT
Created attachment 93242 [details]
Patch
Comment 9 Hajime Morrita 2011-05-11 21:33:18 PDT
Kent-san, Ryosuke, thank you for reviewing!
I updated the patch, in which I moved test script from child frame to parent frame.

> > LayoutTests/editing/pasteboard/paste-removing-iframe.html:9
> > +<h1>PASS unless crash.</h1>
> 
> You need to be more descriptive here.  Also, you should just print PASS when WebKit didn't crash.
Add more explanation as a comment (to make explanation small)
and simplify the text.
Comment 10 Kent Tamura 2011-05-11 22:09:28 PDT
Comment on attachment 93242 [details]
Patch

ok
Comment 11 Hajime Morrita 2011-05-11 22:40:37 PDT
Committed r86311: <http://trac.webkit.org/changeset/86311>
Comment 12 Ademar Reis 2011-05-26 15:44:47 PDT
Revision r86311 cherry-picked into qtwebkit-2.2 with commit 25483fc <http://gitorious.org/webkit/qtwebkit/commit/25483fc>