RESOLVED FIXED94740
Crash in EditingStyle::mergeStyle 
https://bugs.webkit.org/show_bug.cgi?id=94740
Summary Crash in EditingStyle::mergeStyle
Ryosuke Niwa
Reported 2012-08-22 12:00:33 PDT
Reduction from http://code.google.com/p/chromium/issues/detail?id=130458 <div>a <progress> <a style></a> </progress> </div> <script> setTimeout(function(){ document.body.contentEditable = true; document.execCommand("selectall") document.execCommand("createlink", false, "a") }) </script>
Attachments
Patch (5.60 KB, patch)
2012-08-26 18:10 PDT, Sukolsak Sakshuwong 		no flags
DetailsFormatted DiffDiff
Patch (6.09 KB, patch)
2012-08-27 02:19 PDT, Sukolsak Sakshuwong 		no flags
DetailsFormatted DiffDiff
Patch (6.14 KB, patch)
2012-08-27 03:24 PDT, Sukolsak Sakshuwong 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Sukolsak Sakshuwong
Comment 1 2012-08-26 18:10:30 PDT
Created attachment 160619 [details] Patch
Ryosuke Niwa
Comment 2 2012-08-27 00:51:02 PDT
Comment on attachment 160619 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=160619&action=review > Source/WebCore/ChangeLog:15 > + 2. The first remove phrase (removeInlineStyle()) thus did not remove <a>. > + 3. Then, we called fixRangeAndApplyInlineStyle(). In this method, we set > + pastEndNode to the next sibling of <progress>. I don't really follow these two steps. Revise? > Source/WebCore/ChangeLog:16 > + 4. Then, we called removeStyleFromRunBeforeApplyingStyle(). This method tried "Then" is redundant given you've numbered them 1-4. > Source/WebCore/editing/ApplyStyleCommand.cpp:801 > - next = node->traverseNextNode(); > + next = editingIgnoresContent(node.get()) ? node->traverseNextSibling() : node->traverseNextNode(); We need to make sure the ignored content doesn't contain pastEndNode. We should either assert that and/or break the loop when that's not the case. > Source/WebCore/editing/ApplyStyleCommand.cpp:1051 > + RefPtr<Node> next = editingIgnoresContent(node) ? node->traverseNextSibling() : node->traverseNextNode(); Ditto.
Sukolsak Sakshuwong
Comment 3 2012-08-27 02:19:23 PDT
Created attachment 160677 [details] Patch
Build Bot
Comment 4 2012-08-27 02:57:53 PDT
Comment on attachment 160677 [details] Patch Attachment 160677 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/13621040
Sukolsak Sakshuwong
Comment 5 2012-08-27 03:24:25 PDT
Created attachment 160685 [details] Patch
WebKit Review Bot
Comment 6 2012-08-28 04:13:23 PDT
Comment on attachment 160685 [details] Patch Clearing flags on attachment: 160685 Committed r126865: <http://trac.webkit.org/changeset/126865>
WebKit Review Bot
Comment 7 2012-08-28 04:13:27 PDT
All reviewed patches have been landed. Closing bug.
Roger Fong
Comment 8 2012-09-04 13:53:54 PDT
The test fails on Apple Windows port. Any idea why? Thanks, Here's the diff: --- /home/buildbot/slave/win-release-tests/build/layout-test-results/editing/style/apply-style-atomic-expected.txt 2012-08-29 19:43:14.684944200 -0700 +++ /home/buildbot/slave/win-release-tests/build/layout-test-results/editing/style/apply-style-atomic-actual.txt 2012-08-29 19:43:14.683944100 -0700 @@ -3,15 +3,4 @@ | href="a" | "<#selection-anchor>1" | <progress> -| <a> -| style="" -| "2" -| <shadow:root> -| <div> -| shadow:pseudoId="-webkit-progress-inner-element" -| <div> -| shadow:pseudoId="-webkit-progress-bar" -| <div> -| style="width: -100%;" -| shadow:pseudoId="-webkit-progress-value" -| <#selection-focus> +| "2<#selection-focus>"
Note You need to log in before you can comment on or make changes to this bug.