Bug 94740 - Crash in EditingStyle::mergeStyle
Summary: Crash in EditingStyle::mergeStyle
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: Nobody
URL:
Keywords: HasReduction
Depends on:
Blocks:
 
Reported: 2012-08-22 12:00 PDT by Ryosuke Niwa
Modified: 2012-09-04 13:53 PDT (History)
9 users (show)

See Also:

Attachments
Patch (5.60 KB, patch)
2012-08-26 18:10 PDT, Sukolsak Sakshuwong 		no flags Details | Formatted Diff | Diff
Patch (6.09 KB, patch)
2012-08-27 02:19 PDT, Sukolsak Sakshuwong 		no flags Details | Formatted Diff | Diff
Patch (6.14 KB, patch)
2012-08-27 03:24 PDT, Sukolsak Sakshuwong 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2012-08-22 12:00:33 PDT 
Reduction from http://code.google.com/p/chromium/issues/detail?id=130458
<div>a
    <progress>
        <a style></a>
    </progress>
</div>
<script>
setTimeout(function(){
    document.body.contentEditable = true;
    document.execCommand("selectall")
    document.execCommand("createlink", false, "a")
})
</script>
Comment 1 Sukolsak Sakshuwong 2012-08-26 18:10:30 PDT 
Created attachment 160619 [details]
Patch
Comment 2 Ryosuke Niwa 2012-08-27 00:51:02 PDT 
Comment on attachment 160619 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=160619&action=review

> Source/WebCore/ChangeLog:15
> +        2. The first remove phrase (removeInlineStyle()) thus did not remove <a>.
> +        3. Then, we called fixRangeAndApplyInlineStyle(). In this method, we set
> +           pastEndNode to the next sibling of <progress>.

I don't really follow these two steps. Revise?

> Source/WebCore/ChangeLog:16
> +        4. Then, we called removeStyleFromRunBeforeApplyingStyle(). This method tried

"Then" is redundant given you've numbered them 1-4.

> Source/WebCore/editing/ApplyStyleCommand.cpp:801
> -        next = node->traverseNextNode();
> +        next = editingIgnoresContent(node.get()) ? node->traverseNextSibling() : node->traverseNextNode();

We need to make sure the ignored content doesn't contain pastEndNode.
We should either assert that and/or break the loop when that's not the case.

> Source/WebCore/editing/ApplyStyleCommand.cpp:1051
> +        RefPtr<Node> next = editingIgnoresContent(node) ? node->traverseNextSibling() : node->traverseNextNode();

Ditto.
Comment 3 Sukolsak Sakshuwong 2012-08-27 02:19:23 PDT 
Created attachment 160677 [details]
Patch
Comment 4 Build Bot 2012-08-27 02:57:53 PDT 
Comment on attachment 160677 [details]
Patch

Attachment 160677 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/13621040
Comment 5 Sukolsak Sakshuwong 2012-08-27 03:24:25 PDT 
Created attachment 160685 [details]
Patch
Comment 6 WebKit Review Bot 2012-08-28 04:13:23 PDT 
Comment on attachment 160685 [details]
Patch

Clearing flags on attachment: 160685

Committed r126865: <http://trac.webkit.org/changeset/126865>
Comment 7 WebKit Review Bot 2012-08-28 04:13:27 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Roger Fong 2012-09-04 13:53:54 PDT 
The test fails on Apple Windows port.
Any idea why?
Thanks,

Here's the diff:
--- /home/buildbot/slave/win-release-tests/build/layout-test-results/editing/style/apply-style-atomic-expected.txt	2012-08-29 19:43:14.684944200 -0700
+++ /home/buildbot/slave/win-release-tests/build/layout-test-results/editing/style/apply-style-atomic-actual.txt	2012-08-29 19:43:14.683944100 -0700
@@ -3,15 +3,4 @@
 |   href="a"
 |   "<#selection-anchor>1"
 |   <progress>
-|     <a>
-|       style=""
-|       "2"
-|     <shadow:root>
-|       <div>
-|         shadow:pseudoId="-webkit-progress-inner-element"
-|         <div>
-|           shadow:pseudoId="-webkit-progress-bar"
-|           <div>
-|             style="width: -100%;"
-|             shadow:pseudoId="-webkit-progress-value"
-|   <#selection-focus>
+|     "2<#selection-focus>"