Commit 5eea7a83 authored by enrica@apple.com's avatar enrica@apple.com

WebCore: Crash when dragging text in Google Docs

https://bugs.webkit.org/show_bug.cgi?id=20471
<rdar://problem/7783629>
        
Reviewed by Adele Peterson.

This fixes the crash but also fixes the generated markup when
performing a replacement at the border with an inline, to avoid the 
new content being merged into the inline.
The crash is happening when doApply detects the need of merging
the start and the end of the new paragraph and the destination position
is moved inside an inline.
        
I've added new test cases to an existing layout test.
        
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply): When the situation described above is detected,
we insert a placeholder to avoid merging into the inline.

LayoutTests: Crash when dragging text in Google Docs
https://bugs.webkit.org/show_bug.cgi?id=20471
<rdar://problem/7783629>

Reviewed by Adele Peterson.

Added new test cases to an exisisting file and updated the result to reflect
the correct behavior.
        
* editing/selection/replace-selection-crash-expected.txt:
* editing/selection/replace-selection-crash.html:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66344 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 63038daf
2010-08-29 Enrica Casucci <enrica@apple.com>
Reviewed by Adele Peterson.
Crash when dragging text in Google Docs
https://bugs.webkit.org/show_bug.cgi?id=20471
<rdar://problem/7783629>
Added new test cases to an exisisting file and updated the result to reflect
the correct behavior.
* editing/selection/replace-selection-crash-expected.txt:
* editing/selection/replace-selection-crash.html:
2010-08-29 Adam Barth <abarth@webkit.org>
Reviewed by Darin Adler.
No crash!lect 
<div contenteditable="">
<p><span class="Apple-tab-span" style="white-space:pre"> <br></span>No crash!&nbsp;</p>
</div>
seNo crash!ct 
seleNo crash! 
No crash! 
......@@ -9,17 +9,24 @@
document.getElementsByTagName("div")[0].focus();
var sel = window.getSelection();
var paragraph = document.getElementsByTagName("p")[0];
sel.setBaseAndExtent(paragraph, 1, paragraph.lastChild, 6);
var paragraphs = document.getElementsByTagName("p");
sel.setBaseAndExtent(paragraphs[0].lastChild, 0, paragraphs[0].lastChild, 2);
document.execCommand("InsertHTML", false, '<p>No crash!</p>');
sel.setBaseAndExtent(paragraphs[1].lastChild, 2, paragraphs[1].lastChild, 4);
document.execCommand("InsertHTML", false, '<p>No crash!</p>');
sel.setBaseAndExtent(paragraphs[2].lastChild, 4, paragraphs[2].lastChild, 6);
document.execCommand("InsertHTML", false, '<p>No crash!</p>');
sel.setBaseAndExtent(paragraphs[3].lastChild, 0, paragraphs[3].lastChild, 6);
document.execCommand("InsertHTML", false, '<p>No crash!</p>');
document.write("<xmp>" + document.body.innerHTML + "</xmp>");
}
</script>
</head>
<body onload="test()">
<div contenteditable>
<p><span class="Apple-tab-span" style="white-space:pre"> </span>select&nbsp;</p>
<p><span style="white-space: pre"> </span>select&nbsp;</p>
<p><span style="white-space: pre"> </span>select&nbsp;</p>
<p><span style="white-space: pre"> </span>select&nbsp;</p>
<p><span style="white-space: pre"> </span>select&nbsp;</p>
</div>
</body>
</html>
2010-08-29 Enrica Casucci <enrica@apple.com>
Reviewed by Adele Peterson.
Crash when dragging text in Google Docs
https://bugs.webkit.org/show_bug.cgi?id=20471
<rdar://problem/7783629>
This fixes the crash but also fixes the generated markup when
performing a replacement at the border with an inline, to avoid the
new content being merged into the inline.
The crash is happening when doApply detects the need of merging
the start and the end of the new paragraph and the destination position
is moved inside an inline.
I've added new test cases to an existing layout test.
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply): When the situation described above is detected,
we insert a placeholder to avoid merging into the inline.
2010-08-29 Adam Barth <abarth@webkit.org>
Reviewed by Darin Adler.
......@@ -992,6 +992,12 @@ void ReplaceSelectionCommand::doApply()
if (shouldMergeStart(selectionStartWasStartOfParagraph, fragment.hasInterchangeNewlineAtStart(), startIsInsideMailBlockquote)) {
VisiblePosition destination = startOfInsertedContent.previous();
VisiblePosition startOfParagraphToMove = startOfInsertedContent;
// We need to handle the case where we need to merge the end
// but our destination node is inside an inline that is the last in the block.
// We insert a placeholder before the newly inserted content to avoid being merged into the inline.
Node* destinationNode = destination.deepEquivalent().node();
if (m_shouldMergeEnd && destinationNode != destinationNode->enclosingInlineElement() && destinationNode->enclosingInlineElement()->nextSibling())
insertNodeBefore(createBreakElement(document()), refNode.get());
// Merging the the first paragraph of inserted content with the content that came
// before the selection that was pasted into would also move content after
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment