diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index ccfaefadd346c30b0c24b1d6279af27b6e25a537..63388ea382973269396a5c5aa783bc38a8f22a08 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,13 @@ +2012-06-22 Abhishek Arya + + Crash in DragController::concludeEditDrag. + https://bugs.webkit.org/show_bug.cgi?id=89762 + + Reviewed by Ryosuke Niwa. + + * editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt: Added. + * editing/pasteboard/drop-text-events-sideeffect-crash.html: Added. + 2012-06-22 Takashi Sakamoto [Shadow] parentTreeScope() of nested shadow DOM subtree returns document(). diff --git a/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt b/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..bf50962d7dd586ad82b0779efb8e9883993bc3cd --- /dev/null +++ b/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt @@ -0,0 +1,11 @@ +Ensure safety on side-effect on drop-initiated TextEvent. + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS testTargetEditable.innerHTML is 'initialValue' +PASS testTargetIFrameDocument.body.innerHTML is 'initialBody' +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html b/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html new file mode 100644 index 0000000000000000000000000000000000000000..dff837668c0dc10a913693f49229b691db69852b --- /dev/null +++ b/LayoutTests/editing/pasteboard/drop-text-events-sideeffect-crash.html @@ -0,0 +1,15 @@ + + + + + + +

+
+ + + + + diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 319074cf2897fcda75a22cd9094b4efb29518baa..7d79fa52ad8bd63769b62a481d9daf1d41f4b4d0 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,18 @@ +2012-06-22 Abhishek Arya + + Crash in DragController::concludeEditDrag. + https://bugs.webkit.org/show_bug.cgi?id=89762 + + Reviewed by Ryosuke Niwa. + + RefPtr the innerFrame since it can get destroyed due to mutation + event fired in DragController::dispatchTextInputEventFor(). + + Test: editing/pasteboard/drop-text-events-sideeffect-crash.html + + * page/DragController.cpp: + (WebCore::DragController::concludeEditDrag): + 2012-06-22 Andrey Kosyakov Web Inspector: timeline event details popup misses CPU time diff --git a/Source/WebCore/page/DragController.cpp b/Source/WebCore/page/DragController.cpp index 46eae48f942b6d347211cc03f815213129a94a7d..dbfb3d7833fb5fa06bc356e548aa644de16da545 100644 --- a/Source/WebCore/page/DragController.cpp +++ b/Source/WebCore/page/DragController.cpp @@ -442,10 +442,10 @@ bool DragController::concludeEditDrag(DragData* dragData) Element* element = elementUnderMouse(m_documentUnderMouse.get(), point); if (!element) return false; - Frame* innerFrame = element->ownerDocument()->frame(); + RefPtr innerFrame = element->ownerDocument()->frame(); ASSERT(innerFrame); - if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame, dragData)) + if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame.get(), dragData)) return true; if (dragData->containsColor()) { 
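Review bot: The raw `Element* element` returned by `elementUnderMouse()` at the top of this hunk is held across the same `dispatchTextInputEventFor()` call that motivated ref-counting `innerFrame`, so a handler that removes the node could leave it dangling. Whether `element` is read after the dispatch is not visible in this hunk, but holding it as `RefPtr<Element> element = elementUnderMouse(m_documentUnderMouse.get(), point);` would close that off the same way. A one-line comment above the `innerFrame` declaration, e.g. `// Handlers run by dispatchTextInputEventFor() can detach and destroy the frame.`, would keep the reason for the RefPtr next to the code rather than only in the ChangeLog. The body of `concludeEditDrag` starts and ends outside the hunk.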
@@ -490,7 +490,7 @@ bool DragController::concludeEditDrag(DragData* dragData) ResourceCacheValidationSuppressor validationSuppressor(cachedResourceLoader); if (dragIsMove(innerFrame->selection(), dragData) || dragCaret.isContentRichlyEditable()) { bool chosePlainText = false; - RefPtr fragment = documentFragmentFromDragData(dragData, innerFrame, range, true, chosePlainText); + RefPtr fragment = documentFragmentFromDragData(dragData, innerFrame.get(), range, true, chosePlainText); if (!fragment || !innerFrame->editor()->shouldInsertFragment(fragment, range, EditorInsertActionDropped)) { return false; } @@ -503,7 +503,7 @@ bool DragController::concludeEditDrag(DragData* dragData) bool smartInsert = smartDelete && innerFrame->selection()->granularity() == WordGranularity && dragData->canSmartReplace(); applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete)); } else { - if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) { + if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point)) { ReplaceSelectionCommand::CommandOptions options = ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::PreventNesting; if (dragData->canSmartReplace()) options |= ReplaceSelectionCommand::SmartReplace; 
@@ -513,13 +513,13 @@ bool DragController::concludeEditDrag(DragData* dragData) } } } else { - String text = dragData->asPlainText(innerFrame); + String text = dragData->asPlainText(innerFrame.get()); if (text.isEmpty() || !innerFrame->editor()->shouldInsertText(text, range.get(), EditorInsertActionDropped)) { return false; } m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData); - if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) + if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point)) applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::MatchStyle | ReplaceSelectionCommand::PreventNesting)); }
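Review bot: `m_documentUnderMouse.get()` is read from the member again in the `applyCommand(ReplaceSelectionCommand::create(...))` call at the end of this hunk, after `shouldInsertText()`, `willPerformDragDestinationAction()` and `setSelectionToDragCaret()` have run. The commit keeps `innerFrame` alive across those calls, but if any of them can re-enter the controller and reset the member (not visible here), the command would be created with a null or different document. Taking one snapshot near the top of `concludeEditDrag`, outside this hunk, such as `RefPtr<Document> documentUnderMouse = m_documentUnderMouse;`, and using that local here would make the lifetime assumption explicit.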