Commit 700d6e2a authored by inferno@chromium.org's avatar inferno@chromium.org

Crash in DragController::concludeEditDrag.

https://bugs.webkit.org/show_bug.cgi?id=89762

Reviewed by Ryosuke Niwa.

Source/WebCore:

RefPtr the innerFrame since it can get destroyed due to mutation
event fired in DragController::dispatchTextInputEventFor().

Test: editing/pasteboard/drop-text-events-sideeffect-crash.html

* page/DragController.cpp:
(WebCore::DragController::concludeEditDrag):

LayoutTests:

* editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt: Added.
* editing/pasteboard/drop-text-events-sideeffect-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121031 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent e486f049
2012-06-22 Abhishek Arya <inferno@chromium.org>
Crash in DragController::concludeEditDrag.
https://bugs.webkit.org/show_bug.cgi?id=89762
Reviewed by Ryosuke Niwa.
* editing/pasteboard/drop-text-events-sideeffect-crash-expected.txt: Added.
* editing/pasteboard/drop-text-events-sideeffect-crash.html: Added.
2012-06-22 Takashi Sakamoto <tasak@google.com>
[Shadow] parentTreeScope() of nested shadow DOM subtree returns document().
......
Ensure safety on side-effect on drop-initiated TextEvent.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS testTargetEditable.innerHTML is 'initialValue'
PASS testTargetIFrameDocument.body.innerHTML is 'initialBody'
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="../../fast/js/resources/js-test-pre.js"></script>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script>
document.body.contentEditable = "true";
</script>
<script src="script-tests/drop-text-events-sideeffect.js"></script>
<script src="../../fast/js/resources/js-test-post.js"></script>
</body>
</html>
2012-06-22 Abhishek Arya <inferno@chromium.org>
Crash in DragController::concludeEditDrag.
https://bugs.webkit.org/show_bug.cgi?id=89762
Reviewed by Ryosuke Niwa.
RefPtr the innerFrame since it can get destroyed due to mutation
event fired in DragController::dispatchTextInputEventFor().
Test: editing/pasteboard/drop-text-events-sideeffect-crash.html
* page/DragController.cpp:
(WebCore::DragController::concludeEditDrag):
2012-06-22 Andrey Kosyakov <caseq@chromium.org>
Web Inspector: timeline event details popup misses CPU time
......@@ -442,10 +442,10 @@ bool DragController::concludeEditDrag(DragData* dragData)
Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
if (!element)
return false;
Frame* innerFrame = element->ownerDocument()->frame();
RefPtr<Frame> innerFrame = element->ownerDocument()->frame();
ASSERT(innerFrame);
if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame, dragData))
if (m_page->dragCaretController()->hasCaret() && !dispatchTextInputEventFor(innerFrame.get(), dragData))
return true;
if (dragData->containsColor()) {
......@@ -490,7 +490,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
ResourceCacheValidationSuppressor validationSuppressor(cachedResourceLoader);
if (dragIsMove(innerFrame->selection(), dragData) || dragCaret.isContentRichlyEditable()) {
bool chosePlainText = false;
RefPtr<DocumentFragment> fragment = documentFragmentFromDragData(dragData, innerFrame, range, true, chosePlainText);
RefPtr<DocumentFragment> fragment = documentFragmentFromDragData(dragData, innerFrame.get(), range, true, chosePlainText);
if (!fragment || !innerFrame->editor()->shouldInsertFragment(fragment, range, EditorInsertActionDropped)) {
return false;
}
......@@ -503,7 +503,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
bool smartInsert = smartDelete && innerFrame->selection()->granularity() == WordGranularity && dragData->canSmartReplace();
applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete));
} else {
if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) {
if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point)) {
ReplaceSelectionCommand::CommandOptions options = ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::PreventNesting;
if (dragData->canSmartReplace())
options |= ReplaceSelectionCommand::SmartReplace;
......@@ -513,13 +513,13 @@ bool DragController::concludeEditDrag(DragData* dragData)
}
}
} else {
String text = dragData->asPlainText(innerFrame);
String text = dragData->asPlainText(innerFrame.get());
if (text.isEmpty() || !innerFrame->editor()->shouldInsertText(text, range.get(), EditorInsertActionDropped)) {
return false;
}
m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData);
if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
if (setSelectionToDragCaret(innerFrame.get(), dragCaret, range, point))
applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), ReplaceSelectionCommand::SelectReplacement | ReplaceSelectionCommand::MatchStyle | ReplaceSelectionCommand::PreventNesting));
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment