Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(158)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: LayoutTests/fast/dom/Range/surroundContents-crash.html

Issue 178543013: Fix a bug in Range::didSplitTextNode() that may yield an invalid Range object. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix comments in test. Created 6 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | LayoutTests/fast/dom/Range/surroundContents-crash-expected.txt » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <title>Range.surroundContents() crash</title>
5 <script src="../../../resources/js-test.js"></script>
6 </head>
7 <body>
8 <script>
9 description('Range::didSplitTextNode() should not yield an invalid Range object nor cause a crash inside surroundContents().');
10
11 window.jsTestIsAsync = true;
12
13 var range;
14 var textContainer;
15 var textToBeSplit;
16 var newTextNode;
17
18 function run()
19 {
20 textContainer = document.createElement('div');
21 textToBeSplit = document.createTextNode('SPLITME');
22 textContainer.appendChild(textToBeSplit);
23 document.body.appendChild(textContainer);
24
25 var surroundParent = document.createElement('div');
26 var textToBeRemoved = document.createTextNode('I will be removed.');
27 surroundParent.appendChild(textToBeRemoved);
28 document.body.appendChild(surroundParent);
29
30 // Range.surroundContents(newParent) removes newParent's children during its preprocess phase, thus
31 // the following event handler is called in the middle of surroundContents() method.
32 textToBeRemoved.addEventListener('DOMNodeRemoved', function (event) {
yosin_UTC9 2014/03/04 09:26:29 nit: Can we use DOM mutation observer instead of i
Yuta Kitamura 2014/03/05 01:15:53 This crash needs synchronous call within surroundC
33 shouldEvaluateTo('textContainer.childNodes.length', 1);
34 shouldBeTrue('range.startContainer === textToBeSplit');
35 shouldEvaluateTo('range.startOffset', textToBeSplit.length);
36 shouldBeTrue('range.endContainer === textContainer');
37 shouldEvaluateTo('range.endOffset', 1);
38
39 // A bug in Range::didSplitTextNode() yielded an invalid Range object (m _start is located *after* m_end).
40 // This leads to a crash if this happens within surroundContents().
41 textToBeSplit.splitText(textToBeSplit.length - 1);
42 newTextNode = textToBeSplit.nextSibling;
43
44 // To reproduce a crash, there must be something in between split text n odes.
45 textContainer.insertBefore(document.createElement('span'), newTextNode);
46
47 shouldEvaluateTo('textContainer.childNodes.length', 3);
48 shouldBeTrue('range.startContainer === newTextNode');
49 shouldEvaluateTo('range.startOffset', newTextNode.length);
50 shouldBeTrue('range.endContainer === textContainer');
51 shouldEvaluateTo('range.endOffset', 3);
52 });
53
54 range = new Range();
55 range.setStart(textToBeSplit, textToBeSplit.length);
56 range.setEnd(textContainer, 1);
57 range.surroundContents(surroundParent);
58
59 testPassed('Did not crash.');
60
61 // Cleanup.
62 document.body.removeChild(textContainer);
63
64 window.finishJSTest();
65 }
66
67 window.setTimeout(run, 0);
68 </script>
69 </body>
70 </html>
OLDNEW
« no previous file with comments | « no previous file | LayoutTests/fast/dom/Range/surroundContents-crash-expected.txt » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698