Title: [153366] trunk
Revision: 153366
Author: rn...@webkit.org
Date: 2013-07-25 20:59:22 -0700 (Thu, 25 Jul 2013)
Log Message
Fix document leak when selection is created inside the document
https://bugs.webkit.org/show_bug.cgi?id=119122
Reviewed by Andreas Kling.
Source/WebCore:
Merge https://chromium.googlesource.com/chromium/blink/+/b908cb4c8da93316d787de31c93f2a43de332a10
The bug was caused by FrameSelection::m_previousCaretNode holding onto a Node, leaking its document.
Fixed the bug by explicitly clearing it in FrameSelection::prepareForDestruction.
Test: editing/selection/leak-document-with-selection-inside.html
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::prepareForDestruction):
LayoutTests:
Added a regression test.
* editing/selection/leak-document-with-selection-inside-expected.txt: Added.
* editing/selection/leak-document-with-selection-inside.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (153365 => 153366)
--- trunk/LayoutTests/ChangeLog 2013-07-26 01:48:23 UTC (rev 153365)
+++ trunk/LayoutTests/ChangeLog 2013-07-26 03:59:22 UTC (rev 153366)
@@ -1,3 +1,15 @@
+2013-07-25 Ryosuke Niwa <rn...@webkit.org>
+
+ Fix document leak when selection is created inside the document
+ https://bugs.webkit.org/show_bug.cgi?id=119122
+
+ Reviewed by Andreas Kling.
+
+ Added a regression test.
+
+ * editing/selection/leak-document-with-selection-inside-expected.txt: Added.
+ * editing/selection/leak-document-with-selection-inside.html: Added.
+
2013-07-25 Bem Jones-Bey <bjone...@adobe.com>
[CSS Shapes] New positioning model: support for inset rectangle shape-outside
Added: trunk/LayoutTests/editing/selection/leak-document-with-selection-inside-expected.txt (0 => 153366)
--- trunk/LayoutTests/editing/selection/leak-document-with-selection-inside-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/selection/leak-document-with-selection-inside-expected.txt 2013-07-26 03:59:22 UTC (rev 153366)
@@ -0,0 +1,12 @@
+This test asserts that document doesn't leak when a selection is created inside the document.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS internals.numberOfLiveDocuments() is originalNumberOfLiveDocuments
+PASS successfullyParsed is true
+
+TEST COMPLETE
+This test only runs on DumpRenderTree, as it requires existence of window.internals and cross-domain resource access check disabled.
+
+
Added: trunk/LayoutTests/editing/selection/leak-document-with-selection-inside.html (0 => 153366)
--- trunk/LayoutTests/editing/selection/leak-document-with-selection-inside.html (rev 0)
+++ trunk/LayoutTests/editing/selection/leak-document-with-selection-inside.html 2013-07-26 03:59:22 UTC (rev 153366)
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html>
+<body _onload_="runTest()">
+<p>This test only runs on DumpRenderTree, as it requires existence of window.internals and cross-domain resource access check disabled.</p>
+<iframe id="frame" src=''></iframe>
+<script src=""
+<script>
+description("This test asserts that document doesn't leak when a selection is created inside the document.");
+
+if (window.internals)
+ jsTestIsAsync = true;
+
+var originalNumberOfLiveDocuments = 0;
+
+var frame = document.getElementById('frame');
+frame._onload_ = function() {
+ if (frame.src ="" 'about:blank')
+ return true;
+
+ (function() {
+ var contentWindow = frame.contentWindow;
+ var element = contentWindow.document.getElementById("t");
+ contentWindow.getSelection().setPosition(element, 0);
+ })();
+
+ frame._onload_ = function() {
+ gc();
+ setTimeout(function () {
+ shouldBe("internals.numberOfLiveDocuments()", "originalNumberOfLiveDocuments");
+ finishJSTest();
+ }, 0);
+ }
+ frame.src = '';
+}
+
+function runTest() {
+ if (!window.internals)
+ return;
+ originalNumberOfLiveDocuments = internals.numberOfLiveDocuments();
+ frame.src = '';
+}
+
+var successfullyParsed = true;
+
+</script>
+<script src=""
+</body>
+</html>
\ No newline at end of file
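Review bot: In the first onload handler, the result of `contentWindow.document.getElementById("t")` is passed to `setPosition(element, 0)` without any check. If the loaded frame document has no element with id "t", the selection may never be created inside that document, and the `numberOfLiveDocuments()` comparison could then pass without exercising the leak. Suggest failing the test explicitly when `element` is null before setting the position. Minor style point: the file ends without a trailing newline.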
Modified: trunk/Source/WebCore/ChangeLog (153365 => 153366)
--- trunk/Source/WebCore/ChangeLog 2013-07-26 01:48:23 UTC (rev 153365)
+++ trunk/Source/WebCore/ChangeLog 2013-07-26 03:59:22 UTC (rev 153366)
@@ -1,3 +1,20 @@
+2013-07-25 Ryosuke Niwa <rn...@webkit.org>
+
+ Fix document leak when selection is created inside the document
+ https://bugs.webkit.org/show_bug.cgi?id=119122
+
+ Reviewed by Andreas Kling.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/b908cb4c8da93316d787de31c93f2a43de332a10
+
+ The bug was caused by FrameSelection::m_previousCaretNode holding onto a Node, leaking its document.
+ Fixed the bug by explicitly clearing it in FrameSelection::prepareForDestruction.
+
+ Test: editing/selection/leak-document-with-selection-inside.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::prepareForDestruction):
+
2013-07-25 Andreas Kling <akl...@apple.com>
ChromeClient::focusedNodeChanged() should be focusedElementChanged().
Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (153365 => 153366)
--- trunk/Source/WebCore/editing/FrameSelection.cpp 2013-07-26 01:48:23 UTC (rev 153365)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp 2013-07-26 03:59:22 UTC (rev 153366)
@@ -1209,6 +1209,7 @@
view->clearSelection();
setSelection(VisibleSelection(), CloseTyping | ClearTypingStyle | DoNotUpdateAppearance);
+ m_previousCaretNode.clear();
}
void FrameSelection::setStart(const VisiblePosition &pos, EUserTriggered trigger)
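Review bot: The added `m_previousCaretNode.clear();` after the `setSelection(VisibleSelection(), ...)` call carries no comment saying why resetting the selection does not already drop this reference. Since that call passes `DoNotUpdateAppearance`, a one-line comment stating that the cached caret node has to be released explicitly so it does not keep its document alive would record the intent for later readers. It would also be worth confirming that no other path that resets the selection with `DoNotUpdateAppearance` can leave the same reference behind.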