Diff
Modified: trunk/LayoutTests/ChangeLog (259157 => 259158)
--- trunk/LayoutTests/ChangeLog 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/LayoutTests/ChangeLog 2020-03-28 15:35:47 UTC (rev 259158)
@@ -1,3 +1,13 @@
+2020-03-28 Antti Koivisto <[email protected]>
+
+ Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove
+ https://bugs.webkit.org/show_bug.cgi?id=207034
+
+ Reviewed by Zalan Bujtas.
+
+ * editing/selection/selection-update-during-anonymous-inline-teardown-expected.txt: Added.
+ * editing/selection/selection-update-during-anonymous-inline-teardown.html: Added.
+
2020-03-27 Jack Lee <[email protected]>
Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
Added: trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown-expected.txt (0 => 259158)
--- trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown-expected.txt 2020-03-28 15:35:47 UTC (rev 259158)
@@ -0,0 +1,2 @@
+This test passes if it doesn't crash
+content
Added: trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown.html (0 => 259158)
--- trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown.html (rev 0)
+++ trunk/LayoutTests/editing/selection/selection-update-during-anonymous-inline-teardown.html 2020-03-28 15:35:47 UTC (rev 259158)
@@ -0,0 +1,15 @@
+<style>
+span {
+ -webkit-text-emphasis: open;
+ display: contents;
+}
+svg {
+ border-left: 1px solid red;
+}
+</style><svg><text>This test passes if it doesn't crash</text></svg><span>content</span><script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.body.offsetHeight;
+document.execCommand("selectAll", false);
+document.linkColor = "red";
+</script>
Modified: trunk/Source/WebCore/ChangeLog (259157 => 259158)
--- trunk/Source/WebCore/ChangeLog 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/ChangeLog 2020-03-28 15:35:47 UTC (rev 259158)
@@ -1,3 +1,34 @@
+2020-03-28 Antti Koivisto <[email protected]>
+
+ Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove
+ https://bugs.webkit.org/show_bug.cgi?id=207034
+
+ Reviewed by Zalan Bujtas.
+
+ Reduced test case by Zalan.
+
+ Test: editing/selection/selection-update-during-anonymous-inline-teardown.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::setNeedsSelectionUpdateForRenderTreeChange):
+
+ Don't clear the selection immediately, do it in updateAppearanceAfterLayoutOrStyleChange after render tree update/layout is done instead.
+ This is safe as selection uses WeakPtrs to reference renderers.
+
+ Renamed to emphasize the use case.
+
+ (WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange):
+ (WebCore::FrameSelection::setNeedsSelectionUpdate): Deleted.
+ * editing/FrameSelection.h:
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::willBeDestroyed):
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::willBeDestroyed):
+ * rendering/RenderTextControlSingleLine.cpp:
+ (WebCore::RenderTextControlSingleLine::layout):
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::detachFromRenderElement):
+
2020-03-28 Commit Queue <[email protected]>
Unreviewed, reverting r259034.
Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (259157 => 259158)
--- trunk/Source/WebCore/editing/FrameSelection.cpp 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp 2020-03-28 15:35:47 UTC (rev 259158)
@@ -435,14 +435,12 @@
#endif
}
-void FrameSelection::setNeedsSelectionUpdate(RevealSelectionAfterUpdate revealMode)
+void FrameSelection::setNeedsSelectionUpdateForRenderTreeChange(RevealSelectionAfterUpdate revealMode)
{
m_selectionRevealIntent = AXTextStateChangeIntent();
if (revealMode == RevealSelectionAfterUpdate::Forced)
m_selectionRevealMode = SelectionRevealMode::Reveal;
m_pendingSelectionUpdate = true;
- if (RenderView* view = m_frame->contentRenderer())
- view->selection().clearSelection();
}
void FrameSelection::updateAndRevealSelection(const AXTextStateChangeIntent& intent)
@@ -2502,6 +2500,9 @@
void FrameSelection::updateAppearanceAfterLayoutOrStyleChange()
{
+ if (auto* view = m_frame->contentRenderer(); view && m_pendingSelectionUpdate)
+ view->selection().clearSelection();
+
if (auto* client = m_frame->editor().client())
client->updateEditorStateAfterLayoutIfEditabilityChanged();
Modified: trunk/Source/WebCore/editing/FrameSelection.h (259157 => 259158)
--- trunk/Source/WebCore/editing/FrameSelection.h 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/editing/FrameSelection.h 2020-03-28 15:35:47 UTC (rev 259158)
@@ -164,7 +164,7 @@
void scheduleAppearanceUpdateAfterStyleChange();
enum class RevealSelectionAfterUpdate : bool { NotForced, Forced };
- void setNeedsSelectionUpdate(RevealSelectionAfterUpdate = RevealSelectionAfterUpdate::NotForced);
+ void setNeedsSelectionUpdateForRenderTreeChange(RevealSelectionAfterUpdate = RevealSelectionAfterUpdate::NotForced);
bool contains(const LayoutPoint&) const;
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (259157 => 259158)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2020-03-28 15:35:47 UTC (rev 259158)
@@ -138,7 +138,7 @@
// We can't wait for RenderBox::destroy to clear the selection,
// because by then we will have nuked the line boxes.
if (isSelectionBorder())
- frame().selection().setNeedsSelectionUpdate();
+ frame().selection().setNeedsSelectionUpdateForRenderTreeChange();
// If we are an anonymous block, then our line boxes might have children
// that will outlast this block. In the non-anonymous block case those
Modified: trunk/Source/WebCore/rendering/RenderInline.cpp (259157 => 259158)
--- trunk/Source/WebCore/rendering/RenderInline.cpp 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/rendering/RenderInline.cpp 2020-03-28 15:35:47 UTC (rev 259158)
@@ -87,7 +87,7 @@
// We can't wait for RenderBoxModelObject::destroy to clear the selection,
// because by then we will have nuked the line boxes.
if (isSelectionBorder())
- frame().selection().setNeedsSelectionUpdate();
+ frame().selection().setNeedsSelectionUpdateForRenderTreeChange();
// If line boxes are contained inside a root, that means we're an inline.
// In that case, we need to remove all the line boxes so that the parent
Modified: trunk/Source/WebCore/rendering/RenderTextControlSingleLine.cpp (259157 => 259158)
--- trunk/Source/WebCore/rendering/RenderTextControlSingleLine.cpp 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/rendering/RenderTextControlSingleLine.cpp 2020-03-28 15:35:47 UTC (rev 259158)
@@ -220,7 +220,7 @@
// The caps lock indicator was hidden or shown. If it is now visible then it may be occluding
// the current selection (say, the caret was after the last character in the text field).
// Schedule an update and reveal of the current selection.
- frame().selection().setNeedsSelectionUpdate(FrameSelection::RevealSelectionAfterUpdate::Forced);
+ frame().selection().setNeedsSelectionUpdateForRenderTreeChange(FrameSelection::RevealSelectionAfterUpdate::Forced);
}
}
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (259157 => 259158)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2020-03-28 15:19:45 UTC (rev 259157)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2020-03-28 15:35:47 UTC (rev 259158)
@@ -871,7 +871,7 @@
// If child is the start or end of the selection, then clear the selection to
// avoid problems of invalid pointers.
if (!parent.renderTreeBeingDestroyed() && child.isSelectionBorder())
- parent.frame().selection().setNeedsSelectionUpdate();
+ parent.frame().selection().setNeedsSelectionUpdateForRenderTreeChange();
child.resetFragmentedFlowStateOnRemoval();
