Skip to site navigation (Press enter)

[webkit-changes] [278491] branches/safari-611-branch

alancoon Fri, 04 Jun 2021 13:25:22 -0700

Title: [278491] branches/safari-611-branch

Revision: 278491
Author: [email protected]
Date: 2021-06-04 13:24:24 -0700 (Fri, 04 Jun 2021)

Log Message

Cherry-pick r277644. rdar://problem/78875252


    SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance
    https://bugs.webkit.org/show_bug.cgi?id=225219

    Patch by Frederic Wang <[email protected]> on 2021-05-18
    Reviewed by Ryosuke Niwa.

    Source/WebCore:

    When FrameSelection::selectFrameElementInParentIfFullySelected sets focus on the parent
    frame, that can trigger DOM events, possibly making orphan the newSelection prepared before.
    This patch fixes that issue by clearing the selection on that parent frame in such a
    situation.

    Test: editing/selection/selection-in-iframe-removed-assert.html

    * editing/FrameSelection.cpp:
    (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): Check if the
    newSelection became orphan and if so, clear it.

    LayoutTests:

    Add a regression test.

    * editing/selection/selection-in-iframe-removed-assert.html: Copied from
    editing/selection/selection-in-iframe-removed-crash.html, with an additional
    requestAnimationFrame.
    * editing/selection/selection-in-iframe-removed-assert-expected.txt: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277644 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

branches/safari-611-branch/LayoutTests/ChangeLog
branches/safari-611-branch/Source/WebCore/ChangeLog
branches/safari-611-branch/Source/WebCore/editing/FrameSelection.cpp

Added Paths

branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert-expected.txt
branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert.html

Diff

Modified: branches/safari-611-branch/LayoutTests/ChangeLog (278490 => 278491)


--- branches/safari-611-branch/LayoutTests/ChangeLog	2021-06-04 20:24:20 UTC (rev 278490)
+++ branches/safari-611-branch/LayoutTests/ChangeLog	2021-06-04 20:24:24 UTC (rev 278491)
@@ -1,3 +1,51 @@
+2021-06-04  Alan Coon  <[email protected]>
+
+        Cherry-pick r277644. rdar://problem/78875252
+
+    SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance
+    https://bugs.webkit.org/show_bug.cgi?id=225219
+    
+    Patch by Frederic Wang <[email protected]> on 2021-05-18
+    Reviewed by Ryosuke Niwa.
+    
+    Source/WebCore:
+    
+    When FrameSelection::selectFrameElementInParentIfFullySelected sets focus on the parent
+    frame, that can trigger DOM events, possibly making orphan the newSelection prepared before.
+    This patch fixes that issue by clearing the selection on that parent frame in such a
+    situation.
+    
+    Test: editing/selection/selection-in-iframe-removed-assert.html
+    
+    * editing/FrameSelection.cpp:
+    (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): Check if the
+    newSelection became orphan and if so, clear it.
+    
+    LayoutTests:
+    
+    Add a regression test.
+    
+    * editing/selection/selection-in-iframe-removed-assert.html: Copied from
+    editing/selection/selection-in-iframe-removed-crash.html, with an additional
+    requestAnimationFrame.
+    * editing/selection/selection-in-iframe-removed-assert-expected.txt: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-05-18  Frederic Wang  <[email protected]>
+
+            SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance
+            https://bugs.webkit.org/show_bug.cgi?id=225219
+
+            Reviewed by Ryosuke Niwa.
+
+            Add a regression test.
+
+            * editing/selection/selection-in-iframe-removed-assert.html: Copied from
+            editing/selection/selection-in-iframe-removed-crash.html, with an additional
+            requestAnimationFrame.
+            * editing/selection/selection-in-iframe-removed-assert-expected.txt: Added.
+
 2021-05-12  Russell Epstein  <[email protected]>
 
         Cherry-pick r277373. rdar://problem/77916543

Added: branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert-expected.txt (0 => 278491)


--- branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert-expected.txt	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert-expected.txt	2021-06-04 20:24:24 UTC (rev 278491)
@@ -0,0 +1 @@
+Test passes if it does not hit any assertions.

Added: branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert.html (0 => 278491)


--- branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert.html	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/editing/selection/selection-in-iframe-removed-assert.html	2021-06-04 20:24:24 UTC (rev 278491)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not hit any assertions.
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+var docElement = document.documentElement;
+function crash() {
+    iframe1 = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+    iframe1.setAttribute("srcdoc", "ABC");
+    docElement.appendChild(iframe1);
+    document1 = document.implementation.createDocument("", null);
+    iframe1.addEventListener("DOMFocusOut", function () { document1.adoptNode(iframe1); }, false);
+    iframe1.focus();
+    requestAnimationFrame(() => setTimeout(finish, 0));
+}
+
+function finish() {
+    document.designMode = "on";
+    range1 = document.createRange();
+    range1.selectNodeContents(iframe1.contentDocument);
+    window.getSelection().addRange(range1);
+    if (window.testRunner) {
+        document.body.innerHTML = 'Test passes if it does not hit any assertions.';
+        testRunner.notifyDone();
+    }
+}
+
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>

Modified: branches/safari-611-branch/Source/WebCore/ChangeLog (278490 => 278491)


--- branches/safari-611-branch/Source/WebCore/ChangeLog	2021-06-04 20:24:20 UTC (rev 278490)
+++ branches/safari-611-branch/Source/WebCore/ChangeLog	2021-06-04 20:24:24 UTC (rev 278491)
@@ -1,5 +1,57 @@
 2021-06-04  Alan Coon  <[email protected]>
 
+        Cherry-pick r277644. rdar://problem/78875252
+
+    SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance
+    https://bugs.webkit.org/show_bug.cgi?id=225219
+    
+    Patch by Frederic Wang <[email protected]> on 2021-05-18
+    Reviewed by Ryosuke Niwa.
+    
+    Source/WebCore:
+    
+    When FrameSelection::selectFrameElementInParentIfFullySelected sets focus on the parent
+    frame, that can trigger DOM events, possibly making orphan the newSelection prepared before.
+    This patch fixes that issue by clearing the selection on that parent frame in such a
+    situation.
+    
+    Test: editing/selection/selection-in-iframe-removed-assert.html
+    
+    * editing/FrameSelection.cpp:
+    (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): Check if the
+    newSelection became orphan and if so, clear it.
+    
+    LayoutTests:
+    
+    Add a regression test.
+    
+    * editing/selection/selection-in-iframe-removed-assert.html: Copied from
+    editing/selection/selection-in-iframe-removed-crash.html, with an additional
+    requestAnimationFrame.
+    * editing/selection/selection-in-iframe-removed-assert-expected.txt: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-05-18  Frederic Wang  <[email protected]>
+
+            SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance
+            https://bugs.webkit.org/show_bug.cgi?id=225219
+
+            Reviewed by Ryosuke Niwa.
+
+            When FrameSelection::selectFrameElementInParentIfFullySelected sets focus on the parent
+            frame, that can trigger DOM events, possibly making orphan the newSelection prepared before.
+            This patch fixes that issue by clearing the selection on that parent frame in such a
+            situation.
+
+            Test: editing/selection/selection-in-iframe-removed-assert.html
+
+            * editing/FrameSelection.cpp:
+            (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): Check if the
+            newSelection became orphan and if so, clear it.
+
+2021-06-04  Alan Coon  <[email protected]>
+
         Cherry-pick r276359. rdar://problem/78875297
 
     Integrator's note: did some conflict resolution here. Did a partial find-and-replace to update pullSamples as well.

Modified: branches/safari-611-branch/Source/WebCore/editing/FrameSelection.cpp (278490 => 278491)


--- branches/safari-611-branch/Source/WebCore/editing/FrameSelection.cpp	2021-06-04 20:24:20 UTC (rev 278490)
+++ branches/safari-611-branch/Source/WebCore/editing/FrameSelection.cpp	2021-06-04 20:24:24 UTC (rev 278491)
@@ -1965,7 +1965,11 @@
     VisibleSelection newSelection(beforeOwnerElement, afterOwnerElement);
     if (parent->selection().shouldChangeSelection(newSelection)) {
         page->focusController().setFocusedFrame(parent);
-        parent->selection().setSelection(newSelection);
+        // Previous focus can trigger DOM events, ensure the selection did not become orphan.
+        if (newSelection.isOrphan())
+            parent->selection().clear();
+        else
+            parent->selection().setSelection(newSelection);
     }
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes