Title: [111899] trunk
- Revision: 111899
- Author: [email protected]
- Date: 2012-03-23 13:56:10 -0700 (Fri, 23 Mar 2012)
Log Message
Crash due to accessing removed parent lineboxes when clearing selection.
https://bugs.webkit.org/show_bug.cgi?id=81359
Reviewed by Eric Seidel.
Source/WebCore:
Similar to r110323, adds the canUpdateSelectionOnRootLineBoxes
check to more places.
Test: editing/selection/clear-selection-crash.html
* rendering/RenderObject.cpp:
(WebCore::RenderObject::canUpdateSelectionOnRootLineBoxes):
* rendering/RenderSelectionInfo.h:
(WebCore::RenderSelectionInfo::RenderSelectionInfo):
(WebCore::RenderBlockSelectionInfo::RenderBlockSelectionInfo):
LayoutTests:
* editing/selection/clear-selection-crash-expected.txt: Added.
* editing/selection/clear-selection-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (111898 => 111899)
--- trunk/LayoutTests/ChangeLog 2012-03-23 20:47:20 UTC (rev 111898)
+++ trunk/LayoutTests/ChangeLog 2012-03-23 20:56:10 UTC (rev 111899)
@@ -1,3 +1,13 @@
+2012-03-23 Abhishek Arya <[email protected]>
+
+ Crash due to accessing removed parent lineboxes when clearing selection.
+ https://bugs.webkit.org/show_bug.cgi?id=81359
+
+ Reviewed by Eric Seidel.
+
+ * editing/selection/clear-selection-crash-expected.txt: Added.
+ * editing/selection/clear-selection-crash.html: Added.
+
2012-03-22 Ojan Vafai <[email protected]>
Initial triage pass of css3/selectors3/xml for the Chromium ports.
Added: trunk/LayoutTests/editing/selection/clear-selection-crash-expected.txt (0 => 111899)
--- trunk/LayoutTests/editing/selection/clear-selection-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/selection/clear-selection-crash-expected.txt 2012-03-23 20:56:10 UTC (rev 111899)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/editing/selection/clear-selection-crash.html (0 => 111899)
--- trunk/LayoutTests/editing/selection/clear-selection-crash.html (rev 0)
+++ trunk/LayoutTests/editing/selection/clear-selection-crash.html 2012-03-23 20:56:10 UTC (rev 111899)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div style="display: -webkit-inline-box">
+ <div id="start" style="display: -webkit-inline-box">
+ <i>
+ <div style="display: run-in; height: 1px"></div>
+ <span id="span1" style="width: 1px">A</span>
+ </i>
+ </div>
+ <i>B</i>
+</div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+document.designMode = 'on';
+document.execCommand('selectall');
+document.body.offsetTop;
+span1.style.display = 'block';
+
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+</script>
+</body>
+</html>
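Review bot: The script reaches the span through the implicit named-element global in `span1.style.display = 'block';` and never references `id="start"`, so the test depends on a lookup side effect and carries an unused id. Use `document.getElementById('span1')` and drop the unused id, or say in a comment what it is for. A one-line comment on why each `document.body.offsetTop` forced layout is there (before the select-all, after it, and after the display change) would make the sequence that dirties the line boxes readable to whoever next has to reduce or port this test. The property change listed right after this file sets `svn:executable` on an HTML layout test, which looks unintended.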
Property changes on: trunk/LayoutTests/editing/selection/clear-selection-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (111898 => 111899)
--- trunk/Source/WebCore/ChangeLog 2012-03-23 20:47:20 UTC (rev 111898)
+++ trunk/Source/WebCore/ChangeLog 2012-03-23 20:56:10 UTC (rev 111899)
@@ -1,3 +1,21 @@
+2012-03-23 Abhishek Arya <[email protected]>
+
+ Crash due to accessing removed parent lineboxes when clearing selection.
+ https://bugs.webkit.org/show_bug.cgi?id=81359
+
+ Reviewed by Eric Seidel.
+
+ Similar to r110323, adds the canUpdateSelectionOnRootLineBoxes
+ check to more places.
+
+ Test: editing/selection/clear-selection-crash.html
+
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::canUpdateSelectionOnRootLineBoxes):
+ * rendering/RenderSelectionInfo.h:
+ (WebCore::RenderSelectionInfo::RenderSelectionInfo):
+ (WebCore::RenderBlockSelectionInfo::RenderBlockSelectionInfo):
+
2012-03-23 Beth Dakin <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=82083
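Review bot: The per-function line `(WebCore::RenderObject::canUpdateSelectionOnRootLineBoxes):` is left blank, and the summary only says the check is added "to more places", yet the function itself changes in this revision: it now returns false when the object itself needs layout. Please say so next to the function name, since every existing caller of the check picks up the stricter result. The two RenderSelectionInfo.h constructor lines could likewise note that they now go through the shared check instead of a bare `needsLayout()`.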
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (111898 => 111899)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2012-03-23 20:47:20 UTC (rev 111898)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2012-03-23 20:56:10 UTC (rev 111899)
@@ -2839,6 +2839,9 @@
bool RenderObject::canUpdateSelectionOnRootLineBoxes()
{
+ if (needsLayout())
+ return false;
+
RenderBlock* containingBlock = this->containingBlock();
return containingBlock ? !containingBlock->needsLayout() : true;
}
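Review bot: The new `if (needsLayout()) return false;` at the top of canUpdateSelectionOnRootLineBoxes() has no comment, and after this change the function tests exactly two objects: this renderer and its containing block. Please add a short comment stating why those two dirty bits are sufficient to conclude the root line boxes are safe to touch, since the log message describes the crash as accessing removed parent line boxes and a reader cannot tell from the code whether renderers between this object and its containing block are covered. As a style point, the unchanged return could read `return !containingBlock || !containingBlock->needsLayout();`, which avoids the ternary yielding a literal `true`.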
Modified: trunk/Source/WebCore/rendering/RenderSelectionInfo.h (111898 => 111899)
--- trunk/Source/WebCore/rendering/RenderSelectionInfo.h 2012-03-23 20:47:20 UTC (rev 111898)
+++ trunk/Source/WebCore/rendering/RenderSelectionInfo.h 2012-03-23 20:56:10 UTC (rev 111899)
@@ -62,7 +62,7 @@
public:
RenderSelectionInfo(RenderObject* o, bool clipToVisibleContent)
: RenderSelectionInfoBase(o)
- , m_rect(o->needsLayout() ? LayoutRect() : o->selectionRectForRepaint(m_repaintContainer, clipToVisibleContent))
+ , m_rect(o->canUpdateSelectionOnRootLineBoxes() ? o->selectionRectForRepaint(m_repaintContainer, clipToVisibleContent) : LayoutRect())
{
}
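Review bot: In the `m_rect(...)` initializer, an empty `LayoutRect()` is now produced not only when `o` needs layout but also when its containing block does, and nothing at the call site says so. A brief comment that the rect is intentionally left empty because the line boxes may be stale until layout runs would document the contract for code that later reads `m_rect`. The initializer is also long enough that hoisting the ternary into a small static helper would keep the constructor readable.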
@@ -83,7 +83,7 @@
public:
RenderBlockSelectionInfo(RenderBlock* b)
: RenderSelectionInfoBase(b)
- , m_rects(b->needsLayout() ? GapRects() : block()->selectionGapRectsForRepaint(m_repaintContainer))
+ , m_rects(b->canUpdateSelectionOnRootLineBoxes() ? block()->selectionGapRectsForRepaint(m_repaintContainer) : GapRects())
{
}
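Review bot: The `m_rects(...)` initializer checks the condition through `b` but computes the value through `block()`, as in `b->canUpdateSelectionOnRootLineBoxes() ? block()->selectionGapRectsForRepaint(...)`. Both appear to name the same RenderBlock, so use one accessor for both sides; mixing them invites a future edit where the guarded object and the object actually dereferenced drift apart, which is the kind of mismatch this change is closing.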