Title: [144400] trunk
Revision: 144400
Author: [email protected]
Date: 2013-02-28 17:24:47 -0800 (Thu, 28 Feb 2013)

Log Message

Stale FrameSelection in removed iframe causes crash
https://bugs.webkit.org/show_bug.cgi?id=108696

Reviewed by Ryosuke Niwa.

Source/WebCore:

Catching a specific issue where selectFrameElementInParentIfFullySelected in a nested
iFrame that is removed can leave the outer frame's selection referencing stale nodes.
Instead, in this case, we keep the frame alive long enough to check for this condition
and clear our selection if we hit it.

Test: editing/selection/selection-in-iframe-removed-crash.html

* editing/FrameSelection.cpp:
(WebCore::FrameSelection::setSelection):

LayoutTests:

* editing/selection/selection-in-iframe-removed-crash-expected.txt: Added.
* editing/selection/selection-in-iframe-removed-crash.html: Added.
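The guard-and-check pattern described in the log message, modelled as a stand-alone C++ program. This is an added illustration, not WebKit code: `std::shared_ptr` stands in for `WTF::RefPtr`, `use_count() == 1` for `Frame::hasOneRef()`, a `Node::inDocument` flag for the orphaned-node test behind `isNonOrphanedCaretOrRange()`, and the inner frame's `afterSetSelection` hook plays the part of `selectFrameElementInParentIfFullySelected` together with the focus handler that adopts the iframe out of the document. `Frame`, `Node`, `Selection`, `Outcome` and `runScenario` are the example's own names. The strong reference is taken in both variants, because without it the model would free the inner frame while its own member function is still executing, which is the crash the patch fixes; the `applyFix` flag toggles only the stale-selection check that the patch adds after the nested call.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Constructed model of the FrameSelection::setSelection fix; not WebKit code.
// std::shared_ptr stands in for WTF::RefPtr, use_count() == 1 for Frame::hasOneRef().

struct Frame;

// A DOM node: the frame whose document it belongs to, and whether it is still in that document.
struct Node {
    explicit Node(Frame* f) : frame(f) {}
    Frame* frame;
    bool inDocument = true;
};

// A selection anchored on one node. A selection whose node has left its document is orphaned.
struct Selection {
    explicit Selection(Node* n = nullptr) : base(n) {}
    Node* base;
    bool isNonOrphanedCaretOrRange() const { return base && base->inDocument; }
};

struct Frame : std::enable_shared_from_this<Frame> {
    Selection selection;
    // Runs after this frame stores a selection; the scenario below uses it to model the
    // re-entrant selectFrameElementInParentIfFullySelected path plus the iframe's removal.
    std::function<void()> afterSetSelection;
    bool applyFix = true;

    void clear() { selection = Selection(); }

    void setSelection(const Selection& s) {
        if (s.base && s.base->frame != this) {
            // The selection lives in another frame: delegate, but hold a strong reference first so
            // re-entrant code cannot destroy that frame while its setSelection is still running.
            std::shared_ptr<Frame> guard = s.base->frame->shared_from_this();
            guard->setSelection(s);
            // If we are now the last owner, the frame was detached during the call. A selection it
            // pushed into us may then reference nodes that left the document, so drop it.
            if (applyFix && guard.use_count() == 1 && !selection.isNonOrphanedCaretOrRange())
                clear();
            return;
        }
        selection = s;
        if (afterSetSelection)
            afterSetSelection();
    }
};

struct Outcome {
    bool innerAliveDuringReentry;   // the guard kept the inner frame alive after its owner let go
    bool innerDestroyedAfterwards;  // and released it once the nested call had returned
    bool outerSelectionStale;       // the outer selection still points at an orphaned node
};

// Replays the layout test: select the iframe's contents from the outer frame, have the nested
// call select the <iframe> element in the parent, then remove the iframe mid-call.
Outcome runScenario(bool applyFix) {
    auto outer = std::make_shared<Frame>();
    auto inner = std::make_shared<Frame>();   // 'inner' is the owning reference (the iframe's document)
    std::weak_ptr<Frame> watch = inner;       // observes liveness without owning
    outer->applyFix = applyFix;

    Node iframeElement(outer.get());          // the <iframe> element in the outer document
    Node innerContent(inner.get());           // content inside the iframe's document
    Outcome out{false, false, false};

    inner->afterSetSelection = [&] {
        // selectFrameElementInParentIfFullySelected: the parent now selects the <iframe> element.
        outer->setSelection(Selection(&iframeElement));
        // The focus handler adopts the <iframe> into another document: the element leaves this
        // document and the inner frame's owning reference is dropped while we are still inside it.
        iframeElement.inDocument = false;
        inner.reset();
        out.innerAliveDuringReentry = !watch.expired();
    };

    outer->setSelection(Selection(&innerContent));   // cross-frame: delegated under the guard
    out.innerDestroyedAfterwards = watch.expired();
    out.outerSelectionStale = outer->selection.base && !outer->selection.isNonOrphanedCaretOrRange();
    return out;
}

int main() {
    Outcome before = runScenario(false);
    Outcome after = runScenario(true);
    std::printf("without check: alive during reentry=%d, destroyed afterwards=%d, outer stale=%d\n",
                before.innerAliveDuringReentry, before.innerDestroyedAfterwards, before.outerSelectionStale);
    std::printf("with check:    alive during reentry=%d, destroyed afterwards=%d, outer stale=%d\n",
                after.innerAliveDuringReentry, after.innerDestroyedAfterwards, after.outerSelectionStale);
    return 0;
}
```

The two runs differ only in the check: in both the guard keeps the inner frame alive across the nested call and releases it afterwards, but only with the check does the outer frame end up without a selection anchored on a node that has left the document.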

Diff

Modified: trunk/LayoutTests/ChangeLog (144399 => 144400)


--- trunk/LayoutTests/ChangeLog	2013-03-01 01:01:31 UTC (rev 144399)
+++ trunk/LayoutTests/ChangeLog	2013-03-01 01:24:47 UTC (rev 144400)
@@ -1,3 +1,13 @@
+2013-02-28  Levi Weintraub  <[email protected]>
+
+        Stale FrameSelection in removed iframe causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=108696
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/selection-in-iframe-removed-crash-expected.txt: Added.
+        * editing/selection/selection-in-iframe-removed-crash.html: Added.
+
 2013-02-28  Stephen Chenney  <[email protected]>
 
         [Chromium] Rebaselines for Mac decorations-with-text-combine.html

Added: trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt (0 => 144400)


--- trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt	2013-03-01 01:24:47 UTC (rev 144400)
@@ -0,0 +1 @@
+Test passes if it does not crash. 

Added: trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html (0 => 144400)


--- trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html	2013-03-01 01:24:47 UTC (rev 144400)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var docElement = document.documentElement;
+function crash() {
+    iframe1 = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+    iframe1.setAttribute("srcdoc", "ABC");
+    docElement.appendChild(iframe1);
+    document1 = document.implementation.createDocument("", null);
+    iframe1.addEventListener("DOMFocusOut", function () { document1.adoptNode(iframe1); }, false);
+    iframe1.focus();
+    setTimeout("finish();", 0);
+}
+
+function finish() {
+    document.designMode = "on";
+    range1 = document.createRange();
+    range1.selectNodeContents(iframe1.contentDocument);
+    window.getSelection().addRange(range1);
+}
+
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>
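Review bot: the crash path in this test runs from `setTimeout("finish();", 0)`, but nothing tells the harness to wait for it; with only `testRunner.dumpAsText()` the dump can be taken as soon as the load finishes, so whether `finish()` executes before the result is recorded depends on timing. Pair `testRunner.waitUntilDone()` with the `dumpAsText()` call and end `finish()` with `testRunner.notifyDone()` (both inside `if (window.testRunner)`). Smaller points: `iframe1`, `document1` and `range1` are assigned without `var` and become implicit globals, and the test relies on that for `iframe1` to be visible in `finish()`, so declare it at top level with `var` next to `docElement`; and the string form `setTimeout("finish();", 0)` can simply be `setTimeout(finish, 0)`.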

Modified: trunk/Source/WebCore/ChangeLog (144399 => 144400)


--- trunk/Source/WebCore/ChangeLog	2013-03-01 01:01:31 UTC (rev 144399)
+++ trunk/Source/WebCore/ChangeLog	2013-03-01 01:24:47 UTC (rev 144400)
@@ -1,3 +1,20 @@
+2013-02-28  Levi Weintraub  <[email protected]>
+
+        Stale FrameSelection in removed iframe causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=108696
+
+        Reviewed by Ryosuke Niwa.
+
+        Catching a specific issue where selectFrameElementInParentIfFullySelected in a nested
+        iFrame that is removed can leave the outer frame's selection referencing stale nodes.
+        Instead, in this case, we keep the frame alive long enough to check for this condition
+        and clear our selection if we hit it.
+
+        Test: editing/selection/selection-in-iframe-removed-crash.html
+
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::setSelection):
+
 2013-02-28  Conrad Shultz  <[email protected]>
 
         Need API to control page underlay color

Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (144399 => 144400)


--- trunk/Source/WebCore/editing/FrameSelection.cpp	2013-03-01 01:01:31 UTC (rev 144399)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp	2013-03-01 01:24:47 UTC (rev 144400)
@@ -280,7 +280,13 @@
     if (s.base().anchorNode()) {
         Document* document = s.base().anchorNode()->document();
         if (document && document->frame() && document->frame() != m_frame && document != m_frame->document()) {
+            RefPtr<Frame> guard = document->frame();
             document->frame()->selection()->setSelection(s, options, align, granularity);
+            // It's possible that during the above set selection, this FrameSelection has been modified by
+            // selectFrameElementInParentIfFullySelected, but that the selection is no longer valid since
+            // the frame is about to be destroyed. If this is the case, clear our selection.
+            if (guard->hasOneRef() && !m_selection.isNonOrphanedCaretOrRange())
+                clear();
             return;
         }
     }
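Review bot: the condition `guard->hasOneRef() && !m_selection.isNonOrphanedCaretOrRange()` couples the fix to reference-count accounting, but the comment above it only explains the orphaned-selection half; state there that `hasOneRef()` being true means the document dropped its reference during the nested `setSelection` and `guard` is now the only thing keeping the frame alive, since that is the evidence that the frame is "about to be destroyed". It is also worth recording why the orphan check alone is not used: if `m_selection` references nodes that are no longer in a document after the nested call, clearing it looks right whether or not the frame is going away, and dropping `hasOneRef()` would make the check independent of how many other `RefPtr<Frame>` holders happen to exist at this point.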
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
