Title: [145469] branches/chromium/1410
- Revision: 145469
- Author: [email protected]
- Date: 2013-03-11 19:48:30 -0700 (Mon, 11 Mar 2013)
Log Message
Merge 144400
BUG=173654
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt (from rev 144400, trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt) (0 => 145469)
--- branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt (rev 0)
+++ branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt 2013-03-12 02:48:30 UTC (rev 145469)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Copied: branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html (from rev 144400, trunk/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html) (0 => 145469)
--- branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html (rev 0)
+++ branches/chromium/1410/LayoutTests/editing/selection/selection-in-iframe-removed-crash.html 2013-03-12 02:48:30 UTC (rev 145469)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var docElement = document.documentElement;
+function crash() {
+ iframe1 = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+ iframe1.setAttribute("srcdoc", "ABC");
+ docElement.appendChild(iframe1);
+ document1 = document.implementation.createDocument("", null);
+ iframe1.addEventListener("DOMFocusOut", function () { document1.adoptNode(iframe1); }, false);
+ iframe1.focus();
+ setTimeout("finish();", 0);
+}
+
+function finish() {
+ document.designMode = "on";
+ range1 = document.createRange();
+ range1.selectNodeContents(iframe1.contentDocument);
+ window.getSelection().addRange(range1);
+}
+
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>
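Review bot: finish() is scheduled with setTimeout("finish();", 0) at the end of crash(), but the test only calls testRunner.dumpAsText() and never testRunner.waitUntilDone(), so nothing visible here guarantees the harness is still running when the addRange() call that exercises the fix executes. Suggest calling testRunner.waitUntilDone() next to dumpAsText() and testRunner.notifyDone() at the end of finish(), so a regression cannot be missed because the test ended early. As a style point, iframe1, document1 and range1 are implicit globals and the timer takes a string; declaring them with var and passing finish as a function reference would make the test easier to read.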
Modified: branches/chromium/1410/Source/WebCore/editing/FrameSelection.cpp (145468 => 145469)
--- branches/chromium/1410/Source/WebCore/editing/FrameSelection.cpp 2013-03-12 02:38:04 UTC (rev 145468)
+++ branches/chromium/1410/Source/WebCore/editing/FrameSelection.cpp 2013-03-12 02:48:30 UTC (rev 145469)
@@ -279,7 +279,13 @@
if (s.base().anchorNode()) {
Document* document = s.base().anchorNode()->document();
if (document && document->frame() && document->frame() != m_frame && document != m_frame->document()) {
+ RefPtr<Frame> guard = document->frame();
document->frame()->selection()->setSelection(s, options, align, granularity);
+ // It's possible that during the above set selection, this FrameSelection has been modified by
+ // selectFrameElementInParentIfFullySelected, but that the selection is no longer valid since
+ // the frame is about to be destroyed. If this is the case, clear our selection.
+ if (guard->hasOneRef() && !m_selection.isNonOrphanedCaretOrRange())
+ clear();
return;
}
}
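Review bot: the new condition guard->hasOneRef() && !m_selection.isNonOrphanedCaretOrRange() clears the selection only when the local guard is the last reference to the other frame. The comment gives the reason for clear() as the selection no longer being valid, so if any other holder still references that frame at this point, an orphaned m_selection is left in place. Consider whether !m_selection.isNonOrphanedCaretOrRange() alone should trigger clear(), or extend the comment to explain why hasOneRef() is the right signal for "about to be destroyed". Also, guard is taken from document->frame() while the next line calls document->frame() again; calling guard->selection()->setSelection(...) would make it clear that the protected pointer is the one being used.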
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes