Title: [178360] releases/WebKitGTK/webkit-2.6
- Revision
- 178360
- Author
- [email protected]
- Date
- 2015-01-13 04:40:53 -0800 (Tue, 13 Jan 2015)
Log Message
Merge r178231 - Calling clearSelection on a detached RenderObject leads to segfault.
https://bugs.webkit.org/show_bug.cgi?id=140275
Reviewed by Simon Fraser.
We collect selection rects and compute selection gaps in order to
paint/clear selection. With certain content, we need to be able
to walk the tree up to a particular container to compute the selection rect.
However this container might not be available when the selection is part of a detached tree.
This is a null-check fix to ensure we don't crash in such cases, but in the long run
selection gaps and rect should be cached between two layouts so that we don't need to
keep collecting/recomputing them. Tracked here: webkit.org/b/140321
Source/WebCore:
Test: editing/selection/clearselection-on-detached-subtree-crash.html
* rendering/RenderBox.cpp:
(WebCore::RenderBox::containingBlockLogicalWidthForContent):
(WebCore::RenderBox::containingBlockLogicalHeightForContent):
* rendering/RenderView.cpp:
(WebCore::RenderView::clearSelection):
LayoutTests:
* editing/selection/clearselection-on-detached-subtree-crash-expected.txt: Added.
* editing/selection/clearselection-on-detached-subtree-crash.html: Added.
Modified: releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog (178359 => 178360)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-13 12:09:53 UTC (rev 178359)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-13 12:40:53 UTC (rev 178360)
@@ -1,3 +1,21 @@
+2015-01-09 Zalan Bujtas <[email protected]>
+
+ Calling clearSelection on a detached RenderObject leads to segfault.
+ https://bugs.webkit.org/show_bug.cgi?id=140275
+
+ Reviewed by Simon Fraser.
+
+ We collect selection rects and compute selection gaps in order to
+ paint/clear selection. With certain content, we need to be able
+ to walk the tree up to a particular container to compute the selection rect.
+ However this container might not be available when the selection is part of a detached tree.
+ This is a null-check fix to ensure we don't crash in such cases, but in the long run
+ selection gaps and rect should be cached between two layouts so that we don't need to
+ keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+ * editing/selection/clearselection-on-detached-subtree-crash-expected.txt: Added.
+ * editing/selection/clearselection-on-detached-subtree-crash.html: Added.
+
2014-12-18 Chris Fleizach <[email protected]>
AX: Recursive crash at WebCore::accessibleNameForNode
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt (0 => 178360)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt 2015-01-13 12:40:53 UTC (rev 178360)
@@ -0,0 +1,3 @@
+PASS if no crash.
+
+
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html (0 => 178360)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html 2015-01-13 12:40:53 UTC (rev 178360)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This test that calling clearSelection() on an already detached subtree does not crash.</title>
+<style>
+ .outer {
+ position: absolute;
+ }
+ .inner {
+ position: relative;
+ top: 0;
+ left: 0;
+ right: 0;
+ bottom: 0;
+ }
+</style>
+</head>
+<body>
+<div>PASS if no crash.</div>
+<div id="container">
+ <div class="outer">
+ <div class="inner">
+ <input id="input" value="foo">
+ </div>
+ </div>
+</div>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var input = document.getElementById('input');
+ input.setSelectionRange(0, 1);
+ var container = document.getElementById('container');
+ var div1 = document.createElement('div');
+ div1.style.display = 'inline-block';
+ container.appendChild(div1);
+ var div2 = document.createElement('div');
+ container.appendChild(div2);
+ div2.offsetHeight;
+ container.removeChild(div2);
+</script>
+</body>
+</html>
\ No newline at end of file
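Review bot: the `<title>` in this test reads "This test that calling clearSelection() on an already detached subtree does not crash."; it should read "This tests that ...". The file is also added without a trailing newline (`\ No newline at end of file`); adding one avoids a spurious diff the next time the test is touched.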
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog (178359 => 178360)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2015-01-13 12:09:53 UTC (rev 178359)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2015-01-13 12:40:53 UTC (rev 178360)
@@ -1,3 +1,26 @@
+2015-01-09 Zalan Bujtas <[email protected]>
+
+ Calling clearSelection on a detached RenderObject leads to segfault.
+ https://bugs.webkit.org/show_bug.cgi?id=140275
+
+ Reviewed by Simon Fraser.
+
+ We collect selection rects and compute selection gaps in order to
+ paint/clear selection. With certain content, we need to be able
+ to walk the tree up to a particular container to compute the selection rect.
+ However this container might not be available when the selection is part of a detached tree.
+ This is a null-check fix to ensure we don't crash in such cases, but in the long run
+ selection gaps and rect should be cached between two layouts so that we don't need to
+ keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+ Test: editing/selection/clearselection-on-detached-subtree-crash.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::containingBlockLogicalWidthForContent):
+ (WebCore::RenderBox::containingBlockLogicalHeightForContent):
+ * rendering/RenderView.cpp:
+ (WebCore::RenderView::clearSelection):
+
2014-12-18 Chris Fleizach <[email protected]>
AX: Recursive crash at WebCore::accessibleNameForNode
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderBox.cpp (178359 => 178360)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderBox.cpp 2015-01-13 12:09:53 UTC (rev 178359)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderBox.cpp 2015-01-13 12:40:53 UTC (rev 178360)
@@ -1828,6 +1828,8 @@
#endif
RenderBlock* cb = containingBlock();
+ if (!cb)
+ return LayoutUnit();
return cb->availableLogicalWidth();
}
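Review bot: the new early return `if (!cb) return LayoutUnit();` makes a null containing block indistinguishable from a zero-width one for every caller of containingBlockLogicalWidthForContent, not only the detached-tree selection path the ChangeLog describes. A short comment stating that a null containing block is only expected for renderers in a detached subtree would keep the silent zero from being mistaken for a real layout result elsewhere.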
@@ -1839,6 +1841,8 @@
#endif
RenderBlock* cb = containingBlock();
+ if (!cb)
+ return LayoutUnit();
return cb->availableLogicalHeight(heightType);
}
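Review bot: this is the same null guard as the one just added to containingBlockLogicalWidthForContent. Since the ChangeLog says the detached-tree case should go away once selection gaps and rects are cached (webkit.org/b/140321), a FIXME referencing that bug at both sites would make it clear when the two checks can be removed together.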
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderView.cpp (178359 => 178360)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderView.cpp 2015-01-13 12:09:53 UTC (rev 178359)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderView.cpp 2015-01-13 12:40:53 UTC (rev 178360)
@@ -1105,7 +1105,7 @@
void RenderView::clearSelection()
{
layer()->repaintBlockSelectionGaps();
- setSelection(0, -1, 0, -1, RepaintNewMinusOld);
+ setSelection(nullptr, -1, nullptr, -1, RepaintNewMinusOld);
}
bool RenderView::printing() const
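Review bot: the only change in RenderView::clearSelection is replacing `0` with `nullptr` in the setSelection call, a style fix with no behaviour change, yet the ChangeLog lists this function under the crash fix. The entry should note that the actual null-pointer guard lives in RenderBox.cpp and that this hunk is cosmetic, otherwise someone bisecting the segfault will look here first.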