Modified: branches/safari-600.5-branch/LayoutTests/ChangeLog (179304 => 179305)
--- branches/safari-600.5-branch/LayoutTests/ChangeLog 2015-01-28 22:52:15 UTC (rev 179304)
+++ branches/safari-600.5-branch/LayoutTests/ChangeLog 2015-01-28 22:52:17 UTC (rev 179305)
@@ -1,5 +1,27 @@
2015-01-28 Matthew <[email protected]>
+ Merge r178231. rdar://problem/19617801
+
+ 2015-01-09 Zalan Bujtas <[email protected]>
+
+ Calling clearSelection on a detached RenderObject leads to segfault.
+ https://bugs.webkit.org/show_bug.cgi?id=140275
+
+ Reviewed by Simon Fraser.
+
+ We collect selection rects and compute selection gaps in order to
+ paint/clear selection. With certain content, we need to be able
+ to walk the tree up to a particular container to compute the selection rect.
+ However this container might not be available when the selection is part of a detached tree.
+ This is a null-check fix to ensure we don't crash in such cases, but in the long run
+ selection gaps and rect should be cached between two layouts so that we don't need to
+ keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+ * editing/selection/clearselection-on-detached-subtree-crash-expected.txt: Added.
+ * editing/selection/clearselection-on-detached-subtree-crash.html: Added.
+
+2015-01-28 Matthew <[email protected]>
+
Merge r177927. rdar://problem/19585726
2015-01-05 Chris Dumez <[email protected]>
Added: branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt (0 => 179305)
--- branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt 2015-01-28 22:52:17 UTC (rev 179305)
@@ -0,0 +1,3 @@
+PASS if no crash.
+
+
Added: branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html (0 => 179305)
--- branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html 2015-01-28 22:52:17 UTC (rev 179305)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This test that calling clearSelection() on an already detached subtree does not crash.</title>
+<style>
+ .outer {
+ position: absolute;
+ }
+ .inner {
+ position: relative;
+ top: 0;
+ left: 0;
+ right: 0;
+ bottom: 0;
+ }
+</style>
+</head>
+<body>
+<div>PASS if no crash.</div>
+<div id="container">
+ <div class="outer">
+ <div class="inner">
+ <input id="input" value="foo">
+ </div>
+ </div>
+</div>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var input = document.getElementById('input');
+ input.setSelectionRange(0, 1);
+ var container = document.getElementById('container');
+ var div1 = document.createElement('div');
+ div1.style.display = 'inline-block';
+ container.appendChild(div1);
+ var div2 = document.createElement('div');
+ container.appendChild(div2);
+ div2.offsetHeight;
+ container.removeChild(div2);
+</script>
+</body>
+</html>
\ No newline at end of file
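Review bot: The `<title>` of the new test is ungrammatical: `This test that calling clearSelection() on an already detached subtree does not crash.` should read `This tests that calling clearSelection() on an already detached subtree does not crash.`. The file is also committed without a trailing newline. The bare `div2.offsetHeight;` statement is presumably there to force a layout between appending and removing `div2`, but nothing says so; a one-line comment such as `// Force a layout so selection state is computed before the subtree is detached.` would make the reproduction intent clear to whoever next edits the test.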
Modified: branches/safari-600.5-branch/Source/WebCore/ChangeLog (179304 => 179305)
--- branches/safari-600.5-branch/Source/WebCore/ChangeLog 2015-01-28 22:52:15 UTC (rev 179304)
+++ branches/safari-600.5-branch/Source/WebCore/ChangeLog 2015-01-28 22:52:17 UTC (rev 179305)
@@ -1,5 +1,32 @@
2015-01-28 Matthew <[email protected]>
+ Merge r178231. rdar://problem/19617801
+
+ 2015-01-09 Zalan Bujtas <[email protected]>
+
+ Calling clearSelection on a detached RenderObject leads to segfault.
+ https://bugs.webkit.org/show_bug.cgi?id=140275
+
+ Reviewed by Simon Fraser.
+
+ We collect selection rects and compute selection gaps in order to
+ paint/clear selection. With certain content, we need to be able
+ to walk the tree up to a particular container to compute the selection rect.
+ However this container might not be available when the selection is part of a detached tree.
+ This is a null-check fix to ensure we don't crash in such cases, but in the long run
+ selection gaps and rect should be cached between two layouts so that we don't need to
+ keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+ Test: editing/selection/clearselection-on-detached-subtree-crash.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::containingBlockLogicalWidthForContent):
+ (WebCore::RenderBox::containingBlockLogicalHeightForContent):
+ * rendering/RenderView.cpp:
+ (WebCore::RenderView::clearSelection):
+
+2015-01-28 Matthew <[email protected]>
+
Merge r177927. rdar://problem/19585726
2015-01-05 Chris Dumez <[email protected]>
Modified: branches/safari-600.5-branch/Source/WebCore/rendering/RenderBox.cpp (179304 => 179305)
--- branches/safari-600.5-branch/Source/WebCore/rendering/RenderBox.cpp 2015-01-28 22:52:15 UTC (rev 179304)
+++ branches/safari-600.5-branch/Source/WebCore/rendering/RenderBox.cpp 2015-01-28 22:52:17 UTC (rev 179305)
@@ -1827,6 +1827,8 @@
#endif
RenderBlock* cb = containingBlock();
+ if (!cb)
+ return LayoutUnit();
return cb->availableLogicalWidth();
}
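Review bot: The new `if (!cb) return LayoutUnit();` guard gives no hint of why `containingBlock()` can be null here, so a later reader may take the null case as unreachable and remove it. The ChangeLog says the null occurs when the box sits in a detached render subtree while the selection is being cleared; that belongs next to the check, e.g. `// A box in a detached subtree has no containing block (webkit.org/b/140275); report zero instead of crashing.`. Returning a silent zero also means any other path that reaches a detached box with this call will now compute against a zero width rather than fail loudly, which the ChangeLog itself flags as an interim fix (webkit.org/b/140321); I can't tell from the hunk whether every caller tolerates that. The enclosing function starts before the hunk.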
@@ -1838,6 +1840,8 @@
#endif
RenderBlock* cb = containingBlock();
+ if (!cb)
+ return LayoutUnit();
return cb->availableLogicalHeight(heightType);
}
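Review bot: The same silent-zero fallback appears here for `containingBlockLogicalHeightForContent`, and on the null path the `heightType` argument is ignored without comment. Suggest documenting the condition at the check, e.g. `// Detached subtree (webkit.org/b/140275): no containing block to measure against, so report zero.`, so the null case is not mistaken for dead code. Whether callers that depend on `heightType` are fine with an unconditional zero is not visible from this hunk. The function's opening lines are outside the hunk.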
Modified: branches/safari-600.5-branch/Source/WebCore/rendering/RenderView.cpp (179304 => 179305)
--- branches/safari-600.5-branch/Source/WebCore/rendering/RenderView.cpp 2015-01-28 22:52:15 UTC (rev 179304)
+++ branches/safari-600.5-branch/Source/WebCore/rendering/RenderView.cpp 2015-01-28 22:52:17 UTC (rev 179305)
@@ -1075,7 +1075,7 @@
void RenderView::clearSelection()
{
layer()->repaintBlockSelectionGaps();
- setSelection(0, -1, 0, -1, RepaintNewMinusOld);
+ setSelection(nullptr, -1, nullptr, -1, RepaintNewMinusOld);
}
bool RenderView::printing() const