Title: [183538] trunk
- Revision
- 183538
- Author
- [email protected]
- Date
- 2015-04-29 01:23:12 -0700 (Wed, 29 Apr 2015)
Log Message
Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
https://bugs.webkit.org/show_bug.cgi?id=140261
Patch by Hyungwook Lee <[email protected]> on 2015-04-29
Reviewed by Darin Adler.
Source/WebCore:
We need to check whether RenderObject is valid in RenderView::fooSubtreeSelection functions
because invalid object has caused a crash. This patch adds isValidObjectForNewSelection(), and use it.
* rendering/RenderView.cpp:
(WebCore::isValidObjectForNewSelection):
(WebCore::RenderView::clearSubtreeSelection):
(WebCore::RenderView::applySubtreeSelection):
LayoutTests:
* editing/execCommand/crash-140261-expected.txt: Added.
* editing/execCommand/crash-140261.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (183537 => 183538)
--- trunk/LayoutTests/ChangeLog 2015-04-29 08:18:10 UTC (rev 183537)
+++ trunk/LayoutTests/ChangeLog 2015-04-29 08:23:12 UTC (rev 183538)
@@ -1,3 +1,13 @@
+2015-04-29 Hyungwook Lee <[email protected]>
+
+ Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+ https://bugs.webkit.org/show_bug.cgi?id=140261
+
+ Reviewed by Darin Adler.
+
+ * editing/execCommand/crash-140261-expected.txt: Added.
+ * editing/execCommand/crash-140261.html: Added.
+
2015-04-29 Youenn Fablet <[email protected]>
Synchronous XMLHttpRequest should get access to AppCache resources stored as flat files
Added: trunk/LayoutTests/editing/execCommand/crash-140261-expected.txt (0 => 183538)
--- trunk/LayoutTests/editing/execCommand/crash-140261-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-140261-expected.txt 2015-04-29 08:23:12 UTC (rev 183538)
@@ -0,0 +1,4 @@
+
+Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()
+
+This test passes if it doesn't crash.
Added: trunk/LayoutTests/editing/execCommand/crash-140261.html (0 => 183538)
--- trunk/LayoutTests/editing/execCommand/crash-140261.html (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-140261.html 2015-04-29 08:23:12 UTC (rev 183538)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html contenteditable>
+<body>
+ <div></div>
+ <abbr>
+ <label>
+ <textarea></textarea>
+ </label>
+ <embed></embed>
+ </abbr>
+</body>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.execCommand("selectall", false, null);
+ document.execCommand("insertorderedlist", false, null);
+ document.write("<p>Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()</p>");
+ document.write("<p>This test passes if it doesn't crash.</p>");
+</script>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (183537 => 183538)
--- trunk/Source/WebCore/ChangeLog 2015-04-29 08:18:10 UTC (rev 183537)
+++ trunk/Source/WebCore/ChangeLog 2015-04-29 08:23:12 UTC (rev 183538)
@@ -1,3 +1,18 @@
+2015-04-29 Hyungwook Lee <[email protected]>
+
+ Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+ https://bugs.webkit.org/show_bug.cgi?id=140261
+
+ Reviewed by Darin Adler.
+
+ We need to check whether RenderObject is valid in RenderView::fooSubtreeSelection functions
+ because invalid object has caused a crash. This patch adds isValidObjectForNewSelection(), and use it.
+
+ * rendering/RenderView.cpp:
+ (WebCore::isValidObjectForNewSelection):
+ (WebCore::RenderView::clearSubtreeSelection):
+ (WebCore::RenderView::applySubtreeSelection):
+
2015-04-29 Youenn Fablet <[email protected]>
Synchronous XMLHttpRequest should get access to AppCache resources stored as flat files
Modified: trunk/Source/WebCore/rendering/RenderView.cpp (183537 => 183538)
--- trunk/Source/WebCore/rendering/RenderView.cpp 2015-04-29 08:18:10 UTC (rev 183537)
+++ trunk/Source/WebCore/rendering/RenderView.cpp 2015-04-29 08:23:12 UTC (rev 183538)
@@ -943,6 +943,11 @@
}
}
+static inline bool isValidObjectForNewSelection(const SelectionSubtreeRoot& root, const RenderObject& object)
+{
+ return (object.canBeSelectionLeaf() || &object == root.selectionData().selectionStart() || &object == root.selectionData().selectionEnd()) && object.selectionState() != RenderObject::SelectionNone && object.containingBlock();
+}
+
void RenderView::clearSubtreeSelection(const SelectionSubtreeRoot& root, SelectionRepaintMode blockRepaintMode, OldSelectionData& oldSelectionData) const
{
// Record the old selected objects. These will be used later
@@ -958,8 +963,7 @@
RenderObject* stop = rendererAfterPosition(root.selectionData().selectionEnd(), root.selectionData().selectionEndPos());
SelectionIterator selectionIterator(os);
while (os && os != stop) {
- if ((os->canBeSelectionLeaf() || os == root.selectionData().selectionStart() || os == root.selectionData().selectionEnd())
- && os->selectionState() != SelectionNone) {
+ if (isValidObjectForNewSelection(root, *os)) {
// Blocks are responsible for painting line gaps and margin gaps. They must be examined as well.
oldSelectionData.selectedObjects.set(os, std::make_unique<RenderSelectionInfo>(*os, true));
if (blockRepaintMode == RepaintNewXOROld) {
@@ -1013,7 +1017,7 @@
o = root.selectionData().selectionStart();
selectionIterator = SelectionIterator(o);
while (o && o != stop) {
- if ((o->canBeSelectionLeaf() || o == root.selectionData().selectionStart() || o == root.selectionData().selectionEnd()) && o->selectionState() != SelectionNone) {
+ if (isValidObjectForNewSelection(root, *o)) {
std::unique_ptr<RenderSelectionInfo> selectionInfo = std::make_unique<RenderSelectionInfo>(*o, true);
#if ENABLE(SERVICE_CONTROLS)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
