[webkit-changes] [186425] releases/WebKitGTK/webkit-2.8

Tue, 07 Jul 2015 02:13:42 -0700

Title: [186425] releases/WebKitGTK/webkit-2.8
Revision
186425
Author
[email protected]
Date
2015-07-07 02:13:29 -0700 (Tue, 07 Jul 2015)

Log Message

Merge r185838 - REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
https://bugs.webkit.org/show_bug.cgi?id=146116
rdar://problem/20959369

Reviewed by Brent Fulgham.

This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.

When multiple selection roots are present we need to ensure that a RenderObject
only shows up in one of them.
RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
selection and sets the selection range (start/end) on each selection root.
However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
based on visible selection and that could end up collecting renderers as selection start/end
from another selection subtree.
RenderObject's holds the last selection state (RenderObject::setSelectionState).
If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
we can't clean up selections properly when this object gets destroyed.
One of the roots ends up with a dangling RenderObject pointer.

Source/WebCore:

Test: fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html

* rendering/SelectionSubtreeRoot.cpp:
(WebCore::SelectionSubtreeRoot::adjustForVisibleSelection):

LayoutTests:

* fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt: Added.
* fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html: Added.

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (186424 => 186425)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-07-07 09:09:49 UTC (rev 186424)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-07-07 09:13:29 UTC (rev 186425)
@@ -1,3 +1,28 @@
+2015-06-22  Zalan Bujtas  <[email protected]>
+
+        REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
+        https://bugs.webkit.org/show_bug.cgi?id=146116
+        rdar://problem/20959369
+
+        Reviewed by Brent Fulgham.
+
+        This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.
+
+        When multiple selection roots are present we need to ensure that a RenderObject
+        only shows up in one of them.
+        RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
+        selection and sets the selection range (start/end) on each selection root.
+        However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
+        based on visible selection and that could end up collecting renderers as selection start/end
+        from another selection subtree.
+        RenderObject's holds the last selection state (RenderObject::setSelectionState).
+        If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
+        we can't clean up selections properly when this object gets destroyed.
+        One of the roots ends up with a dangling RenderObject pointer.
+
+        * fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt: Added.
+        * fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html: Added.
+
 2015-06-19  Andy Estes  <[email protected]>
 
         Various assertion failures occur when executing script in the midst of DOM insertion

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt (0 => 186425)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt	2015-07-07 09:13:29 UTC (rev 186425)
@@ -0,0 +1,4 @@
+foo
+Pass if no crash or assert in debug.
+foobar
+

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html (0 => 186425)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html	2015-07-07 09:13:29 UTC (rev 186425)
@@ -0,0 +1,19 @@
+<html id="webtest0">
+<head>
+<style>
+	:last-child { -webkit-flow-into: foo; }
+</style>
+
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.write("foo<br>");
+</script>
+</head>
+<body>Pass if no crash or assert in debug.<summary id="webtest5"><mathml><femerge></femerge></mathml>foobar<table></table></summary></body>
+<script>
+document.querySelector("#webtest0").appendChild(document.createElement("canvas"));
+document.execCommand("SelectAll");
+document.getElementById("webtest5").appendChild(document.createElement("feconvolvematrix"));
+</script>
+</html>

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186424 => 186425)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 09:09:49 UTC (rev 186424)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 09:13:29 UTC (rev 186425)
@@ -1,3 +1,30 @@
+2015-06-22  Zalan Bujtas  <[email protected]>
+
+        REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
+        https://bugs.webkit.org/show_bug.cgi?id=146116
+        rdar://problem/20959369
+
+        Reviewed by Brent Fulgham.
+
+        This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.
+
+        When multiple selection roots are present we need to ensure that a RenderObject
+        only shows up in one of them.
+        RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
+        selection and sets the selection range (start/end) on each selection root.
+        However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
+        based on visible selection and that could end up collecting renderers as selection start/end
+        from another selection subtree.
+        RenderObject's holds the last selection state (RenderObject::setSelectionState).
+        If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
+        we can't clean up selections properly when this object gets destroyed.
+        One of the roots ends up with a dangling RenderObject pointer.
+
+        Test: fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html
+
+        * rendering/SelectionSubtreeRoot.cpp:
+        (WebCore::SelectionSubtreeRoot::adjustForVisibleSelection):
+
 2015-06-19  Joseph Pecoraro  <[email protected]>
 
         Crash under WebCore::PageConsoleClient::addMessage attempting to log insecure content message in ImageDocument

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/SelectionSubtreeRoot.cpp (186424 => 186425)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/SelectionSubtreeRoot.cpp	2015-07-07 09:09:49 UTC (rev 186424)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/SelectionSubtreeRoot.cpp	2015-07-07 09:13:29 UTC (rev 186425)
@@ -69,15 +69,22 @@
 
     m_selectionSubtreeData.clearSelection();
 
-    if (startPos.isNotNull()
-        && endPos.isNotNull()
-        && selection.visibleStart() != selection.visibleEnd()
-        && startPos.deprecatedNode()->renderer()->flowThreadContainingBlock() == endPos.deprecatedNode()->renderer()->flowThreadContainingBlock()) {
-        m_selectionSubtreeData.setSelectionStart(startPos.deprecatedNode()->renderer());
-        m_selectionSubtreeData.setSelectionStartPos(startPos.deprecatedEditingOffset());
-        m_selectionSubtreeData.setSelectionEnd(endPos.deprecatedNode()->renderer());
-        m_selectionSubtreeData.setSelectionEndPos(endPos.deprecatedEditingOffset());
-    }
+    if (startPos.isNull() || endPos.isNull())
+        return;
+
+    if (selection.visibleStart() == selection.visibleEnd())
+        return;
+
+    if (startPos.deprecatedNode()->renderer()->flowThreadContainingBlock() != endPos.deprecatedNode()->renderer()->flowThreadContainingBlock())
+        return;
+
+    if (&startPos.deprecatedNode()->renderer()->selectionRoot() != this)
+        return;
+
+    m_selectionSubtreeData.setSelectionStart(startPos.deprecatedNode()->renderer());
+    m_selectionSubtreeData.setSelectionStartPos(startPos.deprecatedEditingOffset());
+    m_selectionSubtreeData.setSelectionEnd(endPos.deprecatedNode()->renderer());
+    m_selectionSubtreeData.setSelectionEndPos(endPos.deprecatedEditingOffset());
 }
 
 } // namespace WebCore

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to