Crash due to accessing removed parent lineboxes when clearing selection.
authorinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Mar 2012 20:56:10 +0000 (20:56 +0000)
committerinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Mar 2012 20:56:10 +0000 (20:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=81359

Reviewed by Eric Seidel.

Source/WebCore:

Similar to r110323, adds the canUpdateSelectionOnRootLineBoxes
check to more places.

Test: editing/selection/clear-selection-crash.html

* rendering/RenderObject.cpp:
(WebCore::RenderObject::canUpdateSelectionOnRootLineBoxes):
* rendering/RenderSelectionInfo.h:
(WebCore::RenderSelectionInfo::RenderSelectionInfo):
(WebCore::RenderBlockSelectionInfo::RenderBlockSelectionInfo):

LayoutTests:

* editing/selection/clear-selection-crash-expected.txt: Added.
* editing/selection/clear-selection-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@111899 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/selection/clear-selection-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/selection/clear-selection-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderSelectionInfo.h

index a91cb4074fd5754902d7d9ca02e0eaceac1b4dec..7a194683965060f016d8f4e514e31de3893b6500 100644 (file)
@@ -1,3 +1,13 @@
+2012-03-23  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed parent lineboxes when clearing selection.
+        https://bugs.webkit.org/show_bug.cgi?id=81359
+
+        Reviewed by Eric Seidel.
+
+        * editing/selection/clear-selection-crash-expected.txt: Added.
+        * editing/selection/clear-selection-crash.html: Added.
+
 2012-03-22  Ojan Vafai  <ojan@chromium.org>
 
         Initial triage pass of css3/selectors3/xml for the Chromium ports.
diff --git a/LayoutTests/editing/selection/clear-selection-crash-expected.txt b/LayoutTests/editing/selection/clear-selection-crash-expected.txt
new file mode 100644 (file)
index 0000000..2afa0bf
--- /dev/null
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/editing/selection/clear-selection-crash.html b/LayoutTests/editing/selection/clear-selection-crash.html
new file mode 100755 (executable)
index 0000000..24a272f
--- /dev/null
@@ -0,0 +1,27 @@
+<!DOCTYPE html>\r
+<html>\r
+<body>\r
+<div style="display: -webkit-inline-box">\r
+    <div id="start" style="display: -webkit-inline-box">\r
+        <i>\r
+            <div style="display: run-in; height: 1px"></div>\r
+            <span id="span1" style="width: 1px">A</span>\r
+        </i>\r
+    </div>\r
+    <i>B</i>\r
+</div>\r
+<script>\r
+if (window.layoutTestController)\r
+    layoutTestController.dumpAsText();\r
+\r
+document.body.offsetTop;\r
+document.designMode = 'on';\r
+document.execCommand('selectall');\r
+document.body.offsetTop;\r
+span1.style.display = 'block';\r
+\r
+document.body.offsetTop;\r
+document.body.innerHTML = "PASS. WebKit didn't crash.";\r
+</script>\r
+</body>\r
+</html>\r
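Review bot: Every line of the new test carries a trailing `\r` (CRLF line endings) and the file is added as mode 100755, while the sibling expected.txt in this same commit is LF and 100644; normalizing the test to LF and 0644 before landing keeps the directory consistent and avoids spurious whitespace diffs later. The line `span1.style.display = 'block';` relies on the named-element global that browsers create for an element id, which works in the WebKit harness but `document.getElementById('span1').style.display = 'block';` states the intent explicitly. A one-line comment above the script such as `<!-- Forces layout, selects all in designMode, then dirties a line box inside the selection before clearing it (bug 81359). -->` would tell a future reader what the three `offsetTop` forced layouts are for.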
index 4affdd732c35fa73d639b07b732ab717ca0f2df5..0820de8f8f263daa5f13fd363f7a724d4bfc5918 100644 (file)
@@ -1,3 +1,21 @@
+2012-03-23  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed parent lineboxes when clearing selection.
+        https://bugs.webkit.org/show_bug.cgi?id=81359
+
+        Reviewed by Eric Seidel.
+
+        Similar to r110323, adds the canUpdateSelectionOnRootLineBoxes
+        check to more places.
+
+        Test: editing/selection/clear-selection-crash.html
+
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::canUpdateSelectionOnRootLineBoxes):
+        * rendering/RenderSelectionInfo.h:
+        (WebCore::RenderSelectionInfo::RenderSelectionInfo):
+        (WebCore::RenderBlockSelectionInfo::RenderBlockSelectionInfo):
+
 2012-03-23  Beth Dakin  <bdakin@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=82083
index 46afe30b7595bc5e0a2fbdfb621a08a202ef6891..b3239adb8be67cb4d711a8d4009cc8a9ee5b02c2 100755 (executable)
@@ -2839,6 +2839,9 @@ CursorDirective RenderObject::getCursor(const LayoutPoint&, Cursor&) const
 
 bool RenderObject::canUpdateSelectionOnRootLineBoxes()
 {
+    if (needsLayout())
+        return false;
+
     RenderBlock* containingBlock = this->containingBlock();
     return containingBlock ? !containingBlock->needsLayout() : true;
 }
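Review bot: The new `needsLayout()` early return, like the existing containing-block check below it, has no comment saying why a dirty renderer disqualifies a selection update, so the next reader has to rediscover the bug 81359 history; I'd put above the `if`: `// Line boxes are torn down and rebuilt by layout; if this object or its containing block is still dirty, the root line boxes it would touch may already be gone.` The body can also collapse to a single expression with the same result, `return !needsLayout() && (!containingBlock || !containingBlock->needsLayout());`, which avoids the `containingBlock ? ... : true` form. The function only reads state via `needsLayout()` and `containingBlock()`, so it could presumably be declared `const` in the header, which is outside this hunk.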
index 6ce05d6bee69aaa90a52563ce41fc9b1cfe7d141..c5e76ee33225fa96eef942ec8c8206e9a598138c 100644 (file)
@@ -62,7 +62,7 @@ class RenderSelectionInfo : public RenderSelectionInfoBase {
 public:
     RenderSelectionInfo(RenderObject* o, bool clipToVisibleContent)
         : RenderSelectionInfoBase(o)
-        , m_rect(o->needsLayout() ? LayoutRect() : o->selectionRectForRepaint(m_repaintContainer, clipToVisibleContent))
+        , m_rect(o->canUpdateSelectionOnRootLineBoxes() ? o->selectionRectForRepaint(m_repaintContainer, clipToVisibleContent) : LayoutRect())
     {
     }
     
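Review bot: The widened guard on the `m_rect` initializer silently yields an empty `LayoutRect()` for any object whose containing block is dirty, not just for a dirty object as before, and nothing in the header says why an empty rect is the safe answer; I'd add above the constructor: `// Skip the rect when line boxes may be stale (object or containing block needs layout); presumably the pending layout repaints that area anyway.` The phrase about the pending layout is an inference from the old `needsLayout()` behaviour and should be confirmed against the repaint path before landing it as a comment. The initializer also depends on `m_repaintContainer` being set by the base-class constructor first, which is guaranteed by base-before-member initialization order but is worth a word in the same comment.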
@@ -83,7 +83,7 @@ class RenderBlockSelectionInfo : public RenderSelectionInfoBase {
 public:
     RenderBlockSelectionInfo(RenderBlock* b)
         : RenderSelectionInfoBase(b)
-        , m_rects(b->needsLayout() ? GapRects() : block()->selectionGapRectsForRepaint(m_repaintContainer))
+        , m_rects(b->canUpdateSelectionOnRootLineBoxes() ? block()->selectionGapRectsForRepaint(m_repaintContainer) : GapRects())
     { 
     }