Title: [186612] branches/safari-600.8-branch
- Revision
- 186612
- Author
- matthew_han...@apple.com
- Date
- 2015-07-09 14:01:54 -0700 (Thu, 09 Jul 2015)
Log Message
Merge r186504. rdar://problem/21707900
Modified Paths
Added Paths
Diff
Modified: branches/safari-600.8-branch/LayoutTests/ChangeLog (186611 => 186612)
--- branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-09 21:01:50 UTC (rev 186611)
+++ branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-09 21:01:54 UTC (rev 186612)
@@ -1,5 +1,38 @@
2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+ Merge r186504. rdar://problem/21707900
+
+ 2015-07-07 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r185838. rdar://problem/21708257
+
+ 2015-06-22 Zalan Bujtas <za...@apple.com>
+
+ REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
+ https://bugs.webkit.org/show_bug.cgi?id=146116
+ rdar://problem/20959369
+
+ Reviewed by Brent Fulgham.
+
+ This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.
+
+ When multiple selection roots are present we need to ensure that a RenderObject
+ only shows up in one of them.
+ RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
+ selection and sets the selection range (start/end) on each selection root.
+ However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
+ based on visible selection and that could end up collecting renderers as selection start/end
+ from another selection subtree.
+ RenderObject's holds the last selection state (RenderObject::setSelectionState).
+ If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
+ we can't clean up selections properly when this object gets destroyed.
+ One of the roots ends up with a dangling RenderObject pointer.
+
+ * fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt: Added.
+ * fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html: Added.
+
+2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+
Merge r186503. rdar://problem/21707907
2015-07-07 Matthew Hanson <matthew_han...@apple.com>
Added: branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt (0 => 186612)
--- branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt 2015-07-09 21:01:54 UTC (rev 186612)
@@ -0,0 +1,4 @@
+foo
+Pass if no crash or assert in debug.
+foobar
+
Added: branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html (0 => 186612)
--- branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html 2015-07-09 21:01:54 UTC (rev 186612)
@@ -0,0 +1,19 @@
+<html id="webtest0">
+<head>
+<style>
+ :last-child { -webkit-flow-into: foo; }
+</style>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ document.write("foo<br>");
+</script>
+</head>
+<body>Pass if no crash or assert in debug.<summary id="webtest5"><mathml><femerge></femerge></mathml>foobar<table></table></summary></body>
+<script>
+document.querySelector("#webtest0").appendChild(document.createElement("canvas"));
+document.execCommand("SelectAll");
+document.getElementById("webtest5").appendChild(document.createElement("feconvolvematrix"));
+</script>
+</html>
Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (186611 => 186612)
--- branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-09 21:01:50 UTC (rev 186611)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-09 21:01:54 UTC (rev 186612)
@@ -1,5 +1,40 @@
2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+ Merge r186504. rdar://problem/21707900
+
+ 2015-07-07 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r185838. rdar://problem/21708257
+
+ 2015-06-22 Zalan Bujtas <za...@apple.com>
+
+ REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
+ https://bugs.webkit.org/show_bug.cgi?id=146116
+ rdar://problem/20959369
+
+ Reviewed by Brent Fulgham.
+
+ This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.
+
+ When multiple selection roots are present we need to ensure that a RenderObject
+ only shows up in one of them.
+ RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
+ selection and sets the selection range (start/end) on each selection root.
+ However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
+ based on visible selection and that could end up collecting renderers as selection start/end
+ from another selection subtree.
+ RenderObject's holds the last selection state (RenderObject::setSelectionState).
+ If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
+ we can't clean up selections properly when this object gets destroyed.
+ One of the roots ends up with a dangling RenderObject pointer.
+
+ Test: fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html
+
+ * rendering/SelectionSubtreeRoot.cpp:
+ (WebCore::SelectionSubtreeRoot::adjustForVisibleSelection):
+
+2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+
Merge r186503. rdar://problem/21707907
2015-07-07 Matthew Hanson <matthew_han...@apple.com>
Modified: branches/safari-600.8-branch/Source/WebCore/rendering/SelectionSubtreeRoot.cpp (186611 => 186612)
--- branches/safari-600.8-branch/Source/WebCore/rendering/SelectionSubtreeRoot.cpp 2015-07-09 21:01:50 UTC (rev 186611)
+++ branches/safari-600.8-branch/Source/WebCore/rendering/SelectionSubtreeRoot.cpp 2015-07-09 21:01:54 UTC (rev 186612)
@@ -71,15 +71,22 @@
m_selectionEnd = nullptr;
m_selectionEndPos = -1;
- if (startPos.isNotNull()
- && endPos.isNotNull()
- && selection.visibleStart() != selection.visibleEnd()
- && startPos.deprecatedNode()->renderer()->flowThreadContainingBlock() == endPos.deprecatedNode()->renderer()->flowThreadContainingBlock()) {
- m_selectionStart = startPos.deprecatedNode()->renderer();
- m_selectionStartPos = startPos.deprecatedEditingOffset();
- m_selectionEnd = endPos.deprecatedNode()->renderer();
- m_selectionEndPos = endPos.deprecatedEditingOffset();
- }
+ if (startPos.isNull() || endPos.isNull())
+ return;
+
+ if (selection.visibleStart() == selection.visibleEnd())
+ return;
+
+ if (startPos.deprecatedNode()->renderer()->flowThreadContainingBlock() != endPos.deprecatedNode()->renderer()->flowThreadContainingBlock())
+ return;
+
+ if (&startPos.deprecatedNode()->renderer()->selectionRoot() != this)
+ return;
+
+ m_selectionStart = startPos.deprecatedNode()->renderer();
+ m_selectionStartPos = startPos.deprecatedEditingOffset();
+ m_selectionEnd = endPos.deprecatedNode()->renderer();
+ m_selectionEndPos = endPos.deprecatedEditingOffset();
}
} // namespace WebCore
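Review bot: The two new guards dereference `startPos.deprecatedNode()->renderer()` and `endPos.deprecatedNode()->renderer()` without a null check, as the old condition did, so a position whose node has no renderer would be a null dereference inside the very function this commit hardens against a dangling renderer pointer. Hoisting both renderers into locals once, returning early when either is null, and reusing the locals in the comparisons and assignments would also remove the repeated lookups. In addition, only the start renderer's `selectionRoot()` is compared with `this`. If the same-flow-thread check does not already guarantee that the end renderer belongs to the same root, `endRenderer` needs the same test. The body of adjustForVisibleSelection starts above this hunk, so its earlier lines are not visible here.

```cpp
// … unchanged: null-position and collapsed-selection early returns …

auto* startRenderer = startPos.deprecatedNode()->renderer();
auto* endRenderer = endPos.deprecatedNode()->renderer();
if (!startRenderer || !endRenderer)
    return;

if (startRenderer->flowThreadContainingBlock() != endRenderer->flowThreadContainingBlock())
    return;

if (&startRenderer->selectionRoot() != this)
    return;

m_selectionStart = startRenderer;
m_selectionEnd = endRenderer;
// … unchanged: m_selectionStartPos / m_selectionEndPos assignments …
```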