Title: [277624] branches/safari-612.1.15.0-branch/Source/WebCore
- Revision
- 277624
- Author
- alanc...@apple.com
- Date
- 2021-05-17 17:56:07 -0700 (Mon, 17 May 2021)
Log Message
Cherry-pick r277600. rdar://problem/78130123
REGRESSION(r277425): Crash in FrameSelection::selectFrameElementInParentIfFullySelected
https://bugs.webkit.org/show_bug.cgi?id=225795
Patch by Frederic Wang <fw...@igalia.com> on 2021-05-17
Reviewed by Ryosuke Niwa.
r277425 claimed that in FrameSelection::setSelectionWithoutUpdatingAppearance,
!m_document->frame() was equivalent to !selectionEndpointsBelongToMultipleDocuments &&
!selectionIsInAnotherDocument && selectionIsInDetachedDocument, but it misses the case when
newSelection.document() is null. So this patch adds back this particular case to the
original "if" block. This patch also adds an ASSERT on m_document->frame().
No new tests.
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): Add back the case
!m_document->frame() && !newSelection.document() to the first sanity check and ASSERT on
m_document->frame() after the second sanity check.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
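The commit message above describes a refactoring bug worth seeing in isolation: r277425 replaced a direct null-frame guard with a combination of three predicates and claimed equivalence, but the two checks differ on one input (owner document has no frame, new selection has no document). The block below is an added example and not WebKit code: Frame, Document, Selection, the three predicates and the control flow are hypothetical stand-ins modelled from the commit message, with the one load-bearing assumption that a selection with a null document cannot count as "in a detached document". It enumerates every combination of owner-frame state and selection-document state for the three variants of the guard and counts which inputs fall through to a null frame dereference.

```cpp
#include <cstdio>

// Hypothetical stand-ins for WebCore's types (not the project's classes).
struct Frame {};
struct Document { Frame* frame = nullptr; };
struct Selection { Document* document = nullptr; };

enum class Variant { PreR277425, R277425, R277600 };
enum class Outcome { EarlyReturn, Cleared, NullFrameDeref, Proceeded };

// Assumed predicate definitions (modelled, not copied from WebKit). The one that
// matters: a selection with no document at all is not "in a detached document",
// so the (owner has no frame, selection has no document) cell is not covered.
static bool selectionEndpointsBelongToMultipleDocuments(const Selection&)
{
    return false; // this model gives a selection a single endpoint document
}
static bool selectionIsInAnotherDocument(const Document& owner, const Selection& s)
{
    return s.document && s.document != &owner;
}
static bool selectionIsInDetachedDocument(const Selection& s)
{
    return s.document && !s.document->frame;
}

// Model of the two sanity checks at the top of setSelectionWithoutUpdatingAppearance,
// parameterised by which version of the first check is in effect.
Outcome setSelectionModel(const Document* owner, const Selection& s, Variant v)
{
    bool firstCheck = !owner;
    if (owner) {
        switch (v) {
        case Variant::PreR277425: firstCheck = !owner->frame; break;                   // original guard
        case Variant::R277425:    break;                                               // guard removed, claimed redundant
        case Variant::R277600:    firstCheck = !owner->frame && !s.document; break;    // missed cell added back
        }
    }
    if (firstCheck)
        return Outcome::EarlyReturn;      // m_selection = newSelection; return false;
    if (selectionEndpointsBelongToMultipleDocuments(s)
        || selectionIsInAnotherDocument(*owner, s)
        || selectionIsInDetachedDocument(s))
        return Outcome::Cleared;          // clear(); return false;
    // Past both checks the real code goes on to use the owner's frame
    // (TypingCommand::closeTyping and, per the bug title, selectFrameElementInParentIfFullySelected).
    return owner->frame ? Outcome::Proceeded : Outcome::NullFrameDeref;
}

// Exhaustively enumerate owner frame {present, absent} x selection document
// {null, owner, other attached, other detached} and count null-frame dereferences.
int countNullFrameDerefs(Variant v)
{
    Frame f1, f2;
    int count = 0;
    for (int ownerHasFrame = 0; ownerHasFrame < 2; ++ownerHasFrame) {
        Document owner;          owner.frame = ownerHasFrame ? &f1 : nullptr;
        Document otherAttached;  otherAttached.frame = &f2;
        Document otherDetached;  // frame stays null
        Document* candidates[] = { nullptr, &owner, &otherAttached, &otherDetached };
        for (Document* d : candidates) {
            Selection s;
            s.document = d;
            if (setSelectionModel(&owner, s, v) == Outcome::NullFrameDeref)
                ++count;
        }
    }
    return count;
}

int main()
{
    std::printf("pre-r277425: %d null-frame derefs\n", countNullFrameDerefs(Variant::PreR277425));
    std::printf("r277425:     %d null-frame derefs\n", countNullFrameDerefs(Variant::R277425));
    std::printf("r277600:     %d null-frame derefs\n", countNullFrameDerefs(Variant::R277600));
    return 0;
}
```

Under these assumptions the original guard and the r277600 guard never reach a null frame, while the r277425 guard lets exactly one input through: a frameless owner document paired with a selection whose document() is null, which is the case the commit message names. The general lesson for reviewing a "these checks are equivalent" refactor is to enumerate the inputs, null pointers included, rather than reason about the non-null case only.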
Modified Paths
Diff
Modified: branches/safari-612.1.15.0-branch/Source/WebCore/ChangeLog (277623 => 277624)
--- branches/safari-612.1.15.0-branch/Source/WebCore/ChangeLog 2021-05-18 00:44:40 UTC (rev 277623)
+++ branches/safari-612.1.15.0-branch/Source/WebCore/ChangeLog 2021-05-18 00:56:07 UTC (rev 277624)
@@ -1,3 +1,48 @@
+2021-05-17 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r277600. rdar://problem/78130123
+
+ REGRESSION(r277425): Crash in FrameSelection::selectFrameElementInParentIfFullySelected
+ https://bugs.webkit.org/show_bug.cgi?id=225795
+
+ Patch by Frederic Wang <fw...@igalia.com> on 2021-05-17
+ Reviewed by Ryosuke Niwa.
+
+ r277425 claimed that in FrameSelection::setSelectionWithoutUpdatingAppearance,
+ !m_document->frame() was equivalent to !selectionEndpointsBelongToMultipleDocuments &&
+ !selectionIsInAnotherDocument && selectionIsInDetachedDocument, but it misses the case when
+ newSelection.document() is null. So this patch adds back this particular case to the
+ original "if" block. This patch also adds an ASSERT on m_document->frame().
+
+ No new tests.
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): Add back the case
+ !m_document->frame() && !newSelection.document() to the first sanity check and ASSERT on
+ m_document->frame() after the second sanity check.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-05-17 Frederic Wang <fw...@igalia.com>
+
+ REGRESSION(r277425): Crash in FrameSelection::selectFrameElementInParentIfFullySelected
+ https://bugs.webkit.org/show_bug.cgi?id=225795
+
+ Reviewed by Ryosuke Niwa.
+
+ r277425 claimed that in FrameSelection::setSelectionWithoutUpdatingAppearance,
+ !m_document->frame() was equivalent to !selectionEndpointsBelongToMultipleDocuments &&
+ !selectionIsInAnotherDocument && selectionIsInDetachedDocument, but it misses the case when
+ newSelection.document() is null. So this patch adds back this particular case to the
+ original "if" block. This patch also adds an ASSERT on m_document->frame().
+
+ No new tests.
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): Add back the case
+ !m_document->frame() && !newSelection.document() to the first sanity check and ASSERT on
+ m_document->frame() after the second sanity check.
+
2021-05-17 Russell Epstein <repst...@apple.com>
Cherry-pick r277453. rdar://problem/78112386
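Review bot: "No new tests." in both ChangeLog entries leaves the exact input that r277425 missed (a document with no frame and a newSelection whose document() is null) without a regression test, even though the entry is titled REGRESSION and carries a crash radar; a layout or API test that drives that case through setSelectionWithoutUpdatingAppearance would catch the next refactor that folds the guard back into the detached-document check.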
Modified: branches/safari-612.1.15.0-branch/Source/WebCore/editing/FrameSelection.cpp (277623 => 277624)
--- branches/safari-612.1.15.0-branch/Source/WebCore/editing/FrameSelection.cpp 2021-05-18 00:44:40 UTC (rev 277623)
+++ branches/safari-612.1.15.0-branch/Source/WebCore/editing/FrameSelection.cpp 2021-05-18 00:56:07 UTC (rev 277624)
@@ -363,7 +363,7 @@
return false;
}
- if (!m_document) {
+ if (!m_document || (!m_document->frame() && !newSelection.document())) {
m_selection = newSelection;
updateAssociatedLiveRange();
return false;
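Review bot: The restored condition `if (!m_document || (!m_document->frame() && !newSelection.document()))` has no comment explaining why a null newSelection.document() needs its own early return instead of being left to the detached-document check further down; since r277425 removed it precisely because it looked redundant, a one-line comment such as "a null newSelection.document() is not caught by selectionIsInDetachedDocument below" would stop that happening again. It is also worth confirming in review that storing `m_selection = newSelection` in this branch, rather than clearing, is the intended behaviour when m_document has no frame.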
@@ -376,6 +376,7 @@
clear();
return false;
}
+ ASSERT(m_document->frame());
if (closeTyping)
TypingCommand::closeTyping(*m_document);
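Review bot: `ASSERT(m_document->frame());` only fires in debug builds, so in release a selection that slips past both sanity checks still reaches `TypingCommand::closeTyping(*m_document)` and the later frame use that this bug is about; given that the previous equivalence claim was already wrong once, consider pairing the ASSERT with a release-mode early return (or a RELEASE_ASSERT) so that a missed case fails closed instead of crashing.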
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes