Title: [160065] trunk/Source/WebCore
- Revision
- 160065
- Author
- [email protected]
- Date
- 2013-12-03 20:21:51 -0800 (Tue, 03 Dec 2013)
Log Message
Potential crash in RenderView::selectionBounds and RenderView::repaintSelection
https://bugs.webkit.org/show_bug.cgi?id=125207
Reviewed by Simon Fraser.
Merge https://chromium.googlesource.com/chromium/blink/+/f9e6e288a5aa959f05c374806121aaf0fc52d440
Update style in FrameSelection instead of in RenderView's member functions. These are the last two
member functions of RenderView that update the style.
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::focusedOrActiveStateChanged):
(WebCore::FrameSelection::bounds):
* rendering/RenderView.cpp:
(WebCore::RenderView::selectionBounds):
(WebCore::RenderView::repaintSelection):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (160064 => 160065)
--- trunk/Source/WebCore/ChangeLog 2013-12-04 03:23:52 UTC (rev 160064)
+++ trunk/Source/WebCore/ChangeLog 2013-12-04 04:21:51 UTC (rev 160065)
@@ -1,3 +1,22 @@
+2013-12-03 Ryosuke Niwa <[email protected]>
+
+ Potential crash in RenderView::selectionBounds and RenderView::repaintSelection
+ https://bugs.webkit.org/show_bug.cgi?id=125207
+
+ Reviewed by Simon Fraser.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/f9e6e288a5aa959f05c374806121aaf0fc52d440
+
+ Update style in FrameSelection instead of RenderView's member functions. These are the last two
+ member functions of RenderView that updates the style.
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::focusedOrActiveStateChanged):
+ (WebCore::FrameSelection::bounds):
+ * rendering/RenderView.cpp:
+ (WebCore::RenderView::selectionBounds):
+ (WebCore::RenderView::repaintSelection):
+
2013-12-03 Mark Rowe <[email protected]>
<https://webkit.org/b/125143> Improve the formatting in the generated Objective-C headers.
Modified: trunk/Source/WebCore/editing/FrameSelection.cpp (160064 => 160065)
--- trunk/Source/WebCore/editing/FrameSelection.cpp 2013-12-04 03:23:52 UTC (rev 160064)
+++ trunk/Source/WebCore/editing/FrameSelection.cpp 2013-12-04 04:21:51 UTC (rev 160065)
@@ -1687,11 +1687,14 @@
void FrameSelection::focusedOrActiveStateChanged()
{
bool activeAndFocused = isFocusedAndActive();
+ Ref<Document> document(*m_frame->document());
+ document->updateStyleIfNeeded();
+
// Because RenderObject::selectionBackgroundColor() and
// RenderObject::selectionForegroundColor() check if the frame is active,
// we have to update places those colors were painted.
- if (RenderView* view = m_frame->document()->renderView())
+ if (RenderView* view = document->renderView())
view->repaintSelection();
// Caret appears in the active frame.
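Review bot: The added `Ref<Document> document(*m_frame->document());` dereferences the document pointer without a null check, while `FrameSelection::bounds` in this same commit returns early when `m_frame->document()` is null. The removed line also called through that pointer unchecked, so a non-null document may be an invariant here; if it is, state it with `ASSERT(m_frame->document());` before the dereference, otherwise add an early return matching bounds(). A one-line comment on why the Ref is taken would help the next reader, for example `// Style update may run code that drops the document; keep it alive until we return.`, which is presumably the intent, though the hunk does not say so. The function body continues outside this hunk.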
@@ -1705,7 +1708,7 @@
// Because StyleResolver::checkOneSelector() and
// RenderTheme::isFocused() check if the frame is active, we have to
// update style and theme state that depended on those.
- if (Element* element = m_frame->document()->focusedElement()) {
+ if (Element* element = document->focusedElement()) {
element->setNeedsStyleRecalc();
if (RenderObject* renderer = element->renderer())
if (renderer && renderer->style().hasAppearance())
@@ -1920,6 +1923,10 @@
FloatRect FrameSelection::bounds(bool clipToVisibleContent) const
{
+ if (!m_frame->document())
+ return LayoutRect();
+
+ m_frame->document()->updateStyleIfNeeded();
RenderView* root = m_frame->contentRenderer();
FrameView* view = m_frame->view();
if (!root || !view)
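Review bot: The early return added at the top of `bounds()` yields `LayoutRect()` although the function is declared to return `FloatRect`; `return FloatRect();` says what is meant without relying on a conversion between the two rect types. The style update here also goes through the raw `m_frame->document()` pointer, whereas `focusedOrActiveStateChanged` in this commit holds a `Ref<Document>` across the same call. If the update can release the document, the same guard belongs here: `Ref<Document> document(*m_frame->document());` followed by `document->updateStyleIfNeeded();`. The body of bounds() continues past the end of the hunk.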
Modified: trunk/Source/WebCore/rendering/RenderView.cpp (160064 => 160065)
--- trunk/Source/WebCore/rendering/RenderView.cpp 2013-12-04 03:23:52 UTC (rev 160064)
+++ trunk/Source/WebCore/rendering/RenderView.cpp 2013-12-04 04:21:51 UTC (rev 160065)
@@ -667,8 +667,6 @@
IntRect RenderView::selectionBounds(bool clipToVisibleContent) const
{
- document().updateStyleIfNeeded();
-
typedef HashMap<RenderObject*, OwnPtr<RenderSelectionInfo>> SelectionMap;
SelectionMap selectedObjects;
@@ -709,8 +707,6 @@
void RenderView::repaintSelection() const
{
- document().updateStyleIfNeeded();
-
HashSet<RenderBlock*> processedBlocks;
RenderObject* end = rendererAfterPosition(m_selectionEnd, m_selectionEndPos);