Title: [168013] branches/safari-537.76-branch

Diff

Modified: branches/safari-537.76-branch/LayoutTests/ChangeLog (168012 => 168013)


--- branches/safari-537.76-branch/LayoutTests/ChangeLog	2014-04-30 13:59:44 UTC (rev 168012)
+++ branches/safari-537.76-branch/LayoutTests/ChangeLog	2014-04-30 14:02:36 UTC (rev 168013)
@@ -1,5 +1,33 @@
 2014-04-30  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r166457
+
+    2014-03-29  David Kilzer  <ddkil...@apple.com>
+
+            Preserve selection end positions in directionOfSelection
+            <http://webkit.org/b/104813>
+            <rdar://problem/13666417>
+
+            Reviewed by Brent Fulgham.
+
+            Merged from Blink (patch by ke...@chromium.org):
+            https://src.chromium.org/viewvc/blink?revision=150621&view=revision
+            http://crbug.com/164263
+
+                VisibleSelection::visibleStart() and VisibleSelection::visibleEnd()
+                can both cause layouts, which has the potential to invalidate any
+                rendertree-based objects. This was causing a problem in
+                FrameSelection::directionOfSelection(), where a reference to a
+                lineBox was being held across a call to visibleEnd().
+
+                This patch ensures that the any layout is completed before linebox
+                references are retrieved.
+
+            * editing/selection/layout-during-move-selection-crash-expected.txt: Added.
+            * editing/selection/layout-during-move-selection-crash.html: Added.
+
+2014-04-30  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r166428
 
     2014-03-28  Radu Stavila  <stav...@adobe.com>

Copied: branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash-expected.txt (from rev 166457, trunk/LayoutTests/editing/selection/layout-during-move-selection-crash-expected.txt) (0 => 168013)


--- branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash-expected.txt	                        (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash-expected.txt	2014-04-30 14:02:36 UTC (rev 168013)
@@ -0,0 +1,3 @@
+
+button PASS, if no crash or assert in debug
+

Copied: branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash.html (from rev 166457, trunk/LayoutTests/editing/selection/layout-during-move-selection-crash.html) (0 => 168013)


--- branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash.html	                        (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/editing/selection/layout-during-move-selection-crash.html	2014-04-30 14:02:36 UTC (rev 168013)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<span id=span1></span><button id=button1>button</button>
+<style>
+        .embedStyle { min-height: 13pc; -webkit-transition: 10s; }
+</style>
+<script>
+    function runTest() {
+        div1 = document.createElement("div");
+        document.body.appendChild(div1);
+        embed1 = document.createElementNS("http://www.w3.org/1999/xhtml", "embed");
+        document.body.offsetTop;
+        embed1.setAttribute("class", "embedStyle");
+        span1.appendChild(embed1);
+        embed1.setAttribute("type", "block");
+        document.body.offsetTop;
+        r = document.createRange();
+        r.setStart(button1, 0);
+        r.setEnd(div1, div1.childNodes.length);
+        window.getSelection().addRange(r);
+        o = r.extractContents();
+        document.body.appendChild(o);
+        window.getSelection().modify("move", "Right", "character");
+
+        if (window.testRunner) testRunner.dumpAsText();
+    }
+    document.addEventListener("DOMContentLoaded", runTest, false);
+</script>PASS, if no crash or assert in debug
+</html>
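Review bot: in runTest(), testRunner.dumpAsText() is the last statement, after window.getSelection().modify("move", "Right", "character"), so a script exception in any earlier step leaves the test in the default dump mode and shows up as a confusing mismatch against the -expected.txt instead of a clear failure; call it first in the function. The variables div1, embed1, r and o are assigned without var, and span1 and button1 are reached through id-named globals. Declaring the variables and looking the elements up explicitly would make the reproduction's dependencies visible. A short comment on why the two document.body.offsetTop reads and the -webkit-transition rule are needed would help whoever later has to reduce or port this test.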

Modified: branches/safari-537.76-branch/Source/WebCore/ChangeLog (168012 => 168013)


--- branches/safari-537.76-branch/Source/WebCore/ChangeLog	2014-04-30 13:59:44 UTC (rev 168012)
+++ branches/safari-537.76-branch/Source/WebCore/ChangeLog	2014-04-30 14:02:36 UTC (rev 168013)
@@ -1,5 +1,35 @@
 2014-04-30  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r166457
+
+    2014-03-29  David Kilzer  <ddkil...@apple.com>
+
+            Preserve selection end positions in directionOfSelection
+            <http://webkit.org/b/104813>
+            <rdar://problem/13666417>
+
+            Reviewed by Brent Fulgham.
+
+            Merged from Blink (patch by ke...@chromium.org):
+            https://src.chromium.org/viewvc/blink?revision=150621&view=revision
+            http://crbug.com/164263
+
+                VisibleSelection::visibleStart() and VisibleSelection::visibleEnd()
+                can both cause layouts, which has the potential to invalidate any
+                rendertree-based objects. This was causing a problem in
+                FrameSelection::directionOfSelection(), where a reference to a
+                lineBox was being held across a call to visibleEnd().
+
+                This patch ensures that the any layout is completed before linebox
+                references are retrieved.
+
+            Test: editing/selection/layout-during-move-selection-crash.html
+
+            * editing/FrameSelection.cpp:
+            (WebCore::FrameSelection::directionOfSelection):
+
+2014-04-30  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r166428
 
     2014-03-28  Radu Stavila  <stav...@adobe.com>
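Review bot: the description's second paragraph reads "ensures that the any layout is completed" (stray "the"), and the first paragraph says only that holding the lineBox reference across visibleEnd() "was causing a problem". Since the accompanying test passes on "no crash or assert in debug", the entry should name the failure mode directly so the merge is easy to find when triaging crash reports against this branch. The same wording appears in the LayoutTests/ChangeLog entry.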

Modified: branches/safari-537.76-branch/Source/WebCore/editing/FrameSelection.cpp (168012 => 168013)


--- branches/safari-537.76-branch/Source/WebCore/editing/FrameSelection.cpp	2014-04-30 13:59:44 UTC (rev 168012)
+++ branches/safari-537.76-branch/Source/WebCore/editing/FrameSelection.cpp	2014-04-30 14:02:36 UTC (rev 168013)
@@ -500,10 +500,14 @@
     InlineBox* startBox = 0;
     InlineBox* endBox = 0;
     int unusedOffset;
-    if (m_selection.start().isNotNull())
-        m_selection.visibleStart().getInlineBoxAndOffset(startBox, unusedOffset);
-    if (m_selection.end().isNotNull())
-        m_selection.visibleEnd().getInlineBoxAndOffset(endBox, unusedOffset);
+    // Cache the VisiblePositions because visibleStart() and visibleEnd()
+    // can cause layout, which has the potential to invalidate lineboxes.
+    VisiblePosition startPosition = m_selection.visibleStart();
+    VisiblePosition endPosition = m_selection.visibleEnd();
+    if (startPosition.isNotNull())
+        startPosition.getInlineBoxAndOffset(startBox, unusedOffset);
+    if (endPosition.isNotNull())
+        endPosition.getInlineBoxAndOffset(endBox, unusedOffset);
     if (startBox && endBox && startBox->direction() == endBox->direction())
         return startBox->direction();
 
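Review bot: the added comment above startPosition explains why the VisiblePositions are cached, but not the invariant the fix depends on, namely that both visibleStart() and visibleEnd() must have returned before either getInlineBoxAndOffset() call fills in startBox or endBox. A later edit that moves "VisiblePosition endPosition = m_selection.visibleEnd();" below the startBox lookup would reintroduce the stale-pointer condition without contradicting the comment as written, so the comment should state the ordering requirement. Also, the null checks moved from m_selection.start() and m_selection.end() to the cached positions, which means visibleStart() and visibleEnd() now run unconditionally; please confirm that this is intended for a selection whose start or end is null. Finally, startBox and endBox are still raw InlineBox pointers dereferenced in the direction() comparison, so it is worth confirming that getInlineBoxAndOffset() cannot itself trigger layout between the two lookups.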
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
