Modified: trunk/Source/WebCore/ChangeLog (186683 => 186684)
--- trunk/Source/WebCore/ChangeLog 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebCore/ChangeLog 2015-07-10 20:19:52 UTC (rev 186684)
@@ -1,3 +1,19 @@
+2015-07-10 Zalan Bujtas <za...@apple.com>
+
+ Crash at WebCore::WebPage::innerFrameQuad.
+ https://bugs.webkit.org/show_bug.cgi?id=146843
+ rdar://problem/21501819
+
+ Reviewed by Andreas Kling.
+
+ We may end up with a null rootEditableElement() after calling Document::updateLayout().
+
+ Speculative fix. Not reproducible.
+
+ * page/Frame.cpp: Some const cleanup.
+ (WebCore::Frame::visiblePositionForPoint):
+ * page/Frame.h:
+
2015-07-10 Brady Eidson <beid...@apple.com>
Crash in HistoryController::updateForCommit dereferencing a null HistoryItem.
Modified: trunk/Source/WebCore/page/Frame.cpp (186683 => 186684)
--- trunk/Source/WebCore/page/Frame.cpp 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebCore/page/Frame.cpp 2015-07-10 20:19:52 UTC (rev 186684)
@@ -816,7 +816,7 @@
return document() ? document()->displayStringModifiedByEncoding(str) : str;
}
-VisiblePosition Frame::visiblePositionForPoint(const IntPoint& framePoint)
+VisiblePosition Frame::visiblePositionForPoint(const IntPoint& framePoint) const
{
HitTestResult result = eventHandler().hitTestResultAtPoint(framePoint, HitTestRequest::ReadOnly | HitTestRequest::Active);
Node* node = result.innerNonSharedNode();
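Review bot: The `const` added to visiblePositionForPoint is shallow: the first statement still runs a hit test through `eventHandler()` with an `Active` request, which may force layout and update frame state, so a caller holding a `const Frame&` should not read the qualifier as "no side effects". A one-line comment above the definition, e.g. `// const is shallow: the hit test below may force layout.`, would record that for the next reader. The function body continues outside the hunk.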
Modified: trunk/Source/WebCore/page/Frame.h (186683 => 186684)
--- trunk/Source/WebCore/page/Frame.h 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebCore/page/Frame.h 2015-07-10 20:19:52 UTC (rev 186684)
@@ -223,7 +223,7 @@
WEBCORE_EXPORT String displayStringModifiedByEncoding(const String&) const;
- WEBCORE_EXPORT VisiblePosition visiblePositionForPoint(const IntPoint& framePoint);
+ WEBCORE_EXPORT VisiblePosition visiblePositionForPoint(const IntPoint& framePoint) const;
Document* documentAtPoint(const IntPoint& windowPoint);
WEBCORE_EXPORT RefPtr<Range> rangeForPoint(const IntPoint& framePoint);
Modified: trunk/Source/WebKit2/ChangeLog (186683 => 186684)
--- trunk/Source/WebKit2/ChangeLog 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebKit2/ChangeLog 2015-07-10 20:19:52 UTC (rev 186684)
@@ -1,3 +1,27 @@
+2015-07-10 Zalan Bujtas <za...@apple.com>
+
+ Crash at WebCore::WebPage::innerFrameQuad.
+ https://bugs.webkit.org/show_bug.cgi?id=146843
+ rdar://problem/21501819
+
+ Reviewed by Andreas Kling.
+
+ We may end up with a null rootEditableElement() after calling Document::updateLayout().
+
+ Speculative fix. Not reproducible.
+
+ * WebProcess/WebPage/WebPage.h: Some const cleanup.
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::innerFrameQuad): null check assistedNode.rootEditableElement()
+ (WebKit::constrainPoint):
+ (WebKit::WebPage::selectWithGesture):
+ (WebKit::WebPage::visiblePositionInFocusedNodeForPoint):
+ (WebKit::WebPage::selectPositionAtPoint):
+ (WebKit::WebPage::selectPositionAtBoundaryWithDirection):
+ (WebKit::WebPage::selectTextWithGranularityAtPoint):
+ (WebKit::WebPage::updateSelectionWithExtentPoint):
+ (WebKit::WebPage::getPositionInformation):
+
2015-07-09 Jon Honeycutt <jhoneyc...@apple.com>
[iOS] Document picker has overlapping icons on iPad
Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h (186683 => 186684)
--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h 2015-07-10 20:19:52 UTC (rev 186684)
@@ -927,7 +927,7 @@
void completeSyntheticClick(WebCore::Node* nodeRespondingToClick, const WebCore::FloatPoint& location);
void sendTapHighlightForNodeIfNecessary(uint64_t requestID, WebCore::Node*);
void resetTextAutosizingBeforeLayoutIfNeeded(const WebCore::FloatSize& oldSize, const WebCore::FloatSize& newSize);
- WebCore::VisiblePosition visiblePositionInFocusedNodeForPoint(WebCore::Frame&, const WebCore::IntPoint&);
+ WebCore::VisiblePosition visiblePositionInFocusedNodeForPoint(const WebCore::Frame&, const WebCore::IntPoint&);
void volatilityTimerFired();
#endif
#if !PLATFORM(COCOA)
Modified: trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (186683 => 186684)
--- trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm 2015-07-10 19:01:51 UTC (rev 186683)
+++ trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm 2015-07-10 20:19:52 UTC (rev 186684)
@@ -793,14 +793,14 @@
send(Messages::WebPageProxy::DisableInspectorNodeSearch());
}
-static FloatQuad innerFrameQuad(Frame* frame, Node* assistedNode)
+static FloatQuad innerFrameQuad(const Frame& frame, const Node& assistedNode)
{
- frame->document()->updateLayoutIgnorePendingStylesheets();
- RenderObject* renderer;
- if (assistedNode->hasTagName(HTMLNames::textareaTag) || assistedNode->hasTagName(HTMLNames::inputTag) || assistedNode->hasTagName(HTMLNames::selectTag))
- renderer = assistedNode->renderer();
- else
- renderer = assistedNode->rootEditableElement()->renderer();
+ frame.document()->updateLayoutIgnorePendingStylesheets();
+ RenderElement* renderer = nullptr;
+ if (assistedNode.hasTagName(HTMLNames::textareaTag) || assistedNode.hasTagName(HTMLNames::inputTag) || assistedNode.hasTagName(HTMLNames::selectTag))
+ renderer = downcast<RenderElement>(assistedNode.renderer());
+ else if (Element* rootEditableElement = assistedNode.rootEditableElement())
+ renderer = rootEditableElement->renderer();
if (!renderer)
return FloatQuad();
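Review bot: `frame.document()` is still dereferenced unchecked on the first line of the new body, while the same path now guards `rootEditableElement()`; `Frame::document()` returns a pointer, and the caller's ASSERT states it equals `&assistedNode.document()`, so `assistedNode.document().updateLayoutIgnorePendingStylesheets();` expresses that precondition without a nullable pointer. The textarea/input/select branch passes a possibly-null `assistedNode.renderer()` through `downcast<RenderElement>`; that is only safe if the pointer overload of `downcast` tolerates nullptr — worth confirming, otherwise a control with no renderer would assert there instead of reaching the `if (!renderer)` guard. The quad computation after the guard continues outside the hunk.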
@@ -815,9 +815,9 @@
return FloatQuad(boundingBox);
}
-static IntPoint constrainPoint(const IntPoint& point, Frame* frame, Node* assistedNode)
+static IntPoint constrainPoint(const IntPoint& point, const Frame& frame, const Node& assistedNode)
{
- ASSERT(!assistedNode || &assistedNode->document() == frame->document());
+ ASSERT(&assistedNode.document() == frame.document());
const int DEFAULT_CONSTRAIN_INSET = 2;
IntRect innerFrame = innerFrameQuad(frame, assistedNode).enclosingBoundingBox();
IntPoint constrainedPoint = point;
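Review bot: The rewritten ASSERT on the first line of constrainPoint's body is debug-only, so a release build handed an assisted node from a different document than `frame` would proceed into innerFrameQuad, which runs layout on `frame.document()` and reads geometry from the node. If the callers cannot guarantee the match, `if (&assistedNode.document() != frame.document()) return point;` keeps release behaviour defined; if they can, the ASSERT is enough and a short comment naming the caller invariant that guarantees it would help. The function body continues outside the hunk.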
@@ -951,7 +951,7 @@
void WebPage::selectWithGesture(const IntPoint& point, uint32_t granularity, uint32_t gestureType, uint32_t gestureState, uint64_t callbackID)
{
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
VisiblePosition position = visiblePositionInFocusedNodeForPoint(frame, point);
if (position.isNull()) {
@@ -1690,16 +1690,16 @@
send(Messages::WebPageProxy::VoidCallback(callbackID));
}
-VisiblePosition WebPage::visiblePositionInFocusedNodeForPoint(Frame& frame, const IntPoint& point)
+VisiblePosition WebPage::visiblePositionInFocusedNodeForPoint(const Frame& frame, const IntPoint& point)
{
IntPoint adjustedPoint(frame.view()->rootViewToContents(point));
- IntPoint constrainedPoint = m_assistedNode ? constrainPoint(adjustedPoint, &frame, m_assistedNode.get()) : adjustedPoint;
+ IntPoint constrainedPoint = m_assistedNode ? constrainPoint(adjustedPoint, frame, *m_assistedNode) : adjustedPoint;
return frame.visiblePositionForPoint(constrainedPoint);
}
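Review bot: `frame.view()` is dereferenced on the first line of visiblePositionInFocusedNodeForPoint without a check, while the gesture handlers that call it only test `position.isNull()` afterwards; if `Frame::view()` can be null for the focused frame (it returns a pointer), `FrameView* view = frame.view(); if (!view) return VisiblePosition();` ahead of `rootViewToContents` would turn that case into the null position the callers already handle. This is pre-existing rather than introduced by the const change, and the same pattern appears at `FrameView& view = *frame.view();` in the getPositionInformation hunk.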
void WebPage::selectPositionAtPoint(const WebCore::IntPoint& point, uint64_t callbackID)
{
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
VisiblePosition position = visiblePositionInFocusedNodeForPoint(frame, point);
if (position.isNotNull())
@@ -1709,7 +1709,7 @@
void WebPage::selectPositionAtBoundaryWithDirection(const WebCore::IntPoint& point, uint32_t granularity, uint32_t direction, uint64_t callbackID)
{
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
VisiblePosition position = visiblePositionInFocusedNodeForPoint(frame, point);
if (position.isNotNull()) {
@@ -1736,7 +1736,7 @@
void WebPage::selectTextWithGranularityAtPoint(const WebCore::IntPoint& point, uint32_t granularity, uint64_t callbackID)
{
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
VisiblePosition position = visiblePositionInFocusedNodeForPoint(frame, point);
RefPtr<Range> range;
@@ -1769,7 +1769,7 @@
void WebPage::updateSelectionWithExtentPoint(const WebCore::IntPoint& point, uint64_t callbackID)
{
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
VisiblePosition position = visiblePositionInFocusedNodeForPoint(frame, point);
if (position.isNull()) {
@@ -2113,13 +2113,13 @@
info.point = point;
info.nodeAtPositionIsAssistedNode = (hitNode == m_assistedNode);
if (m_assistedNode) {
- Frame& frame = m_page->focusController().focusedOrMainFrame();
+ const Frame& frame = m_page->focusController().focusedOrMainFrame();
if (frame.editor().hasComposition()) {
const uint32_t kHitAreaWidth = 66;
const uint32_t kHitAreaHeight = 66;
FrameView& view = *frame.view();
IntPoint adjustedPoint(view.rootViewToContents(point));
- IntPoint constrainedPoint = m_assistedNode ? constrainPoint(adjustedPoint, &frame, m_assistedNode.get()) : adjustedPoint;
+ IntPoint constrainedPoint = m_assistedNode ? constrainPoint(adjustedPoint, frame, *m_assistedNode) : adjustedPoint;
VisiblePosition position = frame.visiblePositionForPoint(constrainedPoint);
RefPtr<Range> compositionRange = frame.editor().compositionRange();