<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[178231] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/178231">178231</a></dd>
<dt>Author</dt> <dd>zalan@apple.com</dd>
<dt>Date</dt> <dd>2015-01-09 18:12:01 -0800 (Fri, 09 Jan 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Calling clearSelection on a detached RenderObject leads to segfault.
https://bugs.webkit.org/show_bug.cgi?id=140275

Reviewed by Simon Fraser.

We collect selection rects and compute selection gaps in order to
paint/clear selection. With certain content, we need to be able
to walk the tree up to a particular container to compute the selection rect.
However this container might not be available when the selection is part of a detached tree.
This is a null-check fix to ensure we don't crash in such cases, but in the long run
selection gaps and rect should be cached between two layouts so that we don't need to
keep collecting/recomputing them. Tracked here: webkit.org/b/140321

Source/WebCore:

Test: editing/selection/clearselection-on-detached-subtree-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::containingBlockLogicalWidthForContent):
(WebCore::RenderBox::containingBlockLogicalHeightForContent):
* rendering/RenderView.cpp:
(WebCore::RenderView::clearSelection):

LayoutTests:

* editing/selection/clearselection-on-detached-subtree-crash-expected.txt: Added.
* editing/selection/clearselection-on-detached-subtree-crash.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderBoxcpp">trunk/Source/WebCore/rendering/RenderBox.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderViewcpp">trunk/Source/WebCore/rendering/RenderView.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestseditingselectionclearselectionondetachedsubtreecrashexpectedtxt">trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestseditingselectionclearselectionondetachedsubtreecrashhtml">trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (178230 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-01-10 02:00:45 UTC (rev 178230)
+++ trunk/LayoutTests/ChangeLog        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2015-01-09  Zalan Bujtas  &lt;zalan@apple.com&gt;
+
+        Calling clearSelection on a detached RenderObject leads to segfault.
+        https://bugs.webkit.org/show_bug.cgi?id=140275
+
+        Reviewed by Simon Fraser.
+
+        We collect selection rects and compute selection gaps in order to
+        paint/clear selection. With certain content, we need to be able
+        to walk the tree up to a particular container to compute the selection rect.
+        However this container might not be available when the selection is part of a detached tree.
+        This is a null-check fix to ensure we don't crash in such cases, but in the long run
+        selection gaps and rect should be cached between two layouts so that we don't need to
+        keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+        * editing/selection/clearselection-on-detached-subtree-crash-expected.txt: Added.
+        * editing/selection/clearselection-on-detached-subtree-crash.html: Added.
+
</ins><span class="cx"> 2015-01-09  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
</span></span></pre></div>
<a id="trunkLayoutTestseditingselectionclearselectionondetachedsubtreecrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt (0 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt                                (rev 0)
+++ trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash-expected.txt        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+PASS if no crash.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestseditingselectionclearselectionondetachedsubtreecrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html (0 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html                                (rev 0)
+++ trunk/LayoutTests/editing/selection/clearselection-on-detached-subtree-crash.html        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -0,0 +1,44 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;title&gt;This test that calling clearSelection() on an already detached subtree does not crash.&lt;/title&gt;
+&lt;style&gt;
+  .outer {
+    position: absolute;
+  }
+  .inner {
+    position: relative;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+   }
+&lt;/style&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div&gt;PASS if no crash.&lt;/div&gt;
+&lt;div id=&quot;container&quot;&gt; 
+  &lt;div class=&quot;outer&quot;&gt;
+    &lt;div class=&quot;inner&quot;&gt;
+      &lt;input id=&quot;input&quot; value=&quot;foo&quot;&gt;
+    &lt;/div&gt;
+  &lt;/div&gt;
+&lt;/div&gt;
+
+&lt;script&gt; 
+  if (window.testRunner)
+    testRunner.dumpAsText();
+  
+  var input = document.getElementById('input');
+  input.setSelectionRange(0, 1);
+  var container = document.getElementById('container');
+  var div1 = document.createElement('div');
+  div1.style.display = 'inline-block';
+  container.appendChild(div1);
+  var div2 = document.createElement('div');
+  container.appendChild(div2);
+  div2.offsetHeight;
+  container.removeChild(div2);
+&lt;/script&gt; 
+&lt;/body&gt;
+&lt;/html&gt;
</ins><span class="cx">\ No newline at end of file
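Review bot: the added title line reads "This test that calling clearSelection() on an already detached subtree does not crash"; it should read "This tests that ...". More importantly, nothing in the script calls clearSelection() directly: the crash path is reached by selecting text in the input with setSelectionRange(0, 1), forcing layout with `div2.offsetHeight` and then removing div2 from the container. A one-line comment above `container.removeChild(div2);` stating that this removal is what triggers clearSelection on the detached subtree, and what role the inline-block div1 plays, would keep a future cleanup from simplifying the test into one that no longer exercises the detached-subtree path.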
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (178230 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-01-10 02:00:45 UTC (rev 178230)
+++ trunk/Source/WebCore/ChangeLog        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2015-01-09  Zalan Bujtas  &lt;zalan@apple.com&gt;
+
+        Calling clearSelection on a detached RenderObject leads to segfault.
+        https://bugs.webkit.org/show_bug.cgi?id=140275
+
+        Reviewed by Simon Fraser.
+
+        We collect selection rects and compute selection gaps in order to
+        paint/clear selection. With certain content, we need to be able
+        to walk the tree up to a particular container to compute the selection rect.
+        However this container might not be available when the selection is part of a detached tree.
+        This is a null-check fix to ensure we don't crash in such cases, but in the long run
+        selection gaps and rect should be cached between two layouts so that we don't need to
+        keep collecting/recomputing them. Tracked here: webkit.org/b/140321
+
+        Test: editing/selection/clearselection-on-detached-subtree-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::containingBlockLogicalWidthForContent):
+        (WebCore::RenderBox::containingBlockLogicalHeightForContent):
+        * rendering/RenderView.cpp:
+        (WebCore::RenderView::clearSelection):
+
</ins><span class="cx"> 2015-01-09  Anders Carlsson  &lt;andersca@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Remove more sync database code
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderBoxcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (178230 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderBox.cpp        2015-01-10 02:00:45 UTC (rev 178230)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -1840,6 +1840,8 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     RenderBlock* cb = containingBlock();
</span><ins>+    if (!cb)
+        return LayoutUnit();
</ins><span class="cx">     return cb-&gt;availableLogicalWidth();
</span><span class="cx"> }
</span><span class="cx"> 
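Review bot: the new guard returns a default LayoutUnit (zero) when containingBlock() is null, which turns the detached-subtree case the ChangeLog describes into a silent zero width for any future caller that reaches it for a different reason. A comment on the `if (!cb)` line saying that the containing block is missing only while the renderer sits in a detached tree (bug 140275) would keep the early return from being read as a general-purpose fallback.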
</span><span class="lines">@@ -1851,6 +1853,8 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     RenderBlock* cb = containingBlock();
</span><ins>+    if (!cb)
+        return LayoutUnit();
</ins><span class="cx">     return cb-&gt;availableLogicalHeight(heightType);
</span><span class="cx"> }
</span><span class="cx"> 
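Review bot: this is the same null guard as in containingBlockLogicalWidthForContent above, returning LayoutUnit() for the same condition. Rather than leaving two undocumented early returns, document the detached-tree condition (per the ChangeLog) once where both functions can refer to it, so that if the fallback value ever needs to differ between width and height the reason is recorded next to the code.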
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderView.cpp (178230 => 178231)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderView.cpp        2015-01-10 02:00:45 UTC (rev 178230)
+++ trunk/Source/WebCore/rendering/RenderView.cpp        2015-01-10 02:12:01 UTC (rev 178231)
</span><span class="lines">@@ -1094,7 +1094,7 @@
</span><span class="cx"> void RenderView::clearSelection()
</span><span class="cx"> {
</span><span class="cx">     layer()-&gt;repaintBlockSelectionGaps();
</span><del>-    setSelection(0, -1, 0, -1, RepaintNewMinusOld);
</del><ins>+    setSelection(nullptr, -1, nullptr, -1, RepaintNewMinusOld);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool RenderView::printing() const
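Review bot: the only change in this hunk is replacing the two `0` arguments of setSelection() with `nullptr`, which is a style cleanup rather than part of the null-check fix, yet the ChangeLog entry lists WebCore::RenderView::clearSelection alongside the RenderBox changes without saying so. Either mark it as a cleanup in the ChangeLog or leave it out of this patch so that the change landing for bug 140275 contains only the crash fix.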
</span></span></pre>
</div>
</div>

</body>
</html>