Context Navigation

← Previous Changeset
Next Changeset →

Changeset 144400 in webkit

Timestamp:

Feb 28, 2013 5:24:47 PM (11 years ago)

Author:

leviw@chromium.org

Message:

Stale FrameSelection in removed iframe causes crash
https://bugs.webkit.org/show_bug.cgi?id=108696

Reviewed by Ryosuke Niwa.

Source/WebCore:

Catching a specific issue where selectFrameElementInParentIfFullySelected in a nested
iFrame that is removed can leave the outer frame's selection referencing stale nodes.
Instead, in this case, we keep the frame alive long enough to check for this condition
and clear our selection if we hit it.

Test: editing/selection/selection-in-iframe-removed-crash.html

editing/FrameSelection.cpp:

(WebCore::FrameSelection::setSelection):

LayoutTests:

editing/selection/selection-in-iframe-removed-crash-expected.txt: Added.
editing/selection/selection-in-iframe-removed-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/editing/selection/selection-in-iframe-removed-crash-expected.txt (added)
LayoutTests/editing/selection/selection-in-iframe-removed-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/editing/FrameSelection.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r144396
+                      r144400
+-02-28  Levi Weintraub  <leviw@chromium.org>
+        Stale FrameSelection in removed iframe causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=108696
+        Reviewed by Ryosuke Niwa.
+        * editing/selection/selection-in-iframe-removed-crash-expected.txt: Added.
+        * editing/selection/selection-in-iframe-removed-crash.html: Added.
 -02-28  Stephen Chenney  <schenney@chromium.org>

trunk/Source/WebCore/ChangeLog

-                      r144399
+                      r144400
+-02-28  Levi Weintraub  <leviw@chromium.org>
+        Stale FrameSelection in removed iframe causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=108696
+        Reviewed by Ryosuke Niwa.
+        Catching a specific issue where selectFrameElementInParentIfFullySelected in a nested
+        iFrame that is removed can leave the outer frame's selection referencing stale nodes.
+        Instead, in this case, we keep the frame alive long enough to check for this condition
+        and clear our selection if we hit it.
+        Test: editing/selection/selection-in-iframe-removed-crash.html
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::setSelection):
 -02-28  Conrad Shultz  <conrad_shultz@apple.com>

trunk/Source/WebCore/editing/FrameSelection.cpp

-                      r143926
+                      r144400
         Document* document = s.base().anchorNode()->document();
         if (document && document->frame() && document->frame() != m_frame && document != m_frame->document()) {
+            RefPtr<Frame> guard = document->frame();
             document->frame()->selection()->setSelection(s, options, align, granularity);
+            // It's possible that during the above set selection, this FrameSelection has been modified by
+            // selectFrameElementInParentIfFullySelected, but that the selection is no longer valid since
+            // the frame is about to be destroyed. If this is the case, clear our selection.
+            if (guard->hasOneRef() && !m_selection.isNonOrphanedCaretOrRange())
+                clear();
             return;
+        }

Note: See TracChangeset for help on using the changeset viewer.