DescriptionMake SelectionEditor::setWithoutValidation() not to use obsoleted layout objects
Before this patch, |SelectionEditor::setWithoutValidation()| calls
|adjustVisibleSelectionInComposedTree()| to update composed tree version of
selection from DOM position. In |adjustVisibleSelectionInComposedTree()|, it
uses layout object in |mostBackwaredCaretPosition()| without updating layout
tree, via |VisibleSelection::computeSelectionType()|.
When |SelectionEditor::setWithoutValidation()| is called during DOM mutation,
e.g. |nodeWillBeRemove()|, Blink uses obsoleted layout object and it is not
safe.
This patch fixes above situation to make
|SelectionEditor::setWithoutValidation()| to call
|VisibleSelectionInComposedTree::setWithoutValidation()|.
BUG=561488
TEST=n/a; it is hard to write a test case, since obsoleted layout object is
still alive and there is no way to know obsoleted layout object.
Committed: https://crrev.com/b1d4fb057bdf2189888d502c47ba901f5d5da247
Cr-Commit-Position: refs/heads/master@{#362100}
Patch Set 1 #Patch Set 2 : 2015-11-27T18:11:04 #Patch Set 3 : 2015-11-30T10:45:57 #
Messages
Total messages: 18 (9 generated)
|