Chromium Code Reviews

Issue 1477313003: Make SelectionEditor::setWithoutValidation() not to use obsoleted layout objects (Closed)

Created:
1 year, 12 months ago by yosin_UTC9
Modified:
1 year, 11 months ago
Reviewers:
yoichio, hajimehoshi
CC:
blink-reviews, chromium-reviews
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Make SelectionEditor::setWithoutValidation() not use obsoleted layout objects

Before this patch, |SelectionEditor::setWithoutValidation()| called |adjustVisibleSelectionInComposedTree()| to update the composed tree version of the selection from the DOM position. |adjustVisibleSelectionInComposedTree()| uses the layout object in |mostBackwardCaretPosition()| without updating the layout tree, via |VisibleSelection::computeSelectionType()|. When |SelectionEditor::setWithoutValidation()| is called during DOM mutation, e.g. from |nodeWillBeRemoved()|, Blink uses an obsoleted layout object, which is not safe.

This patch fixes the above situation by making |SelectionEditor::setWithoutValidation()| call |VisibleSelectionInComposedTree::setWithoutValidation()|.

BUG=561488
TEST=n/a; it is hard to write a test case, since the obsoleted layout object is still alive and there is no way to know that a layout object is obsoleted.

Committed: https://crrev.com/b1d4fb057bdf2189888d502c47ba901f5d5da247
Cr-Commit-Position: refs/heads/master@{#362100}

Patch Set 1 #

Patch Set 2 : 2015-11-27T18:11:04 #

Patch Set 3 : 2015-11-30T10:45:57 #

Stats (+7 lines, -9 lines)
M third_party/WebKit/Source/core/editing/Position.cpp: 1 chunk, +2 lines, -0 lines, 0 comments
M third_party/WebKit/Source/core/editing/SelectionEditor.h: 1 chunk, +1 line, -1 line, 0 comments
M third_party/WebKit/Source/core/editing/SelectionEditor.cpp: 2 chunks, +4 lines, -8 lines, 0 comments

Messages

Total messages: 18 (9 generated)
yosin_UTC9
PTAL. This is part of fixing P1 bug crbug.com/561488 (heap-buffer-overflow).
1 year, 12 months ago (2015-11-27 09:58:56 UTC) #3
hajimehoshi
lgtm
1 year, 12 months ago (2015-11-27 11:41:16 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1477313003/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1477313003/20001
1 year, 12 months ago (2015-11-27 13:23:46 UTC) #6
commit-bot: I haz the power
Try jobs failed on the following builders: linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/147006)
1 year, 12 months ago (2015-11-27 14:21:28 UTC) #8
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1477313003/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1477313003/40001
1 year, 11 months ago (2015-11-30 01:47:31 UTC) #11
commit-bot: I haz the power
Try jobs failed on the following builders: linux_android_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_android_rel_ng/builds/102496)
1 year, 11 months ago (2015-11-30 04:21:11 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1477313003/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1477313003/40001
1 year, 11 months ago (2015-11-30 04:28:36 UTC) #15
commit-bot: I haz the power
Committed patchset #3 (id:40001)
1 year, 11 months ago (2015-11-30 07:09:41 UTC) #16
commit-bot: I haz the power
Message was sent while issue was closed.
Patchset 3 (id:??) landed as
https://crrev.com/b1d4fb057bdf2189888d502c47ba901f5d5da247
Cr-Commit-Position: refs/heads/master@{#362100}
1 year, 11 months ago (2015-11-30 07:10:37 UTC) #18
