Chromium Code Reviews

Issue 2988003002: Revert of Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed() (Closed)

Created:
3 years, 4 months ago by yoichio
Modified:
3 years, 4 months ago
Reviewers:
kojih, yosin_UTC9, eae
CC:
blink-reviews, blink-reviews-layout_chromium.org, chromium-reviews, eae+blinkwatch, jchaffraix+rendering, leviw+renderwatch, pdr+renderingwatchlist_chromium.org, szager+layoutwatch_chromium.org, zoltan1
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

Revert of Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed() (patchset #1 id:1 of https://codereview.chromium.org/2811333003/ )

Reason for revert:
This causes use-after-free: crbug.com/748718

Original issue's description:
> Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed()
>
> LayoutView::ClearSelection was originally introduced in 2004 to assure no
> crash:
> https://chromium.googlesource.com/chromium/src/+/10f7ac6ea6784e33161c7979e9a59c5e2cae14b5
>
> Even now that code doesn't make sense because we update LayoutSelection after
> layout in the following sequence:
> 1. FrameView::PerformPostLayoutTasks() checks
>    LayoutSelection::SetHasPendingSelection()
> 2. PaintLayerCompositor::UpdateIfNeededRecursiveInternal() calls
>    LayoutSelection::Commit() and it updates layout selection.
>
> BUG=708453
>
> Review-Url: https://codereview.chromium.org/2811333003
> Cr-Commit-Position: refs/heads/master@{#464352}
> Committed: https://chromium.googlesource.com/chromium/src/+/230b4e0eb7f14d23c70bc4134b8a23a9ddccd5a8

TBR=yosin@chromium.org,eae@chromium.org,kojih@chromium.org

# Not skipping CQ checks because original CL landed more than 1 day ago.

BUG=708453, 748718

Review-Url: https://codereview.chromium.org/2988003002
Cr-Commit-Position: refs/heads/master@{#489968}
Committed: https://chromium.googlesource.com/chromium/src/+/24bd4066e46f42bdafe467100538f4c6e940ff55
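The revert exists because a non-owning registry (LayoutSelection) kept pointing at layout objects after they were destroyed, and the post-layout Commit() that would have refreshed it runs too late. The following is an added illustration of that lifetime hazard, not Chromium's code: SelectionTracker, LayoutObject and the g_live registry are constructed stand-ins. The "before" path skips unregistration in the destructor (the behaviour the reverted CL introduced); the "after" path clears the tracker in the destructor, as WillBeDestroyed() did before the removal. The liveness set exists only so the demonstration can detect a dangling pointer without dereferencing freed memory.

```cpp
#include <cassert>
#include <cstdio>
#include <set>

struct LayoutObject;

// Constructed stand-in for LayoutSelection: holds raw, non-owning pointers
// to the layout objects at the selection boundaries.
struct SelectionTracker {
  LayoutObject* start = nullptr;
  LayoutObject* end = nullptr;

  void Clear() { start = nullptr; end = nullptr; }

  // Drop the selection if it references the object that is about to die.
  void ClearIfReferences(const LayoutObject* obj) {
    if (start == obj || end == obj) Clear();
  }
};

// Demonstration-only liveness registry: lets us ask "is this pointer still
// backed by a live object?" by pointer value, never by dereferencing it.
static std::set<const LayoutObject*> g_live;

struct LayoutObject {
  SelectionTracker* tracker;
  bool clear_on_destroy;  // true = keep the ClearSelection() call in teardown

  LayoutObject(SelectionTracker* t, bool clear)
      : tracker(t), clear_on_destroy(clear) {
    g_live.insert(this);
  }

  // Mirrors WillBeDestroyed(): with clear_on_destroy the object unregisters
  // itself from the tracker before its memory goes away.
  ~LayoutObject() {
    if (clear_on_destroy) tracker->ClearIfReferences(this);
    g_live.erase(this);
  }
};

// A tracker is safe when every pointer it holds is null or still live.
static bool TrackerIsSafe(const SelectionTracker& t) {
  bool start_ok = (t.start == nullptr) || g_live.count(t.start) > 0;
  bool end_ok = (t.end == nullptr) || g_live.count(t.end) > 0;
  return start_ok && end_ok;
}

// Returns true when destroying the selected object leaves the tracker with a
// dangling pointer, i.e. a later Commit()/paint would be a use-after-free.
bool DanglingAfterDestroy(bool clear_on_destroy) {
  SelectionTracker tracker;
  LayoutObject* node = new LayoutObject(&tracker, clear_on_destroy);
  tracker.start = node;
  tracker.end = node;
  // The object dies before any post-layout Commit() could refresh the tracker
  // (e.g. a DOM mutation detaches the layout subtree).
  delete node;
  return !TrackerIsSafe(tracker);
}

int main() {
  std::printf("without ClearSelection in destructor: dangling=%d\n",
              DanglingAfterDestroy(false));  // 1: tracker points at freed memory
  std::printf("with ClearSelection in destructor:    dangling=%d\n",
              DanglingAfterDestroy(true));   // 0: tracker was reset in teardown
  return 0;
}
```

The design point is that a deferred "fix it up after layout" pass cannot substitute for unregistering at destruction time: anything that touches the tracker in the window between `delete` and the deferred commit sees a stale pointer. Unregistration in the destructor closes that window regardless of what else runs in between.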

Patch Set 1 #

Stats: +14 lines, -0 lines
M third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp (1 chunk, +7 lines, -0 lines, 0 comments)
M third_party/WebKit/Source/core/layout/LayoutInline.cpp (1 chunk, +7 lines, -0 lines, 0 comments)

Messages

Total messages: 11 (6 generated)
yoichio
Created Revert of Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed()
3 years, 4 months ago (2017-07-27 07:40:02 UTC) #1
commit-bot: I haz the power
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2988003002/1
3 years, 4 months ago (2017-07-27 07:40:44 UTC) #4
commit-bot: I haz the power
Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/510900)
3 years, 4 months ago (2017-07-27 09:46:18 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2988003002/1
3 years, 4 months ago (2017-07-27 12:50:36 UTC) #8
commit-bot: I haz the power
3 years, 4 months ago (2017-07-27 16:39:35 UTC) #11
Message was sent while issue was closed.
Committed patchset #1 (id:1) as
https://chromium.googlesource.com/chromium/src/+/24bd4066e46f42bdafe467100538...
