Description
Revert of Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed() (patchset #1 id:1 of https://codereview.chromium.org/2811333003/ )
Reason for revert:
This causes a use-after-free:
crbug.com/748718
Original issue's description:
> Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed()
>
> LayoutView::ClearSelection was originally introduced in 2004 to assure no
> crash:
> https://chromium.googlesource.com/chromium/src/+/10f7ac6ea6784e33161c7979e9a59c5e2cae14b5
>
> Even now that code doesn't make sense because we update LayoutSelection after
> layout in the following sequence:
> 1. FrameView::PerformPostLayoutTasks() checks
> LayoutSelection::SetHasPendingSelection()
> 2. PaintLayerCompositor::UpdateIfNeededRecursiveInternal() calls
> LayoutSelection::Commit() and it updates layout selection.
>
> BUG=708453
>
> Review-Url: https://codereview.chromium.org/2811333003
> Cr-Commit-Position: refs/heads/master@{#464352}
> Committed: https://chromium.googlesource.com/chromium/src/+/230b4e0eb7f14d23c70bc4134b8a23a9ddccd5a8
TBR=yosin@chromium.org,eae@chromium.org,kojih@chromium.org
# Not skipping CQ checks because original CL landed more than 1 day ago.
BUG=708453, 748718
Review-Url: https://codereview.chromium.org/2988003002
Cr-Commit-Position: refs/heads/master@{#489968}
Committed: https://chromium.googlesource.com/chromium/src/+/24bd4066e46f42bdafe467100538f4c6e940ff55
Patch Set 1