Fix crash when node is moved in a selection

Let RenderObject::canUpdateSelectionOnRootLineBoxes() return false if the renderer is in an orphaned render tree, to prevent RenderSelectionInfo from calling selectionRectForPaintInvalidation() which would cause the crash. BUG=396596 TEST=editing/selection/move-node-in-selection-crash.html Review URL: https://codereview.chromium.org/452293004 git-svn-id: svn://svn.chromium.org/blink/trunk@180102 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Fix crash when node is moved in a selection
Let RenderObject::canUpdateSelectionOnRootLineBoxes() return false if the renderer is in an orphaned render tree, to prevent RenderSelectionInfo from calling selectionRectForPaintInvalidation() which would cause the crash. BUG=396596 TEST=editing/selection/move-node-in-selection-crash.html Review URL: https://codereview.chromium.org/452293004 git-svn-id: svn://svn.chromium.org/blink/trunk@180102 bbb929c8-8fbe-4397-9dbb-9b2b20218538
6ff64fe9 · wangxianzhu@chromium.org · afc4df7d · 6ff64fe9 · 6ff64fe9 · 6ff64fe9
Commit 6ff64fe9 authored Aug 12, 2014 by wangxianzhu@chromium.org
3 changed files
--- a/third_party/WebKit/LayoutTests/editing/selection/move-node-in-selection-crash-expected.txt
+++ b/third_party/WebKit/LayoutTests/editing/selection/move-node-in-selection-crash-expected.txt
+This is modified from a cluster-fuzz test case. Passes if no crash.
--- a/third_party/WebKit/LayoutTests/editing/selection/move-node-in-selection-crash.html
+++ b/third_party/WebKit/LayoutTests/editing/selection/move-node-in-selection-crash.html
+<style>
+p { position: fixed; height: 1px; }
+hgroup { position: fixed; padding-bottom: 1px; padding-left: 100%; -webkit-column-span: all; }
+sup { display: -webkit-box; }
+</style>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+window.onload = function() {
+  document.documentElement.appendChild(document.createElement('span'));
+  var grandparent = document.createElement('p');
+  document.documentElement.appendChild(grandparent);
+  document.execCommand('SelectAll', '');
+
+  grandparent.appendChild(document.createElement('hgroup'));
+  var oldParent = document.createElement('span');
+  grandparent.appendChild(oldParent);
+  var childToMove = document.createElement('sup');
+  oldParent.appendChild(childToMove);
+
+  document.body.offsetHeight;
+
+  // Move childToMove under the orphaned parent.
+  var orphanedParent = document.createElement('div');
+  orphanedParent.appendChild(childToMove);
+};
+</script>
+This is modified from a cluster-fuzz test case. Passes if no crash.
--- a/third_party/WebKit/Source/core/rendering/RenderObject.cpp
+++ b/third_party/WebKit/Source/core/rendering/RenderObject.cpp
@@ -3354,7 +3354,7 @@ bool RenderObject::canUpdateSelectionOnRootLineBoxes()
        return false;

    RenderBlock* containingBlock = this->containingBlock();
-    return containingBlock ? !containingBlock->needsLayout() : true;
+    return containingBlock ? !containingBlock->needsLayout() : false;
 }

 // We only create "generated" child renderers like one for first-letter if: