commit | 24bd4066e46f42bdafe467100538f4c6e940ff55 | |
---|---|---|
author | yoichio <yoichio@chromium.org> | Thu Jul 27 16:39:08 2017 |
committer | Commit Bot <commit-bot@chromium.org> | Thu Jul 27 16:39:08 2017 |
tree | 1969aec3ac57a650037f96192fbb24483c41bd74 | |
parent | 7c245b261166a900d438999342a328c84921d778 | |

Revert of Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed() (patchset #1 id:1 of https://codereview.chromium.org/2811333003/ )

Reason for revert:
This causes use-after-free: crbug.com/748718

Original issue's description:
> Remove ClearSelection() from Layout{BlockFlow,Inline}::WillbeDestroyed()
>
> LayoutView::ClearSelection was originally introduced at 2004 to assure no
> crash:
> https://chromium.googlesource.com/chromium/src/+/10f7ac6ea6784e33161c7979e9a59c5e2cae14b5
>
> Even now that code doesn't make sense because we update LayoutSelection after
> layout in following sequence:
> 1. FrameView::PerformPostLayoutTasks() checks
> LayoutSelection::SetHasPendingSelection()
> 2. PaintLayerCompositor::UpdateIfNeededRecursiveInternal() calls
> LayoutSelection::Commit() and it updates layout selection.
>
>
>
> BUG=708453
>
> Review-Url: https://codereview.chromium.org/2811333003
> Cr-Commit-Position: refs/heads/master@{#464352}
> Committed: https://chromium.googlesource.com/chromium/src/+/230b4e0eb7f14d23c70bc4134b8a23a9ddccd5a8

TBR=yosin@chromium.org,eae@chromium.org,kojih@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=708453, 748718

Review-Url: https://codereview.chromium.org/2988003002
Cr-Commit-Position: refs/heads/master@{#489968}