haikuwebkit/Source/WebCore/editing/mac
Wenson Hsieh 42b5e59341 [macOS] Web process crashes when detaching Document with uncommitted marked text
https://bugs.webkit.org/show_bug.cgi?id=228841
rdar://79960890

Reviewed by Ryosuke Niwa.

Source/WebCore:

In the case where the document is in the process of being detached (underneath `willBeRemovedFromFrame()`), if
there is currently uncommitted marked text in the document, we will attempt to cancel the IME composition in the
process of clearing out the selection. On macOS, this calls into `Editor::cancelComposition()` which
subsequently triggers layout under various call stacks (DOM mutations, text event dispatch, and when scrolling
to reveal the selection); this triggers a security release assertion inside `Document::updateLayout()`.

To mitigate this, we avoid calling into this codepath if the Document no longer has a living render tree (i.e.,
the render tree has either been destroyed, is being destroyed, or has not been created yet).

Test: editing/inserting/remove-frame-with-marked-text.html

* editing/mac/EditorMac.mm:
(WebCore::Editor::selectionWillChange):

Source/WebKit:

Deploy a similar fix on iOS, to avoid any attempts to compute editor state due to discarding uncommitted marked
text during Document teardown. This is required in order to avoid the same security assertion when running the
new layout test on iOS.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::sendEditorStateUpdate):

Tools:

Make a small adjustment to DumpRenderTree, such that TextInputController targets the selected frame (or the main
frame, if there is no DOM selection). This behavior matches that of WebKitTestRunner, and allows layout tests
that use TextInputController to simulate setting marked text inside subframes.

* DumpRenderTree/mac/TextInputControllerMac.m:
(-[TextInputController selectedOrMainFrame]):
(-[TextInputController textInput]):

LayoutTests:

Add a layout test to exercise the crash.

* editing/inserting/remove-frame-with-marked-text-expected.txt: Added.
* editing/inserting/remove-frame-with-marked-text.html: Added.


Canonical link: https://commits.webkit.org/240347@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280762 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-08-07 22:47:09 +00:00
DictionaryLookup.h Remove WTF::Optional synonym for std::optional, using that class template directly instead 2021-05-30 16:11:40 +00:00
DictionaryLookupLegacy.mm Remove WTF::Optional synonym for std::optional, using that class template directly instead 2021-05-30 16:11:40 +00:00
EditorMac.mm [macOS] Web process crashes when detaching Document with uncommitted marked text 2021-08-07 22:47:09 +00:00
FrameSelectionMac.mm
TextAlternativeWithRange.h
TextAlternativeWithRange.mm
TextUndoInsertionMarkupMac.h
TextUndoInsertionMarkupMac.mm
UniversalAccessZoom.h
UniversalAccessZoom.mm