Context Navigation

← Previous Changeset
Next Changeset →

Changeset 192433 in webkit

Timestamp:

Nov 13, 2015 10:36:31 AM (8 years ago)

Author:

jiewen_tan@apple.com

Message:

Element::focus() should acquire the ownership of Frame.
https://bugs.webkit.org/show_bug.cgi?id=150204
<rdar://problem/23136794>

Reviewed by Brent Fulgham.

Source/WebCore:

The FrameSelection::setSelection method sometimes releases the last reference to a frame.
When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
of the method call.

Test: editing/selection/focus-iframe-removal-crash.html

dom/Element.cpp:

(WebCore::Element::updateFocusAppearance):

LayoutTests:

editing/selection/focus-iframe-removal-crash-expected.txt: Added.
editing/selection/focus-iframe-removal-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt (added)
LayoutTests/editing/selection/focus-iframe-removal-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/dom/Element.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r192432
+                      r192433
+-11-13  Jiewen Tan  <jiewen_tan@apple.com>
+        Element::focus() should acquire the ownership of Frame.
+        https://bugs.webkit.org/show_bug.cgi?id=150204
+        <rdar://problem/23136794>
+        Reviewed by Brent Fulgham.
+        * editing/selection/focus-iframe-removal-crash-expected.txt: Added.
+        * editing/selection/focus-iframe-removal-crash.html: Added.
 -11-13  Tim Horton  <timothy_horton@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r192414
+                      r192433
+-11-13  Jiewen Tan  <jiewen_tan@apple.com>
+        Element::focus() should acquire the ownership of Frame.
+        https://bugs.webkit.org/show_bug.cgi?id=150204
+        <rdar://problem/23136794>
+        Reviewed by Brent Fulgham.
+        The FrameSelection::setSelection method sometimes releases the last reference to a frame.
+        When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
+        Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
+        of the method call.
+        Test: editing/selection/focus-iframe-removal-crash.html
+        * dom/Element.cpp:
+        (WebCore::Element::updateFocusAppearance):
 -11-13  Sergio Villar Senin  <svillar@igalia.com>

trunk/Source/WebCore/dom/Element.cpp

-                      r192354
+                      r192433
+{
     if (isRootEditableElement()) {
+        Frame* frame = document().frame();
+        // Keep frame alive in this method, since setSelection() may release the last reference to |frame|.
+        RefPtr<Frame> frame = document().frame();
         if (!frame)
             return;

Note: See TracChangeset for help on using the changeset viewer.