Changeset 208173 in webkit

Timestamp:

Oct 31, 2016 2:03:56 PM (8 years ago)

Author:

matthew_hanson@apple.com

Message:

Merge r208168. rdar://problem/28962886

Location:

branches/safari-602-branch/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/editing/AlternativeTextController.cpp (modified) (2 diffs)
• WebCore/editing/Editor.cpp (modified) (7 diffs)
• WebCore/editing/EditorCommand.cpp (modified) (2 diffs)
• WebCore/editing/TypingCommand.cpp (modified) (3 diffs)
• WebCore/editing/mac/EditorMac.mm (modified) (1 diff)
• WebCore/page/ContextMenuController.cpp (modified) (2 diffs)
• WebCore/page/DOMSelection.cpp (modified) (10 diffs)
• WebCore/page/DragController.cpp (modified) (3 diffs)
• WebCore/page/Frame.cpp (modified) (1 diff)
• WebCore/page/TextIndicator.cpp (modified) (2 diffs)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp (modified) (2 diffs)
• WebKit2/WebProcess/WebPage/WebPage.cpp (modified) (2 diffs)
• WebKit2/WebProcess/WebPage/mac/WebPageMac.mm (modified) (2 diffs)

branches/safari-602-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2016-10-31  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r208168. rdar://problem/28962886
+
+    2016-10-28  Brent Fulgham  <bfulgham@apple.com>
+
+            Do a better job of protecting Frame objects in the context of JavaScript calls
+            https://bugs.webkit.org/show_bug.cgi?id=164163
+            <rdar://problem/28955249>
+
+            Reviewed by Darin Adler.
+
+            * editing/AlternativeTextController.cpp:
+            (WebCore::AlternativeTextController::respondToUnappliedSpellCorrection): Protected the Frame.
+            * editing/Editor.cpp:
+            (WebCore::Editor::setTextAsChildOfElement): Ditto.
+            * editing/EditorCommand.cpp:
+            (WebCore::executeSwapWithMark): Ditto.
+            * editing/TypingCommand.cpp:
+            (WebCore::TypingCommand::deleteKeyPressed): Ditto.
+            (WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto.
+            * editing/mac/EditorMac.mm:
+            (WebCore::Editor::replaceNodeFromPasteboard): Ditto.
+            * page/ContextMenuController.cpp:
+            (WebCore::ContextMenuController::contextMenuItemSelected): Ditto.
+            * page/DOMSelection.cpp:
+            (WebCore::DOMSelection::collapse): Ditto.
+            (WebCore::DOMSelection::collapseToEnd): Ditto.
+            (WebCore::DOMSelection::collapseToStart): Ditto.
+            (WebCore::DOMSelection::setBaseAndExtent): Ditto.
+            (WebCore::DOMSelection::setPosition): Ditto.
+            (WebCore::DOMSelection::modify): Ditto.
+            (WebCore::DOMSelection::extend): Ditto.
+            (WebCore::DOMSelection::addRange): Ditto.
+            (WebCore::DOMSelection::deleteFromDocument): Ditto.
+            * page/DragController.cpp:
+            (WebCore::setSelectionToDragCaret): Ditto.
+            (WebCore::DragController::startDrag): Ditto.
+            * page/Frame.cpp:
+            (WebCore::Frame::checkOverflowScroll): Ditto.
+            * page/TextIndicator.cpp:
+            (WebCore::TextIndicator::createWithRange): Ditto.
+
 2016-10-31  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/Source/WebCore/editing/AlternativeTextController.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  *
@@ -318 +318 @@
     if (AlternativeTextClient* client = alternativeTextClient())
         client->recordAutocorrectionResponse(AutocorrectionReverted, corrected, correction);
+
+    Ref<Frame> protector(m_frame);
     m_frame.document()->updateLayout();
     m_frame.selection().setSelection(selectionOfCorrected, FrameSelection::defaultSetSelectionOptions() | FrameSelection::SpellCorrectionTriggered);

branches/safari-602-branch/Source/WebCore/editing/Editor.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2011, 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2011, 2013-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  *
@@ -1791 +1791 @@
 void Editor::setComposition(const String& text, const Vector<CompositionUnderline>& underlines, unsigned selectionStart, unsigned selectionEnd)
 {
+    Ref<Frame> protection(m_frame);
+
     UserTypingGestureIndicator typingGestureIndicator(m_frame);
 
@@ -1924 +1926 @@
 void Editor::advanceToNextMisspelling(bool startBeforeSelection)
 {
+    Ref<Frame> protection(m_frame);
+
     // The basic approach is to search in two phases - from the selection end to the end of the doc, and
     // then we wrap and search from the doc start to (approximately) where we started.
@@ -2242 +2246 @@
 void Editor::markMisspellingsAfterTypingToWord(const VisiblePosition &wordStart, const VisibleSelection& selectionAfterTyping, bool doReplacement)
 {
+    Ref<Frame> protection(m_frame);
+
 #if PLATFORM(IOS)
     UNUSED_PARAM(selectionAfterTyping);
@@ -2492 +2498 @@
 void Editor::markAndReplaceFor(PassRefPtr<SpellCheckRequest> request, const Vector<TextCheckingResult>& results)
 {
+    Ref<Frame> protection(m_frame);
     ASSERT(request);
 
@@ -2950 +2957 @@
 void Editor::changeSelectionAfterCommand(const VisibleSelection& newSelection, FrameSelection::SetSelectionOptions options)
 {
+    Ref<Frame> protection(m_frame);
+
     // If the new selection is orphaned, then don't update the selection.
     if (newSelection.start().isOrphan() || newSelection.end().isOrphan())
@@ -3140 +3149 @@
 bool Editor::findString(const String& target, FindOptions options)
 {
+    Ref<Frame> protection(m_frame);
+
     VisibleSelection selection = m_frame.selection().selection();
 

branches/safari-602-branch/Source/WebCore/editing/EditorCommand.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2014, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2009 Igalia S.L.
@@ -1062 +1062 @@
 static bool executeSwapWithMark(Frame& frame, Event*, EditorCommandSource, const String&)
 {
+    Ref<Frame> protector(frame);
     const VisibleSelection& mark = frame.editor().mark();
     const VisibleSelection& selection = frame.selection().selection();

branches/safari-602-branch/Source/WebCore/editing/TypingCommand.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc.  All rights reserved.
+ * Copyright (C) 2005-2008, 2016 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -476 +476 @@
 {
     Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
 
     frame.editor().updateMarkersForWordsAffectedByEditing(false);
@@ -589 +590 @@
 {
     Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
 
     frame.editor().updateMarkersForWordsAffectedByEditing(false);

branches/safari-602-branch/Source/WebCore/editing/mac/EditorMac.mm

@@ -261 +261 @@
         return;
 
+    Ref<Frame> protector(m_frame);
     RefPtr<Range> range = Range::create(node->document(), Position(node, Position::PositionIsBeforeAnchor), Position(node, Position::PositionIsAfterAnchor));
     m_frame.selection().setSelection(VisibleSelection(*range), FrameSelection::DoNotSetFocus);

branches/safari-602-branch/Source/WebCore/page/ContextMenuController.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Igalia S.L
  *
@@ -224 +224 @@
         return;
 
+    Ref<Frame> protector(*frame);
+
     switch (action) {
     case ContextMenuItemTagOpenLinkInNewWindow:

branches/safari-602-branch/Source/WebCore/page/DOMSelection.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2009, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
@@ -202 +202 @@
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(node, offset), DOWNSTREAM);
 }
@@ -217 +218 @@
     }
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(selection.end(), DOWNSTREAM);
 }
@@ -232 +234 @@
     }
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(selection.start(), DOWNSTREAM);
 }
@@ -256 +259 @@
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(baseNode, baseOffset), createLegacyEditingPosition(extentNode, extentOffset), DOWNSTREAM);
 }
@@ -272 +276 @@
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(node, offset), DOWNSTREAM);
 }
@@ -322 +327 @@
         return;
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().modify(alter, direction, granularity);
 }
@@ -339 +345 @@
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().setExtent(createLegacyEditingPosition(&node, offset), DOWNSTREAM);
 }
@@ -377 +384 @@
     if (!r)
         return;
+
+    Ref<Frame> protector(*m_frame);
 
     FrameSelection& selection = m_frame->selection();
@@ -429 +438 @@
         return;
 
+    Ref<Frame> protector(*m_frame);
     selectedRange->deleteContents(ASSERT_NO_EXCEPTION);
 

branches/safari-602-branch/Source/WebCore/page/DragController.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2009, 2010, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2009-2010, 2013, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -433 +433 @@
 static bool setSelectionToDragCaret(Frame* frame, VisibleSelection& dragCaret, RefPtr<Range>& range, const IntPoint& point)
 {
+    Ref<Frame> protector(*frame);
     frame->selection().setSelection(dragCaret);
     if (frame->selection().selection().isNone()) {
@@ -753 +754 @@
         return false;
 
+    Ref<Frame> protector(src);
     HitTestResult hitTestResult = src.eventHandler().hitTestResultAtPoint(dragOrigin, HitTestRequest::ReadOnly | HitTestRequest::Active);
 

branches/safari-602-branch/Source/WebCore/page/Frame.cpp

@@ -604 +604 @@
     }
 
+    Ref<Frame> protectedThis(*this);
+
     if (action == PerformOverflowScroll && (deltaX || deltaY)) {
         layer->scrollToOffset(layer->scrollOffset() + IntSize(deltaX, deltaY));

branches/safari-602-branch/Source/WebCore/page/TextIndicator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -70 +70 @@
         return nullptr;
 
+    Ref<Frame> protector(*frame);
+
 #if PLATFORM(IOS)
     frame->editor().setIgnoreCompositionSelectionChange(true);

branches/safari-602-branch/Source/WebKit2/ChangeLog

@@ +1 @@
+2016-10-31  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r208168. rdar://problem/28962886
+
+    2016-10-28  Brent Fulgham  <bfulgham@apple.com>
+
+            Do a better job of protecting Frame objects in the context of JavaScript calls
+            https://bugs.webkit.org/show_bug.cgi?id=164163
+            <rdar://problem/28955249>
+
+            Reviewed by Darin Adler.
+
+            * WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
+            (WebKit::InjectedBundleRangeHandle::renderedImage): Protected the Frame.
+            * WebProcess/WebPage/WebPage.cpp:
+            (WebKit::WebPage::insertTextAsync): Ditto.
+            (WebKit::WebPage::setComposition): Ditto.
+            * WebProcess/WebPage/mac/WebPageMac.mm:
+            (WebKit::WebPage::insertDictatedTextAsync): Ditto.
+
 2016-10-31  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -114 +114 @@
         return nullptr;
 
+    Ref<Frame> protector(*frame);
+
     VisibleSelection oldSelection = frame->selection().selection();
     frame->selection().setSelection(VisibleSelection(*m_range));

branches/safari-602-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

@@ -4583 +4583 @@
     Frame& frame = m_page->focusController().focusedOrMainFrame();
 
+    Ref<Frame> protector(frame);
+
     if (replacementEditingRange.location != notFound) {
         RefPtr<Range> replacementRange = rangeFromEditingRange(frame, replacementEditingRange, static_cast<EditingRangeIsRelativeTo>(editingRangeIsRelativeTo));
@@ -4746 +4748 @@
         return;
     }
+
+    Ref<Frame> protector(*targetFrame);
 
     if (replacementLength > 0) {

branches/safari-602-branch/Source/WebKit2/WebProcess/WebPage/mac/WebPageMac.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2010, 2011, 2012, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2012, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -328 +328 @@
     Frame& frame = m_page->focusController().focusedOrMainFrame();
 
+    Ref<Frame> protector(frame);
+
     if (replacementEditingRange.location != notFound) {
         RefPtr<Range> replacementRange = rangeFromEditingRange(frame, replacementEditingRange);