Context Navigation

← Previous Changeset
Next Changeset →

Changeset 230087 in webkit

Timestamp:

Mar 29, 2018 4:05:06 PM (6 years ago)

Author:

Wenson Hsieh

Message:

FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/38055732>

Reviewed by Zalan Bujtas.

Source/WebCore:

In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer, and ensuring that layout is
really up to date before calling updateAppearanceAfterLayoutOrStyleChange() from the timer.

Test: editing/selection/iframe-update-selection-appearance.html

editing/FrameSelection.cpp:

(WebCore::FrameSelection::appearanceUpdateTimerFired):

LayoutTests:

Add a new layout test that passes if we didn't crash.

editing/selection/iframe-update-selection-appearance-expected.txt: Added.
editing/selection/iframe-update-selection-appearance.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt (added)
LayoutTests/editing/selection/iframe-update-selection-appearance.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/editing/FrameSelection.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r230072
+                      r230087
+-03-29  Wenson Hsieh  <wenson_hsieh@apple.com>
+        FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+        https://bugs.webkit.org/show_bug.cgi?id=183395
+        <rdar://problem/38055732>
+        Reviewed by Zalan Bujtas.
+        Add a new layout test that passes if we didn't crash.
+        * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+        * editing/selection/iframe-update-selection-appearance.html: Added.
 -03-29  Per Arne Vollan  <pvollan@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r230083
+                      r230087
+-03-29  Wenson Hsieh  <wenson_hsieh@apple.com>
+        FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+        https://bugs.webkit.org/show_bug.cgi?id=183395
+        <rdar://problem/38055732>
+        Reviewed by Zalan Bujtas.
+        In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+        FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+        mitigation by wrapping the Frame in a Ref when firing the appearance update timer, and ensuring that layout is
+        really up to date before calling updateAppearanceAfterLayoutOrStyleChange() from the timer.
+        Test: editing/selection/iframe-update-selection-appearance.html
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::appearanceUpdateTimerFired):
 -03-29  Daniel Bates  <dabates@apple.com>

trunk/Source/WebCore/editing/FrameSelection.cpp

r227983	r230087
2442	2442	void FrameSelection::appearanceUpdateTimerFired()
2443	2443	{
	2444	Ref<Frame> protectedFrame(*m_frame);
	2445	if (auto* document = protectedFrame->document())
	2446	document->updateLayoutIgnorePendingStylesheets();
	2447
2444	2448	updateAppearanceAfterLayoutOrStyleChange();
2445	2449	}

Note: See TracChangeset for help on using the changeset viewer.