Context Navigation

← Previous Changeset
Next Changeset →

Changeset 230513 in webkit

Timestamp:

Apr 10, 2018 8:44:00 PM (6 years ago)

Author:

Wenson Hsieh

Message:

FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/38055732>

Reviewed by Zalan Bujtas.

Source/WebCore:

In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer.

Test: editing/selection/iframe-update-selection-appearance.html

editing/FrameSelection.cpp:

(WebCore::FrameSelection::appearanceUpdateTimerFired):

LayoutTests:

Add a new layout test that passes if we didn't crash.

editing/selection/iframe-update-selection-appearance-expected.txt: Added.
editing/selection/iframe-update-selection-appearance.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt (added)
LayoutTests/editing/selection/iframe-update-selection-appearance.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/editing/FrameSelection.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r230510
+                      r230513
+-04-10  Wenson Hsieh  <wenson_hsieh@apple.com>
+        FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+        https://bugs.webkit.org/show_bug.cgi?id=183395
+        <rdar://problem/38055732>
+        Reviewed by Zalan Bujtas.
+        Add a new layout test that passes if we didn't crash.
+        * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+        * editing/selection/iframe-update-selection-appearance.html: Added.
 -04-10  Nan Wang  <n_wang@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r230512
+                      r230513
+-04-10  Wenson Hsieh  <wenson_hsieh@apple.com>
+        FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+        https://bugs.webkit.org/show_bug.cgi?id=183395
+        <rdar://problem/38055732>
+        Reviewed by Zalan Bujtas.
+        In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+        FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+        mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
+        Test: editing/selection/iframe-update-selection-appearance.html
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::appearanceUpdateTimerFired):
 -04-10  Brent Fulgham  <bfulgham@apple.com>

trunk/Source/WebCore/editing/FrameSelection.cpp

r230089	r230513
2442	2442	void FrameSelection::appearanceUpdateTimerFired()
2443	2443	{
	2444	Ref<Frame> protectedFrame(*m_frame);
2444	2445	updateAppearanceAfterLayoutOrStyleChange();
2445	2446	}

Note: See TracChangeset for help on using the changeset viewer.