Changeset 230570 in webkit
- Timestamp: Apr 12, 2018 6:41:11 AM (6 years ago)
- Location: branches/safari-605-branch
- Files: 2 added, 3 edited
branches/safari-605-branch/LayoutTests/ChangeLog
r230301 r230570 1 2018-04-11 Kocsen Chung <kocsen_chung@apple.com> 2 3 Cherry-pick r230513. rdar://problem/39337459 4 5 FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it 6 https://bugs.webkit.org/show_bug.cgi?id=183395 7 <rdar://problem/38055732> 8 9 Reviewed by Zalan Bujtas. 10 11 Source/WebCore: 12 13 In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the 14 FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple 15 mitigation by wrapping the Frame in a Ref when firing the appearance update timer. 16 17 Test: editing/selection/iframe-update-selection-appearance.html 18 19 * editing/FrameSelection.cpp: 20 (WebCore::FrameSelection::appearanceUpdateTimerFired): 21 22 LayoutTests: 23 24 Add a new layout test that passes if we didn't crash. 25 26 * editing/selection/iframe-update-selection-appearance-expected.txt: Added. 27 * editing/selection/iframe-update-selection-appearance.html: Added. 28 29 git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc 30 31 2018-04-10 Wenson Hsieh <wenson_hsieh@apple.com> 32 33 FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it 34 https://bugs.webkit.org/show_bug.cgi?id=183395 35 <rdar://problem/38055732> 36 37 Reviewed by Zalan Bujtas. 38 39 Add a new layout test that passes if we didn't crash. 40 41 * editing/selection/iframe-update-selection-appearance-expected.txt: Added. 42 * editing/selection/iframe-update-selection-appearance.html: Added. 43 1 44 2018-04-05 Jason Marcell <jmarcell@apple.com> 2 45 -
branches/safari-605-branch/Source/WebCore/ChangeLog
r230538 r230570 1 2018-04-11 Kocsen Chung <kocsen_chung@apple.com> 2 3 Cherry-pick r230513. rdar://problem/39337459 4 5 FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it 6 https://bugs.webkit.org/show_bug.cgi?id=183395 7 <rdar://problem/38055732> 8 9 Reviewed by Zalan Bujtas. 10 11 Source/WebCore: 12 13 In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the 14 FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple 15 mitigation by wrapping the Frame in a Ref when firing the appearance update timer. 16 17 Test: editing/selection/iframe-update-selection-appearance.html 18 19 * editing/FrameSelection.cpp: 20 (WebCore::FrameSelection::appearanceUpdateTimerFired): 21 22 LayoutTests: 23 24 Add a new layout test that passes if we didn't crash. 25 26 * editing/selection/iframe-update-selection-appearance-expected.txt: Added. 27 * editing/selection/iframe-update-selection-appearance.html: Added. 28 29 git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc 30 31 2018-04-10 Wenson Hsieh <wenson_hsieh@apple.com> 32 33 FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it 34 https://bugs.webkit.org/show_bug.cgi?id=183395 35 <rdar://problem/38055732> 36 37 Reviewed by Zalan Bujtas. 38 39 In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the 40 FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple 41 mitigation by wrapping the Frame in a Ref when firing the appearance update timer. 42 43 Test: editing/selection/iframe-update-selection-appearance.html 44 45 * editing/FrameSelection.cpp: 46 (WebCore::FrameSelection::appearanceUpdateTimerFired): 47 1 48 2018-04-10 Kocsen Chung <kocsen_chung@apple.com> 2 49 -
branches/safari-605-branch/Source/WebCore/editing/FrameSelection.cpp
r225837 r230570 2422 2422 void FrameSelection::appearanceUpdateTimerFired() 2423 2423 { 2424 Ref<Frame> protectedFrame(*m_frame); 2424 2425 updateAppearanceAfterLayoutOrStyleChange(); 2425 2426 }
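Review bot: In appearanceUpdateTimerFired(), the new `Ref<Frame> protectedFrame(*m_frame);` dereferences m_frame unconditionally, so the fix relies on m_frame being non-null every time the timer fires. If that invariant is not guaranteed elsewhere, add an early return or an ASSERT before taking the Ref. The Ref also protects only this timer entry point: the ChangeLog says the Frame "can be removed by arbitrary script" during the update, so any other caller that reaches updateAppearanceAfterLayoutOrStyleChange() without holding the Frame should be checked for the same protection. A short comment on why the Ref is taken would keep it from being removed later as an unused local.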
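Review bot: The LayoutTests ChangeLog entry gives "passes if we didn't crash" as the only pass condition for editing/selection/iframe-update-selection-appearance.html, so the test catches a regression only if the access to the unprotected Frame actually faults. A lifetime bug of the kind the WebCore entry describes does not always crash in a release build. Consider stating in the entry that the test is intended for debug or sanitizer builds, or have the test check an observable state once the frame has been removed.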