Changeset 243459 in webkit
- Timestamp:
- Mar 25, 2019 2:21:50 PM (5 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 20 edited
trunk/Source/WebCore/ChangeLog
r243457 r243459 1 2019-03-25 Alex Christensen <achristensen@webkit.org> 2 3 Stop storing raw pointers to Documents 4 https://bugs.webkit.org/show_bug.cgi?id=196042 5 6 Reviewed by Geoff Garen. 7 8 Use WeakPtr instead! This could change some UAF bugs into null dereference crashes. 9 10 * css/CSSFontSelector.cpp: 11 (WebCore::CSSFontSelector::CSSFontSelector): 12 (WebCore::CSSFontSelector::addFontFaceRule): 13 (WebCore::CSSFontSelector::fontRangesForFamily): 14 * css/CSSFontSelector.h: 15 * css/MediaQueryMatcher.cpp: 16 (WebCore::MediaQueryMatcher::MediaQueryMatcher): 17 (WebCore::MediaQueryMatcher::matchMedia): 18 * css/MediaQueryMatcher.h: 19 * css/StyleSheetList.cpp: 20 (WebCore::StyleSheetList::StyleSheetList): 21 (WebCore::StyleSheetList::ownerNode const): 22 * css/StyleSheetList.h: 23 * css/ViewportStyleResolver.cpp: 24 (WebCore::ViewportStyleResolver::ViewportStyleResolver): 25 * css/ViewportStyleResolver.h: 26 * dom/Document.h: 27 (WebCore::Document::setTemplateDocumentHost): 28 (WebCore::Document::templateDocumentHost): 29 * dom/DocumentParser.cpp: 30 (WebCore::DocumentParser::DocumentParser): 31 * dom/DocumentParser.h: 32 (WebCore::DocumentParser::document const): 33 * dom/ScriptedAnimationController.cpp: 34 (WebCore::ScriptedAnimationController::ScriptedAnimationController): 35 * dom/ScriptedAnimationController.h: 36 * html/parser/HTMLScriptRunner.cpp: 37 (WebCore::HTMLScriptRunner::HTMLScriptRunner): 38 (WebCore::HTMLScriptRunner::runScript): 39 * html/parser/HTMLScriptRunner.h: 40 * loader/MediaResourceLoader.cpp: 41 (WebCore::MediaResourceLoader::MediaResourceLoader): 42 * loader/MediaResourceLoader.h: 43 * loader/cache/CachedResourceLoader.cpp: 44 (WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox const): 45 (WebCore::CachedResourceLoader::loadDone): 46 * loader/cache/CachedResourceLoader.h: 47 (WebCore::CachedResourceLoader::document const): 48 (WebCore::CachedResourceLoader::setDocument): 49 1 50 2019-03-25 Truitt Savell 
<tsavell@apple.com> 2 51 -
trunk/Source/WebCore/css/CSSFontSelector.cpp
r241288 r243459 63 63 64 64 CSSFontSelector::CSSFontSelector(Document& document) 65 : m_document( &document)65 : m_document(makeWeakPtr(document)) 66 66 , m_cssFontFaceSet(CSSFontFaceSet::create(this)) 67 67 , m_beginLoadingTimer(*this, &CSSFontSelector::beginLoadTimerFired) … … 208 208 fontFace->setLoadingBehavior(*loadingBehavior); 209 209 210 CSSFontFace::appendSources(fontFace, srcList, m_document , isInitiatingElementInUserAgentShadowTree);210 CSSFontFace::appendSources(fontFace, srcList, m_document.get(), isInitiatingElementInUserAgentShadowTree); 211 211 if (fontFace->computeFailureState()) 212 212 return; … … 313 313 bool resolveGenericFamilyFirst = familyName == standardFamily; 314 314 315 AtomicString familyForLookup = resolveGenericFamilyFirst ? resolveGenericFamily(m_document , fontDescription, familyName) : familyName;315 AtomicString familyForLookup = resolveGenericFamilyFirst ? resolveGenericFamily(m_document.get(), fontDescription, familyName) : familyName; 316 316 auto* face = m_cssFontFaceSet->fontFace(fontDescription.fontSelectionRequest(), familyForLookup); 317 317 if (face) { … … 323 323 } 324 324 if (!resolveGenericFamilyFirst) 325 familyForLookup = resolveGenericFamily(m_document , fontDescription, familyName);325 familyForLookup = resolveGenericFamily(m_document.get(), fontDescription, familyName); 326 326 auto font = FontCache::singleton().fontForFamily(fontDescription, familyForLookup); 327 327 if (RuntimeEnabledFeatures::sharedFeatures().webAPIStatisticsEnabled()) { -
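Review bot: The `m_document.get()` arguments at lines 210, 315 and 325 can now be null once the Document has been destroyed, and neither addFontFaceRule nor fontRangesForFamily checks before handing the pointer to appendSources/resolveGenericFamily; whether those callees tolerate a null Document is not visible here. If they dereference it, the WeakPtr only relocates the crash into the callee rather than making the failure explicit. Add `if (!m_document) return;` at the top of addFontFaceRule and an equivalent early return with an empty result in fontRangesForFamily, or `RELEASE_ASSERT(m_document)` if a dead document is genuinely impossible on these paths. Both functions begin outside the hunk.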
trunk/Source/WebCore/css/CSSFontSelector.h
r226930 r243459 78 78 void unregisterForInvalidationCallbacks(FontSelectorClient&) final; 79 79 80 Document* document() const { return m_document ; }80 Document* document() const { return m_document.get(); } 81 81 82 82 void beginLoadingFontSoon(CachedFont&); … … 104 104 Vector<PendingFontFaceRule> m_stagingArea; 105 105 106 Document*m_document;106 WeakPtr<Document> m_document; 107 107 RefPtr<FontFaceSet> m_fontFaceSet; 108 108 Ref<CSSFontFaceSet> m_cssFontFaceSet; -
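Review bot: The `document()` accessor at line 80 silently changes contract, since it now returns null after the owning Document has been destroyed, and nothing in the header tells callers to expect that; add `// Null once the owning Document has been destroyed; callers must check.` on that line. Unlike StyleSheetList.h and HTMLScriptRunner.h, this hunk does not show `#include <wtf/WeakPtr.h>` being added for the new `WeakPtr<Document>` member at line 106; if it is not already included above line 78, add it rather than relying on a transitive include.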
trunk/Source/WebCore/css/MediaQueryMatcher.cpp
r233838 r243459 39 39 40 40 MediaQueryMatcher::MediaQueryMatcher(Document& document) 41 : m_document( &document)41 : m_document(makeWeakPtr(document)) 42 42 { 43 43 } … … 85 85 86 86 auto media = MediaQuerySet::create(query, MediaQueryParserContext(*m_document)); 87 reportMediaQueryWarningIfNeeded(m_document , media.ptr());87 reportMediaQueryWarningIfNeeded(m_document.get(), media.ptr()); 88 88 bool result = evaluate(media.get()); 89 89 return MediaQueryList::create(*this, WTFMove(media), result); -
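Review bot: `MediaQueryParserContext(*m_document)` at line 86 dereferences the WeakPtr unconditionally, so after the Document dies this is a null dereference, which is undefined behaviour rather than a guaranteed trap: the compiler may assume the pointer is non-null and elide the crash the changelog is counting on. Since matchMedia returns a Ref and cannot report failure, make the intent explicit with `RELEASE_ASSERT(m_document);` before line 86 so a dead Document deterministically crashes instead of being reinterpreted. The `m_document.get()` at line 87 is then known non-null as well.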
trunk/Source/WebCore/css/MediaQueryMatcher.h
r205093 r243459 67 67 String mediaType() const; 68 68 69 Document*m_document;69 WeakPtr<Document> m_document; 70 70 Vector<Listener> m_listeners; 71 71 -
trunk/Source/WebCore/css/StyleSheetList.cpp
r238758 r243459 35 35 36 36 StyleSheetList::StyleSheetList(Document& document) 37 : m_document( &document)37 : m_document(makeWeakPtr(document)) 38 38 { 39 39 } … … 58 58 { 59 59 if (m_document) 60 return m_document ;60 return m_document.get(); 61 61 return m_shadowRoot; 62 62 } -
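Review bot: ownerNode() at lines 58-62 changes meaning with the WeakPtr: once the Document is destroyed the `if (m_document)` test fails and the function falls through to `return m_shadowRoot`, which for a document-owned list is nullptr, so a dead owner is reported as "no owner" rather than crashing or asserting. That is a silent semantic fallback callers may not expect, and `m_shadowRoot` is still a raw pointer with the dangling exposure this commit removes for Document. Either document it, `// Returns null once the owning Document has been destroyed.`, or add `ASSERT(m_document || m_shadowRoot);` before the fallback so the two cases stay distinguishable in debug builds.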
trunk/Source/WebCore/css/StyleSheetList.h
r238758 r243459 24 24 #include <wtf/RefCounted.h> 25 25 #include <wtf/Vector.h> 26 #include <wtf/WeakPtr.h> 26 27 27 28 namespace WebCore { … … 55 56 const Vector<RefPtr<StyleSheet>>& styleSheets() const; 56 57 57 Document* m_document { nullptr };58 WeakPtr<Document> m_document; 58 59 ShadowRoot* m_shadowRoot { nullptr }; 59 60 Vector<RefPtr<StyleSheet>> m_detachedStyleSheets; -
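Review bot: `ShadowRoot* m_shadowRoot { nullptr };` at line 59 is left as a raw back-pointer in the same class whose Document pointer was just converted, so a StyleSheetList outliving its ShadowRoot still has the use-after-free shape the commit is removing. If ShadowRoot supports makeWeakPtr in this tree (not visible here), change it to `WeakPtr<ShadowRoot> m_shadowRoot;` and adjust the constructor; otherwise add `// Raw back-pointer: must not outlive the ShadowRoot.` so the remaining manual lifetime obligation is stated next to the member.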
trunk/Source/WebCore/css/ViewportStyleResolver.cpp
r224320 r243459 43 43 44 44 ViewportStyleResolver::ViewportStyleResolver(Document* document) 45 : m_document(document )45 : m_document(document ? makeWeakPtr(*document) : nullptr) 46 46 { 47 47 ASSERT(m_document); -
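Review bot: The constructor at lines 44-47 accepts a nullable `Document*`, builds an empty WeakPtr for the null case, and then `ASSERT(m_document)`, so in release builds a null argument produces a resolver with no document instead of failing; the null branch exists only to reach an assert that is compiled out. Since the assert says null is never valid, the cleaner form is a reference, `ViewportStyleResolver(Document& document) : m_document(makeWeakPtr(document))`, which removes the ternary and the assert together; if changing the signature is out of scope for this commit, use `RELEASE_ASSERT(document)` before the initializer so the contract holds in release builds too.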
trunk/Source/WebCore/css/ViewportStyleResolver.h
r218588 r243459 62 62 float getViewportArgumentValue(CSSPropertyID) const; 63 63 64 Document*m_document;64 WeakPtr<Document> m_document; 65 65 RefPtr<MutableStyleProperties> m_propertySet; 66 66 }; -
trunk/Source/WebCore/dom/Document.h
r243324 r243459 1345 1345 const Document* templateDocument() const; 1346 1346 Document& ensureTemplateDocument(); 1347 void setTemplateDocumentHost(Document* templateDocumentHost) { m_templateDocumentHost = templateDocumentHost; }1348 Document* templateDocumentHost() { return m_templateDocumentHost ; }1347 void setTemplateDocumentHost(Document* templateDocumentHost) { m_templateDocumentHost = makeWeakPtr(templateDocumentHost); } 1348 Document* templateDocumentHost() { return m_templateDocumentHost.get(); } 1349 1349 1350 1350 void didAssociateFormControl(Element&); … … 1924 1924 1925 1925 RefPtr<Document> m_templateDocument; 1926 Document* m_templateDocumentHost { nullptr }; // Manually managed weakref (backpointer from m_templateDocument).1926 WeakPtr<Document> m_templateDocumentHost; // Manually managed weakref (backpointer from m_templateDocument). 1927 1927 1928 1928 Ref<CSSFontSelector> m_fontSelector; -
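Review bot: The member comment at line 1926, `// Manually managed weakref (backpointer from m_templateDocument).`, is now wrong: the point of the change is that the reference is no longer manually managed. Replace it with `// Back-pointer from m_templateDocument to its host; nulls itself when the host Document is destroyed.` so the next reader does not go looking for the manual clearing code. `makeWeakPtr(templateDocumentHost)` at line 1347 relies on the pointer-taking overload yielding an empty WeakPtr for null, which is consistent with the same form used in CachedResourceLoader::setDocument in this changeset.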
trunk/Source/WebCore/dom/DocumentParser.cpp
r191955 r243459 34 34 : m_state(ParsingState) 35 35 , m_documentWasLoadedAsPartOfNavigation(false) 36 , m_document( &document)36 , m_document(makeWeakPtr(document)) 37 37 { 38 38 } -
trunk/Source/WebCore/dom/DocumentParser.h
r233891 r243459 63 63 64 64 // document() will return 0 after detach() is called. 65 Document* document() const { ASSERT(m_document); return m_document ; }65 Document* document() const { ASSERT(m_document); return m_document.get(); } 66 66 67 67 bool isParsing() const { return m_state == ParsingState; } … … 115 115 // Every DocumentParser needs a pointer back to the document. 116 116 // m_document will be 0 after the parser is stopped. 117 Document*m_document;117 WeakPtr<Document> m_document; 118 118 }; 119 119 -
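Review bot: The comments at lines 64 and 116 say `document()` returns 0 after detach() or stop, yet the accessor at line 65 asserts `m_document` is non-null, and with the WeakPtr it now also returns null whenever the Document has been destroyed, a case the assert only catches in debug builds. Reconcile the comment with the code: `// Null after detach()/stop, or once the Document has been destroyed; callers must check before dereferencing.` on line 64, and state on line 116 that the member clears itself when the Document dies rather than only when the parser is stopped.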
trunk/Source/WebCore/dom/ScriptedAnimationController.cpp
r242714 r243459 56 56 57 57 ScriptedAnimationController::ScriptedAnimationController(Document& document) 58 : m_document( &document)58 : m_document(makeWeakPtr(document)) 59 59 , m_animationTimer(*this, &ScriptedAnimationController::animationTimerFired) 60 60 { -
trunk/Source/WebCore/dom/ScriptedAnimationController.h
r242714 r243459 85 85 CallbackList m_callbacks; 86 86 87 Document*m_document;87 WeakPtr<Document> m_document; 88 88 CallbackId m_nextCallbackId { 0 }; 89 89 int m_suspendCount { 0 }; -
trunk/Source/WebCore/html/parser/HTMLScriptRunner.cpp
r234995 r243459 48 48 49 49 HTMLScriptRunner::HTMLScriptRunner(Document& document, HTMLScriptRunnerHost& host) 50 : m_document( &document)50 : m_document(makeWeakPtr(document)) 51 51 , m_host(host) 52 52 , m_scriptNestingLevel(0) … … 259 259 m_parserBlockingScript = PendingScript::create(scriptElement, scriptStartPosition); 260 260 else 261 scriptElement.executeClassicScript(ScriptSourceCode(scriptElement.element().textContent(), documentURLForScriptExecution(m_document ), scriptStartPosition, JSC::SourceProviderSourceType::Program, InlineClassicScript::create(scriptElement)));261 scriptElement.executeClassicScript(ScriptSourceCode(scriptElement.element().textContent(), documentURLForScriptExecution(m_document.get()), scriptStartPosition, JSC::SourceProviderSourceType::Program, InlineClassicScript::create(scriptElement))); 262 262 } else 263 263 requestParsingBlockingScript(scriptElement); -
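Review bot: The inline-script path at line 261 now passes a possibly-null Document to documentURLForScriptExecution and then executes the script regardless; whether that helper tolerates null is not visible, and running a classic script on behalf of a dead Document is never the intended outcome. The element at hand belongs to the document, so this should be unreachable in practice, but the guard is cheap: `if (!m_document) return;` at the start of runScript, whose beginning lies outside the hunk, makes the assumption explicit instead of relying on the helper.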
trunk/Source/WebCore/html/parser/HTMLScriptRunner.h
r210319 r243459 29 29 #include "PendingScript.h" 30 30 #include <wtf/Deque.h> 31 #include <wtf/WeakPtr.h> 31 32 #include <wtf/text/TextPosition.h> 32 33 … … 72 73 bool isPendingScriptReady(const PendingScript&); 73 74 74 Document*m_document;75 WeakPtr<Document> m_document; 75 76 HTMLScriptRunnerHost& m_host; 76 77 RefPtr<PendingScript> m_parserBlockingScript; -
trunk/Source/WebCore/loader/MediaResourceLoader.cpp
r243163 r243459 44 44 MediaResourceLoader::MediaResourceLoader(Document& document, HTMLMediaElement& mediaElement, const String& crossOriginMode) 45 45 : ContextDestructionObserver(&document) 46 , m_document( &document)46 , m_document(makeWeakPtr(document)) 47 47 , m_mediaElement(makeWeakPtr(mediaElement)) 48 48 , m_crossOriginMode(crossOriginMode) -
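Review bot: The constructor at lines 45-47 now tracks the same Document through two mechanisms, the `ContextDestructionObserver(&document)` base with its `contextDestroyed()` override and the new `WeakPtr<Document> m_document`, without saying which one is authoritative. If contextDestroyed() still clears m_document (not visible here), the WeakPtr is a belt-and-braces backup; if it does not, the observer base is now vestigial for this member. Add `// Also cleared via contextDestroyed(); the WeakPtr covers any path where the Document dies without notifying observers.` on the member, or drop the redundant mechanism, so the intended lifetime model is stated.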
trunk/Source/WebCore/loader/MediaResourceLoader.h
r241444 r243459 53 53 void removeResource(MediaResource&); 54 54 55 Document* document() { return m_document ; }55 Document* document() { return m_document.get(); } 56 56 const String& crossOriginMode() const { return m_crossOriginMode; } 57 57 … … 62 62 void contextDestroyed() override; 63 63 64 Document*m_document;64 WeakPtr<Document> m_document; 65 65 WeakPtr<HTMLMediaElement> m_mediaElement; 66 66 String m_crossOriginMode; -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r243319 r243459 579 579 return true; 580 580 case CachedResource::Type::CSSStyleSheet: 581 document = m_document ;581 document = m_document.get(); 582 582 break; 583 583 default: … … 1304 1304 { 1305 1305 RefPtr<DocumentLoader> protectDocumentLoader(m_documentLoader); 1306 RefPtr<Document> protectDocument(m_document );1306 RefPtr<Document> protectDocument(m_document.get()); 1307 1307 1308 1308 ASSERT(shouldPerformPostLoadActions || type == LoadCompletionType::Cancel); -
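Review bot: At line 581, `document = m_document.get()` inside canRequestInContentDispositionAttachmentSandbox can now yield null after the Document has been destroyed, and this function is a security check deciding whether a request is permitted from a Content-Disposition attachment sandbox; the code that consumes `document` after the switch is outside the hunk. Confirm that a null document makes the check fail closed (return false) rather than skipping the sandbox test, and add `// A null document must deny, not bypass the sandbox check.` at the point where `document` is tested so the fail-closed requirement survives future edits.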
trunk/Source/WebCore/loader/cache/CachedResourceLoader.h
r241121 r243459 126 126 127 127 Frame* frame() const; // Can be null 128 Document* document() const { return m_document ; } // Can be null129 void setDocument(Document* document) { m_document = document; }128 Document* document() const { return m_document.get(); } // Can be null 129 void setDocument(Document* document) { m_document = makeWeakPtr(document); } 130 130 void clearDocumentLoader() { m_documentLoader = nullptr; } 131 131 PAL::SessionID sessionID() const; … … 194 194 HashSet<String> m_validatedURLs; 195 195 mutable DocumentResourceMap m_documentResources; 196 Document*m_document;196 WeakPtr<Document> m_document; 197 197 DocumentLoader* m_documentLoader; 198 198
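Review bot: `DocumentLoader* m_documentLoader;` at line 197 is left as a raw pointer with a manual `clearDocumentLoader()` at line 130, so the same dangling-pointer class this commit removes for Document still exists for the loader; loadDone already has to protect it with a RefPtr at line 1305. If DocumentLoader supports makeWeakPtr in this tree (not visible here), convert it the same way; otherwise mark it `// Raw pointer, manually cleared via clearDocumentLoader(); must not outlive the DocumentLoader.` Also extend the comment on line 128 to `// Can be null, including once the Document has been destroyed.` since that is a new way for it to become null.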