Changeset 289567 in webkit

Timestamp:

Feb 10, 2022, 12:23:37 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Crash in in WebCore::CSSStyleSheet::didMutateRules
​https://bugs.webkit.org/show_bug.cgi?id=236450

Patch by Gabriel Nava Marino <​gnavamarino@apple.com> on 2022-02-10
Reviewed by Antti Koivisto.

Replace the raw pointer rule in RuleMutationScope with a RefPtr so it can be accessible
for the scope.

• css/CSSStyleSheet.cpp:

(WebCore::CSSStyleSheet::RuleMutationScope::~RuleMutationScope):

• css/CSSStyleSheet.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• css/CSSStyleSheet.cpp (modified) (1 diff)
• css/CSSStyleSheet.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-02-10  Gabriel Nava Marino  <gnavamarino@apple.com>
+
+        Crash in in WebCore::CSSStyleSheet::didMutateRules
+        https://bugs.webkit.org/show_bug.cgi?id=236450
+
+        Reviewed by Antti Koivisto.
+
+        Replace the raw pointer rule in RuleMutationScope with a RefPtr so it can be accessible 
+        for the scope.
+
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::RuleMutationScope::~RuleMutationScope):
+        * css/CSSStyleSheet.h:
+
 2022-02-10  Tim Nguyen  <ntim@apple.com>
 

trunk/Source/WebCore/css/CSSStyleSheet.cpp

@@ -419 +419 @@
 {
     if (m_styleSheet)
-        m_styleSheet->didMutateRules(m_mutationType, m_contentsWereClonedForMutation, m_insertedKeyframesRule, m_modifiedKeyframesRuleName);
-}
-
-}
+        m_styleSheet->didMutateRules(m_mutationType, m_contentsWereClonedForMutation, m_insertedKeyframesRule.get(), m_modifiedKeyframesRuleName);
+}
+
+}

trunk/Source/WebCore/css/CSSStyleSheet.h

@@ -110 +110 @@
         RuleMutationType m_mutationType;
         WhetherContentsWereClonedForMutation m_contentsWereClonedForMutation;
-        StyleRuleKeyframes* m_insertedKeyframesRule;
+        RefPtr<StyleRuleKeyframes> m_insertedKeyframesRule;
         String m_modifiedKeyframesRuleName;
     };