Changeset 195606 in webkit


Timestamp: Jan 26, 2016 12:07:07 PM (8 years ago)
Author: hyatt@apple.com
Message:

Speculative fixes for crashing in viewportChangeAffectedPicture
https://bugs.webkit.org/show_bug.cgi?id=153450

Reviewed by Dean Jackson.

Don't attach any conditions to the removal of a picture element from
the document's HashSet. This ensures that if the condition is ever
wrong for any reason, we'll still remove the picture element on
destruction.

Fix the media query evaluation to match the other evaluations (used by
the preload scanner and HTMLImageElement). This includes using the
document element's computed style instead of our own and also null
checking the document element first. This is the likely cause of the
crashes.

  • html/HTMLPictureElement.cpp:

(WebCore::HTMLPictureElement::~HTMLPictureElement):
(WebCore::HTMLPictureElement::didMoveToNewDocument):
(WebCore::HTMLPictureElement::viewportChangeAffectedPicture):

Location: trunk/Source/WebCore
Files: 2 edited

  • trunk/Source/WebCore/ChangeLog

    r195605 r195606  
     12016-01-25  Dave Hyatt  <hyatt@apple.com>
     2
     3        Speculative fixes for crashing in viewportChangeAffectedPicture
     4        https://bugs.webkit.org/show_bug.cgi?id=153450
     5
     6        Reviewed by Dean Jackson.
     7
     8        Don't attach any conditions to the removal of a picture element from
     9        the document's HashSet. This ensures that if the condition is ever
     10        wrong for any reason, we'll still remove the picture element on
     11        destruction.
     12
     13        Fix the media query evaluation to match the other evaluations (used by
     14        the preload scanner and HTMLImageElement). This includes using the
     15        document element's computed style instead of our own and also null
     16        checking the document element first. This is the likely cause of the
     17        crashes.
     18
     19        * html/HTMLPictureElement.cpp:
     20        (WebCore::HTMLPictureElement::~HTMLPictureElement):
     21        (WebCore::HTMLPictureElement::didMoveToNewDocument):
     22        (WebCore::HTMLPictureElement::viewportChangeAffectedPicture):
     23
    1242016-01-26  Chris Dumez  <cdumez@apple.com>
    225
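Review bot: the new ChangeLog entry is dated 2016-01-25 (new line 1) while the changeset timestamp is Jan 26, 2016 and the existing entry it is placed above (Chris Dumez, line 24) is dated 2016-01-26, so either the date should read 2016-01-26 or the entry is out of order; worth fixing before landing. The body of the entry otherwise matches the commit message.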
  • trunk/Source/WebCore/html/HTMLPictureElement.cpp

    r193859 r195606  
    4040HTMLPictureElement::~HTMLPictureElement()
    4141{
    42     if (hasViewportDependentResults())
    43         document().removeViewportDependentPicture(*this);
     42    document().removeViewportDependentPicture(*this);
    4443}
    4544
    4645void HTMLPictureElement::didMoveToNewDocument(Document* oldDocument)
    4746{
    48     if (hasViewportDependentResults() && oldDocument)
     47    if (oldDocument)
    4948        oldDocument->removeViewportDependentPicture(*this);
    5049    HTMLElement::didMoveToNewDocument(oldDocument);
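Review bot: dropping the hasViewportDependentResults() guard in ~HTMLPictureElement (new line 42) and in didMoveToNewDocument (new line 47) means Document::removeViewportDependentPicture is now called for every picture element, so it must be safe for an element that was never added to the set (a plain HashSet::remove is; an ASSERT on membership inside it would now fire on every picture teardown). Worth confirming. The ChangeLog also concedes the guard can be "wrong"; if that predicate can go stale relative to set membership, the path that adds the element to the set deserves the same look, since a set entry that outlives its element is exactly the dangling-pointer crash this change is trying to avoid.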
     
    6564bool HTMLPictureElement::viewportChangeAffectedPicture()
    6665{
    67     MediaQueryEvaluator evaluator(document().printing() ? "print" : "screen", document().frame(), computedStyle());
     66    MediaQueryEvaluator evaluator(document().printing() ? "print" : "screen", document().frame(), document().documentElement() ? document().documentElement()->computedStyle() : nullptr);
    6867    unsigned numResults = m_viewportDependentMediaQueryResults.size();
    6968    for (unsigned i = 0; i < numResults; i++) {
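Review bot: on new line 66, document().documentElement() is evaluated twice and the line is very long; hoisting it into a local reads better and avoids the repeated lookup, e.g. `auto* documentElement = document().documentElement();` followed by `MediaQueryEvaluator evaluator(document().printing() ? "print" : "screen", document().frame(), documentElement ? documentElement->computedStyle() : nullptr);`. Behaviourally the evaluator now receives the root element's style (or nullptr) instead of this picture's own computedStyle(), which the ChangeLog says matches HTMLImageElement and the preload scanner; since nullptr is now a deliberate input, MediaQueryEvaluator has to tolerate a null style, and that same tolerance would also cover the case where documentElement()->computedStyle() itself yields null.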