Changeset 227082 in webkit


Timestamp:
Jan 17, 2018 1:53:26 PM (6 years ago)
Author:
Antti Koivisto
Message:

REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
https://bugs.webkit.org/show_bug.cgi?id=181742
<rdar://problem/36334726>

Reviewed by David Kilzer.

Source/WebCore:

Test: fast/media/mediaqueryevaluator-crash.html

  • css/MediaQueryEvaluator.cpp:

(WebCore::MediaQueryEvaluator::MediaQueryEvaluator):

Use WeakPtr<Document> instead of a plain Frame pointer.

(WebCore::MediaQueryEvaluator::evaluate const):

Get the frame via document.

  • css/MediaQueryEvaluator.h:
  • dom/Document.cpp:

(WebCore::Document::prepareForDestruction):

Take care to clear style resolver.

LayoutTests:

  • fast/media/mediaqueryevaluator-crash-expected.txt: Added.
  • fast/media/mediaqueryevaluator-crash.html: Added.
Location:
trunk
Files:
2 added
5 edited

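--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,13 @@
+2018-01-17  Antti Koivisto  <antti@apple.com>
+
+        REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+        https://bugs.webkit.org/show_bug.cgi?id=181742
+        <rdar://problem/36334726>
+
+        Reviewed by David Kilzer.
+
+        * fast/media/mediaqueryevaluator-crash-expected.txt: Added.
+        * fast/media/mediaqueryevaluator-crash.html: Added.
+
 2018-01-17  Matt Lewis  <jlewis3@apple.com>
 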
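--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,27 @@
+2018-01-17  Antti Koivisto  <antti@apple.com>
+
+        REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+        https://bugs.webkit.org/show_bug.cgi?id=181742
+        <rdar://problem/36334726>
+
+        Reviewed by David Kilzer.
+
+        Test: fast/media/mediaqueryevaluator-crash.html
+
+        * css/MediaQueryEvaluator.cpp:
+        (WebCore::MediaQueryEvaluator::MediaQueryEvaluator):
+
+        Use WeakPtr<Document> instead of a plain Frame pointer.
+
+        (WebCore::MediaQueryEvaluator::evaluate const):
+
+        Get the frame via document.
+
+        * css/MediaQueryEvaluator.h:
+        * dom/Document.cpp:
+        (WebCore::Document::prepareForDestruction):
+
+        Take care to clear style resolver.
+
 2018-01-17  Youenn Fablet  <youenn@apple.com>
 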
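--- a/trunk/Source/WebCore/css/MediaQueryEvaluator.cpp
+++ b/trunk/Source/WebCore/css/MediaQueryEvaluator.cpp
@@ -110,5 +110,5 @@
 MediaQueryEvaluator::MediaQueryEvaluator(const String& acceptedMediaType, const Document& document, const RenderStyle* style)
     : m_mediaType(acceptedMediaType)
-    , m_frame(document.frame())
+    , m_document(const_cast<Document&>(document).createWeakPtr())
     , m_style(style)
 {
@@ -138,5 +138,5 @@
 bool MediaQueryEvaluator::evaluate(const MediaQuerySet& querySet, StyleResolver* styleResolver) const
 {
-    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_frame && m_frame->document() ? m_frame->document()->url().string() : emptyString()));
+    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_document ? m_document->url().string() : emptyString()));
 
     auto& queries = querySet.queryVector();
@@ -770,5 +770,10 @@
 bool MediaQueryEvaluator::evaluate(const MediaQueryExpression& expression) const
 {
-    if (!m_frame || !m_frame->view() || !m_style)
+    if (!m_document)
+        return m_fallbackResult;
+
+    Document& document = *m_document;
+    auto* frame = document.frame();
+    if (!frame || !frame->view() || !m_style)
         return m_fallbackResult;
 
@@ -788,8 +793,7 @@
         return false;
 
-    Document& document = *m_frame->document();
     if (!document.documentElement())
         return false;
-    return function(expression.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *m_frame, NoPrefix);
+    return function(expression.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *frame, NoPrefix);
 }
 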
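Review bot: The constructor (new line 112) removes const from its `const Document&` parameter with `const_cast<Document&>(document).createWeakPtr()`, so the signature still promises a read-only document while the evaluator keeps a non-const weak handle to it. The uses visible in these hunks (`url()`, `frame()`, `documentElement()`, `renderView()`) only read from the document, so I would state that next to the cast, e.g. `// const_cast only to obtain a WeakPtr; the document is not modified through m_document.` That claim should be checked against the rest of the file, since the constructor body and both evaluate() bodies continue outside the hunks.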
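--- a/trunk/Source/WebCore/css/MediaQueryEvaluator.h
+++ b/trunk/Source/WebCore/css/MediaQueryEvaluator.h
@@ -29,4 +29,5 @@
 
 #include "MediaQueryExpression.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
@@ -75,5 +76,5 @@
 private:
     String m_mediaType;
-    Frame* m_frame { nullptr }; // not owned
+    WeakPtr<Document> m_document;
     const RenderStyle* m_style { nullptr };
     bool m_fallbackResult { false };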
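Review bot: The `// not owned` comment is removed together with `m_frame`, which leaves `m_style` as the evaluator's remaining raw, non-owning pointer with no lifetime note; the `!m_style` null check in evaluate(const MediaQueryExpression&) cannot detect a RenderStyle that has already been freed. I would document both members, e.g. `WeakPtr<Document> m_document; // null once the Document is gone; evaluate(const MediaQueryExpression&) then returns m_fallbackResult` and `const RenderStyle* m_style { nullptr }; // not owned`. Who keeps the style alive is not visible on this page, so the second comment deliberately says no more than that. The class definition starts and ends outside the hunk.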
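--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -2362,4 +2362,6 @@
         m_domWindow->willDetachDocumentFromFrame();
 
+    styleScope().clearResolver();
+
     if (hasLivingRenderTree())
         destroyRenderTree();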
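Review bot: The added `styleScope().clearResolver();` (new line 2364) has no comment saying why the resolver must be dropped at this point, ahead of `destroyRenderTree()`, so a later reorder or cleanup could remove it without anyone noticing the crash it guards against. The commit message only says "Take care to clear style resolver"; presumably the resolver holds the MediaQueryEvaluator objects this changeset is about, which is worth confirming and then recording, e.g. `// Clear the resolver before teardown so nothing evaluates media queries against a document that is going away.` prepareForDestruction() starts and ends outside the hunk.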