Title: [212096] branches/safari-603-branch
- Revision
- 212096
- Author
- matthew_han...@apple.com
- Date
- 2017-02-10 00:16:28 -0800 (Fri, 10 Feb 2017)
Log Message
Merge r212029. rdar://problem/30376972
Modified Paths
Added Paths
Diff
Modified: branches/safari-603-branch/LayoutTests/ChangeLog (212095 => 212096)
--- branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-10 08:16:24 UTC (rev 212095)
+++ branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-10 08:16:28 UTC (rev 212096)
@@ -1,5 +1,22 @@
2017-02-09 Matthew Hanson <matthew_han...@apple.com>
+ Merge r212029. rdar://problem/30376972
+
+ 2017-02-09 Chris Dumez <cdu...@apple.com>
+
+ Make sure Event keeps its current target element alive
+ https://bugs.webkit.org/show_bug.cgi?id=167885
+ <rdar://problem/30376972>
+
+ Reviewed by Brent Fulgham.
+
+ Add layout test reproducing the crash.
+
+ * fast/events/currentTarget-gc-crash-expected.txt: Added.
+ * fast/events/currentTarget-gc-crash.html: Added.
+
+2017-02-09 Matthew Hanson <matthew_han...@apple.com>
+
Merge r212028. rdar://problem/30234133
2017-02-09 Ryosuke Niwa <rn...@webkit.org>
Added: branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt (0 => 212096)
--- branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt 2017-02-10 08:16:28 UTC (rev 212096)
@@ -0,0 +1,9 @@
+This test passes if it does not crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash.html (0 => 212096)
--- branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/currentTarget-gc-crash.html 2017-02-10 08:16:28 UTC (rev 212096)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+function f1() {
+ var iframe = document.getElementById("iframe");
+ iframe.srcdoc = "x";
+ window.frames.event = window.event;
+ gc();
+}
+function f2() {
+ var h = new XMLHttpRequest();
+ h._onreadystatechange_ = f1;
+ h.open("foo", "1");
+ var e = window.event;
+ e.initEvent("1", true, true);
+ try {
+ e.currentTarget.click();
+ } catch(e) { }
+ setTimeout(finishJSTest, 100);
+}
+</script>
+</head>
+<body _onload_="f1()">
+<script>
+description("This test passes if it does not crash");
+jsTestIsAsync = true;
+</script>
+<iframe id="iframe" _onload_="f2()"></iframe>
+<script src=""
+</body>
+</html>
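Review bot: The two `<script src="">` tags at the top and bottom of the test show an empty `src` in this listing, and the handler attributes appear as `_onload_`/`_onreadystatechange_`, which looks like mailing-list mangling of the checked-in file rather than the test as committed; presumably the tags load `../../resources/js-test-pre.js` and `js-test-post.js`, which supply `description`, `jsTestIsAsync`, `finishJSTest` and `gc` — confirm against the repository before relying on this rendering. Otherwise the test exercises the right case: it keeps the Event reachable from script via `window.frames.event = window.event`, forces `gc()`, and then touches `e.currentTarget`, which is exactly the retained-past-dispatch access the fix is meant to make safe.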
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (212095 => 212096)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-10 08:16:24 UTC (rev 212095)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-10 08:16:28 UTC (rev 212096)
@@ -1,5 +1,27 @@
2017-02-09 Matthew Hanson <matthew_han...@apple.com>
+ Merge r212029. rdar://problem/30376972
+
+ 2017-02-09 Chris Dumez <cdu...@apple.com>
+
+ Make sure Event keeps its current target element alive
+ https://bugs.webkit.org/show_bug.cgi?id=167885
+ <rdar://problem/30376972>
+
+ Reviewed by Brent Fulgham.
+
+ Make sure Event keeps its current target element alive to avoid
+ crashes if it is accessed by JS after it has been garbage collected.
+
+ Test: fast/events/currentTarget-gc-crash.html
+
+ * dom/Event.cpp:
+ (WebCore::Event::setCurrentTarget):
+ * dom/Event.h:
+ (WebCore::Event::currentTarget):
+
+2017-02-09 Matthew Hanson <matthew_han...@apple.com>
+
Merge r212028. rdar://problem/30234133
2017-02-09 Ryosuke Niwa <rn...@webkit.org>
Modified: branches/safari-603-branch/Source/WebCore/dom/Event.cpp (212095 => 212096)
--- branches/safari-603-branch/Source/WebCore/dom/Event.cpp 2017-02-10 08:16:24 UTC (rev 212095)
+++ branches/safari-603-branch/Source/WebCore/dom/Event.cpp 2017-02-10 08:16:28 UTC (rev 212096)
@@ -200,6 +200,11 @@
receivedTarget();
}
+void Event::setCurrentTarget(EventTarget* currentTarget)
+{
+ m_currentTarget = currentTarget;
+}
+
Vector<EventTarget*> Event::composedPath() const
{
if (!m_eventPath)
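Review bot: The new out-of-line `Event::setCurrentTarget` carries no comment saying why it left the header, and the reason is not visible in this hunk; presumably `EventTarget` is only forward-declared in Event.h and assigning into the `RefPtr<EventTarget>` member needs the complete type here — confirm. I would add above the definition: `// Out of line: assigning the RefPtr needs the complete EventTarget type, which Event.h only forward-declares.` The `composedPath()` definition that follows starts in this hunk but its body continues past it.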
Modified: branches/safari-603-branch/Source/WebCore/dom/Event.h (212095 => 212096)
--- branches/safari-603-branch/Source/WebCore/dom/Event.h 2017-02-10 08:16:24 UTC (rev 212095)
+++ branches/safari-603-branch/Source/WebCore/dom/Event.h 2017-02-10 08:16:28 UTC (rev 212096)
@@ -105,8 +105,8 @@
EventTarget* target() const { return m_target.get(); }
void setTarget(RefPtr<EventTarget>&&);
- EventTarget* currentTarget() const { return m_currentTarget; }
- void setCurrentTarget(EventTarget* currentTarget) { m_currentTarget = currentTarget; }
+ EventTarget* currentTarget() const { return m_currentTarget.get(); }
+ void setCurrentTarget(EventTarget*);
unsigned short eventPhase() const { return m_eventPhase; }
void setEventPhase(unsigned short eventPhase) { m_eventPhase = eventPhase; }
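Review bot: `currentTarget()` now returns a raw `EventTarget*` out of a `RefPtr` member, but nothing at the declaration records that the Event holds a strong reference, and that lifetime guarantee is the entire point of the change. I would add above the two declarations: `// Strong reference: script can retain the Event (e.g. window.event) past dispatch, so the current target must outlive the raw pointer handed out here (webkit.org/b/167885).` The comment also makes explicit that callers must not cache the returned pointer beyond the Event's own lifetime, which the signature alone does not convey.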
@@ -217,7 +217,7 @@
bool m_isExecutingPassiveEventListener { false };
unsigned short m_eventPhase { 0 };
- EventTarget* m_currentTarget { nullptr };
+ RefPtr<EventTarget> m_currentTarget;
const EventPath* m_eventPath { nullptr };
RefPtr<EventTarget> m_target;
DOMTimeStamp m_createTime;
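Review bot: `m_eventPath` on the line directly below the changed member is still a raw `const EventPath*`, and the layout test in this commit shows script can keep the Event alive across `gc()` after dispatch; if the EventPath is owned by the dispatcher and not reset when dispatch ends, `composedPath()` in Event.cpp would dereference it through the same lifetime gap this patch closes for `m_currentTarget`. The dispatch code is not in this hunk, so this is a point to confirm rather than a found defect. If it is reset, a comment on the member would save the next reader the same question: `// Non-owning; only valid during dispatch — the dispatcher must clear it before returning.`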