Title: [215011] releases/WebKitGTK/webkit-2.14
Revision: 215011
Author: carlo...@webkit.org
Date: 2017-04-06 03:09:31 -0700 (Thu, 06 Apr 2017)
Log Message
Merge r212029 - Make sure Event keeps its current target element alive
https://bugs.webkit.org/show_bug.cgi?id=167885
<rdar://problem/30376972>
Patch by Chris Dumez <cdu...@apple.com> on 2017-02-09
Reviewed by Brent Fulgham.
Source/WebCore:
Make sure Event keeps its current target element alive to avoid
crashes if it is accessed by JS after it has been garbage collected.
Test: fast/events/currentTarget-gc-crash.html
* dom/Event.cpp:
(WebCore::Event::setCurrentTarget):
* dom/Event.h:
(WebCore::Event::currentTarget):
LayoutTests:
Add layout test reproducing the crash.
* fast/events/currentTarget-gc-crash-expected.txt: Added.
* fast/events/currentTarget-gc-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (215010 => 215011)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 10:04:21 UTC (rev 215010)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 10:09:31 UTC (rev 215011)
@@ -1,3 +1,16 @@
+2017-02-09 Chris Dumez <cdu...@apple.com>
+
+ Make sure Event keeps its current target element alive
+ https://bugs.webkit.org/show_bug.cgi?id=167885
+ <rdar://problem/30376972>
+
+ Reviewed by Brent Fulgham.
+
+ Add layout test reproducing the crash.
+
+ * fast/events/currentTarget-gc-crash-expected.txt: Added.
+ * fast/events/currentTarget-gc-crash.html: Added.
+
2017-02-09 Ryosuke Niwa <rn...@webkit.org>
Crash in render tree after dynamically mutating the slot value
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt (0 => 215011)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash-expected.txt 2017-04-06 10:09:31 UTC (rev 215011)
@@ -0,0 +1,9 @@
+This test passes if it does not crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash.html (0 => 215011)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/events/currentTarget-gc-crash.html 2017-04-06 10:09:31 UTC (rev 215011)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+function f1() {
+ var iframe = document.getElementById("iframe");
+ iframe.srcdoc = "x";
+ window.frames.event = window.event;
+ gc();
+}
+function f2() {
+ var h = new XMLHttpRequest();
+ h._onreadystatechange_ = f1;
+ h.open("foo", "1");
+ var e = window.event;
+ e.initEvent("1", true, true);
+ try {
+ e.currentTarget.click();
+ } catch(e) { }
+ setTimeout(finishJSTest, 100);
+}
+</script>
+</head>
+<body _onload_="f1()">
+<script>
+description("This test passes if it does not crash");
+jsTestIsAsync = true;
+</script>
+<iframe id="iframe" _onload_="f2()"></iframe>
+<script src=""
+</body>
+</html>
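Review bot: the two `+<script src=""` tags (one before the inline script in `<head>`, one at the end of `<body>`) have an empty `src` and no closing `>` or `</script>`, yet the file relies on `description()`, `jsTestIsAsync` and `finishJSTest`, none of which it defines, so the harness includes need to be restored before this lands. Likewise `_onload_` (on `<body>` and on the `<iframe>`) and `h._onreadystatechange_` are not the standard `onload` / `onreadystatechange` names, so as written neither `f1` nor `f2` runs and the test passes without ever exercising the path it is meant to cover. The file also calls `gc()` without defining it; a short comment that the test depends on the test runner exposing `gc()` would help, since the check is only meaningful when a collection actually happens between `f1` and the `e.currentTarget.click()` call in `f2`.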
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (215010 => 215011)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 10:04:21 UTC (rev 215010)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 10:09:31 UTC (rev 215011)
@@ -1,3 +1,21 @@
+2017-02-09 Chris Dumez <cdu...@apple.com>
+
+ Make sure Event keeps its current target element alive
+ https://bugs.webkit.org/show_bug.cgi?id=167885
+ <rdar://problem/30376972>
+
+ Reviewed by Brent Fulgham.
+
+ Make sure Event keeps its current target element alive to avoid
+ crashes if it is accessed by JS after it has been garbage collected.
+
+ Test: fast/events/currentTarget-gc-crash.html
+
+ * dom/Event.cpp:
+ (WebCore::Event::setCurrentTarget):
+ * dom/Event.h:
+ (WebCore::Event::currentTarget):
+
2017-02-09 Ryosuke Niwa <rn...@webkit.org>
Crash in render tree after dynamically mutating the slot value
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.cpp (215010 => 215011)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.cpp 2017-04-06 10:04:21 UTC (rev 215010)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.cpp 2017-04-06 10:09:31 UTC (rev 215011)
@@ -192,6 +192,11 @@
receivedTarget();
}
+void Event::setCurrentTarget(EventTarget* currentTarget)
+{
+ m_currentTarget = currentTarget;
+}
+
Vector<EventTarget*> Event::composedPath() const
{
if (!m_eventPath)
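Review bot: with `m_currentTarget` now a `RefPtr`, this assignment takes a strong reference, so an Event that script retains (as the new test does via `window.frames.event`) keeps its last current target alive for the lifetime of the event object rather than just the dispatch; confirm that the dispatcher resets it with `setCurrentTarget(nullptr)` once the listener chain finishes, otherwise a retained event pins the target node (and whatever that node keeps alive) for no reason. A one-line comment on why the definition moved out of the header would also save the next reader a diff lookup.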
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.h (215010 => 215011)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.h 2017-04-06 10:04:21 UTC (rev 215010)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Event.h 2017-04-06 10:09:31 UTC (rev 215011)
@@ -106,8 +106,8 @@
EventTarget* target() const { return m_target.get(); }
void setTarget(RefPtr<EventTarget>&&);
- EventTarget* currentTarget() const { return m_currentTarget; }
- void setCurrentTarget(EventTarget* currentTarget) { m_currentTarget = currentTarget; }
+ EventTarget* currentTarget() const { return m_currentTarget.get(); }
+ void setCurrentTarget(EventTarget*);
unsigned short eventPhase() const { return m_eventPhase; }
void setEventPhase(unsigned short eventPhase) { m_eventPhase = eventPhase; }
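Review bot: `setCurrentTarget` still takes a raw `EventTarget*` while the neighbouring `setTarget` takes `RefPtr<EventTarget>&&`; taking the parameter as `RefPtr<EventTarget>&&` (or by value) would make the ownership transfer explicit and keep the two setters consistent. Note also that `currentTarget()` still returns a raw pointer via `.get()`, so a caller that caches that pointer beyond the point where the event itself may be released keeps the original hazard; the change only protects callers that re-read `currentTarget()` from a live event.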
@@ -221,7 +221,7 @@
bool m_isExecutingPassiveEventListener { false };
unsigned short m_eventPhase { 0 };
- EventTarget* m_currentTarget { nullptr };
+ RefPtr<EventTarget> m_currentTarget;
const EventPath* m_eventPath { nullptr };
RefPtr<EventTarget> m_target;
DOMTimeStamp m_createTime;
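Review bot: dropping the `{ nullptr }` initializer is correct since `RefPtr` default-constructs to null, but `m_currentTarget` now sits two lines above the existing `RefPtr<EventTarget> m_target` with a raw `const EventPath*` between them; grouping the two `RefPtr<EventTarget>` members together would make it easier to see that both targets are now owned by the event.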
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes