Title: [227082] trunk
Revision
227082
Author
an...@apple.com
Date
2018-01-17 13:53:26 -0800 (Wed, 17 Jan 2018)

Log Message

REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
https://bugs.webkit.org/show_bug.cgi?id=181742
<rdar://problem/36334726>

Reviewed by David Kilzer.

Source/WebCore:

Test: fast/media/mediaqueryevaluator-crash.html

* css/MediaQueryEvaluator.cpp:
(WebCore::MediaQueryEvaluator::MediaQueryEvaluator):

Use WeakPtr<Document> instead of a plain Frame pointer.

(WebCore::MediaQueryEvaluator::evaluate const):

Get the frame via document.

* css/MediaQueryEvaluator.h:
* dom/Document.cpp:
(WebCore::Document::prepareForDestruction):

Take care to clear style resolver.

LayoutTests:

* fast/media/mediaqueryevaluator-crash-expected.txt: Added.
* fast/media/mediaqueryevaluator-crash.html: Added.

Modified: trunk/LayoutTests/ChangeLog (227081 => 227082)


--- trunk/LayoutTests/ChangeLog	2018-01-17 21:37:47 UTC (rev 227081)
+++ trunk/LayoutTests/ChangeLog	2018-01-17 21:53:26 UTC (rev 227082)
@@ -1,3 +1,14 @@
+2018-01-17  Antti Koivisto  <an...@apple.com>
+
+        REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+        https://bugs.webkit.org/show_bug.cgi?id=181742
+        <rdar://problem/36334726>
+
+        Reviewed by David Kilzer.
+
+        * fast/media/mediaqueryevaluator-crash-expected.txt: Added.
+        * fast/media/mediaqueryevaluator-crash.html: Added.
+
 2018-01-17  Matt Lewis  <jlew...@apple.com>
 
         Marked inspector/worker/worker-recover-if-inspector-close.html as flaky on macOS

Added: trunk/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt (0 => 227082)


--- trunk/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt	2018-01-17 21:53:26 UTC (rev 227082)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/media/mediaqueryevaluator-crash.html (0 => 227082)


--- trunk/LayoutTests/fast/media/mediaqueryevaluator-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/media/mediaqueryevaluator-crash.html	2018-01-17 21:53:26 UTC (rev 227082)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<iframe id="webtest0"></iframe>
+<script id="webtest1">
+if (window.testRunner)
+    testRunner.dumpAsText();
+framedoc = frames[0].document.documentElement;
+document.body.innerText = 'PASS';
+framedoc.innerHTML = '<title>';
+framedoc.getElementsByTagName('title')[0].innerText = 'a';
+</script>
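Review bot: The new test file does not say what it guards, so a future reader has to go back to the bug to learn why rewriting the iframe's `<title>` matters. A leading comment would fix that: `<!-- Regression test for https://bugs.webkit.org/show_bug.cgi?id=181742: replacing the iframe document's <title> must not crash in MediaQueryEvaluator::evaluate. -->`. Writing `PASS` into the body before the mutation lines is fine, since the test only has to survive them.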

Modified: trunk/Source/WebCore/ChangeLog (227081 => 227082)


--- trunk/Source/WebCore/ChangeLog	2018-01-17 21:37:47 UTC (rev 227081)
+++ trunk/Source/WebCore/ChangeLog	2018-01-17 21:53:26 UTC (rev 227082)
@@ -1,3 +1,28 @@
+2018-01-17  Antti Koivisto  <an...@apple.com>
+
+        REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+        https://bugs.webkit.org/show_bug.cgi?id=181742
+        <rdar://problem/36334726>
+
+        Reviewed by David Kilzer.
+
+        Test: fast/media/mediaqueryevaluator-crash.html
+
+        * css/MediaQueryEvaluator.cpp:
+        (WebCore::MediaQueryEvaluator::MediaQueryEvaluator):
+
+        Use WeakPtr<Document> instead of a plain Frame pointer.
+
+        (WebCore::MediaQueryEvaluator::evaluate const):
+
+        Get the frame via document.
+
+        * css/MediaQueryEvaluator.h:
+        * dom/Document.cpp:
+        (WebCore::Document::prepareForDestruction):
+
+        Take care to clear style resolver.
+
 2018-01-17  Youenn Fablet  <you...@apple.com>
 
         Put fetch request keepAlive behind a runtime flag

Modified: trunk/Source/WebCore/css/MediaQueryEvaluator.cpp (227081 => 227082)


--- trunk/Source/WebCore/css/MediaQueryEvaluator.cpp	2018-01-17 21:37:47 UTC (rev 227081)
+++ trunk/Source/WebCore/css/MediaQueryEvaluator.cpp	2018-01-17 21:53:26 UTC (rev 227082)
@@ -109,7 +109,7 @@
 
 MediaQueryEvaluator::MediaQueryEvaluator(const String& acceptedMediaType, const Document& document, const RenderStyle* style)
     : m_mediaType(acceptedMediaType)
-    , m_frame(document.frame())
+    , m_document(const_cast<Document&>(document).createWeakPtr())
     , m_style(style)
 {
 }
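Review bot: The `const_cast<Document&>(document).createWeakPtr()` initializer on the new line has no comment, and a cast away from const in a constructor that takes `const Document&` will make readers wonder whether the evaluator mutates the document. Presumably the cast exists only because `createWeakPtr()` is non-const; a one-liner would settle that: `, m_document(const_cast<Document&>(document).createWeakPtr()) // createWeakPtr() is non-const; the evaluator only reads through the pointer`. If Document can offer a const-qualified `createWeakPtr()` overload the cast could go away entirely, but Document.h is not in this diff so I cannot confirm.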
@@ -137,7 +137,7 @@
 
 bool MediaQueryEvaluator::evaluate(const MediaQuerySet& querySet, StyleResolver* styleResolver) const
 {
-    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_frame && m_frame->document() ? m_frame->document()->url().string() : emptyString()));
+    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_document ? m_document->url().string() : emptyString()));
 
     auto& queries = querySet.queryVector();
     if (!queries.size()) {
@@ -769,9 +769,14 @@
 
 bool MediaQueryEvaluator::evaluate(const MediaQueryExpression& _expression_) const
 {
-    if (!m_frame || !m_frame->view() || !m_style)
+    if (!m_document)
         return m_fallbackResult;
 
+    Document& document = *m_document;
+    auto* frame = document.frame();
+    if (!frame || !frame->view() || !m_style)
+        return m_fallbackResult;
+
     if (!_expression_.isValid())
         return false;
 
@@ -787,10 +792,9 @@
     if (!function)
         return false;
 
-    Document& document = *m_frame->document();
     if (!document.documentElement())
         return false;
-    return function(_expression_.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *m_frame, NoPrefix);
+    return function(_expression_.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *frame, NoPrefix);
 }
 
 bool MediaQueryEvaluator::mediaAttributeMatches(Document& document, const String& attributeValue)

Modified: trunk/Source/WebCore/css/MediaQueryEvaluator.h (227081 => 227082)


--- trunk/Source/WebCore/css/MediaQueryEvaluator.h	2018-01-17 21:37:47 UTC (rev 227081)
+++ trunk/Source/WebCore/css/MediaQueryEvaluator.h	2018-01-17 21:53:26 UTC (rev 227082)
@@ -28,6 +28,7 @@
 #pragma once
 
 #include "MediaQueryExpression.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -74,7 +75,7 @@
 
 private:
     String m_mediaType;
-    Frame* m_frame { nullptr }; // not owned
+    WeakPtr<Document> m_document;
     const RenderStyle* m_style { nullptr };
     bool m_fallbackResult { false };
 };
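Review bot: The removed `// not owned` comment is adequately replaced by the `WeakPtr<Document>` type, but the member still deserves a note on what a null WeakPtr means to users of the class, since that is the whole point of the change. Suggested: `WeakPtr<Document> m_document; // null once the Document dies; the expression overload of evaluate() then returns m_fallbackResult`. The class body and its constructor lie outside this hunk.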

Modified: trunk/Source/WebCore/dom/Document.cpp (227081 => 227082)


--- trunk/Source/WebCore/dom/Document.cpp	2018-01-17 21:37:47 UTC (rev 227081)
+++ trunk/Source/WebCore/dom/Document.cpp	2018-01-17 21:53:26 UTC (rev 227082)
@@ -2361,6 +2361,8 @@
     if (m_domWindow && m_frame)
         m_domWindow->willDetachDocumentFromFrame();
 
+    styleScope().clearResolver();
+
     if (hasLivingRenderTree())
         destroyRenderTree();
 