Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,3 +1,50 @@
+2019-05-28 Brent Fulgham <bfulg...@apple.com>
+
+ Protect frames during style and layout changes
+ https://bugs.webkit.org/show_bug.cgi?id=198047
+ <rdar://problem/50954082>
+
+ Reviewed by Zalan Bujtas.
+
+ Be more careful about the scope and lifetime of objects that participate in layout or
+ style updates. If a method decides a layout or style update is needed, it needs to
+ confirm that the elements it was operating on are still valid and needed in the
+ current operation.
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::getOrCreate):
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::accessibilityHitTest const):
+ * css/CSSComputedStyleDeclaration.cpp:
+ (WebCore::ComputedStyleExtractor::valueForPropertyinStyle):
+ * css/CSSComputedStyleDeclaration.h:
+ * css/SVGCSSComputedStyleDeclaration.cpp:
+ (WebCore::ComputedStyleExtractor::svgPropertyValue):
+ * dom/Document.cpp:
+ (WebCore::Document::setFocusedElement):
+ * editing/TypingCommand.cpp:
+ (WebCore::TypingCommand::insertTextRunWithoutNewlines):
+ (WebCore::TypingCommand::insertLineBreak):
+ (WebCore::TypingCommand::insertParagraphSeparator):
+ (WebCore::TypingCommand::insertParagraphSeparatorInQuotedContent):
+ * editing/ios/EditorIOS.mm:
+ (WebCore::Editor::setDictationPhrasesAsChildOfElement):
+ * html/HTMLLabelElement.cpp:
+ (WebCore::HTMLLabelElement::focus):
+ * html/HTMLTextAreaElement.cpp:
+ (WebCore::HTMLTextAreaElement::appendFormData):
+ * html/ImageDocument.cpp:
+ (WebCore::ImageDocument::imageClicked):
+ * html/ValidationMessage.cpp:
+ (WebCore::ValidationMessage::buildBubbleTree):
+ * page/FrameView.cpp:
+ (WebCore::FrameView::autoSizeIfEnabled):
+ (WebCore::FrameView::trackedRepaintRectsAsText const):
+ * page/PrintContext.cpp:
+ (WebCore::PrintContext::pageProperty):
+ (WebCore::PrintContext::numberOfPages):
+ (WebCore::PrintContext::spoolAllPagesWithBoundaries):
+
2019-05-23 Zalan Bujtas <za...@apple.com>
[Hittest] Move hittesting from RenderView to Document
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -594,6 +594,8 @@
if (!inCanvasSubtree && !isHidden && !insideMeterElement)
return nullptr;
+ auto protectedNode = makeRef(*node);
+
// Fallback content is only focusable as long as the canvas is displayed and visible.
// Update the style before Element::isFocusable() gets called.
if (inCanvasSubtree)
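Review bot: `protectedNode` is constructed and never read afterwards, so a reader may take it for an unused variable; a one-line comment stating the intent would help, e.g. `// Keep the node alive: the style update below may release it.` (presumably the reason, given the ChangeLog). The same undocumented RAII protector pattern appears in HTMLLabelElement::focus, HTMLTextAreaElement::appendFormData, FrameView::autoSizeIfEnabled, the three PrintContext functions, -[DOMRange renderedImageForcingBlackText:] and both WebHTMLView methods in this commit, and one comment at each site would carry the intent. getOrCreate's body starts and ends outside the hunk, so whether `node` is already known non-null before `makeRef(*node)` cannot be seen here.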
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
-* Copyright (C) 2008 Apple Inc. All rights reserved.
+* Copyright (C) 2008-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -2364,6 +2364,9 @@
m_renderer->document().updateLayout();
+ if (!m_renderer || !m_renderer->hasLayer())
+ return nullptr;
+
RenderLayer* layer = downcast<RenderBox>(*m_renderer).layer();
HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::AccessibilityHitTest);
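Review bot: The new guard checks `hasLayer()` but the next line still performs `downcast<RenderBox>(*m_renderer)` unconditionally; if any non-box renderer can carry a layer, the unchecked cast is the remaining hazard after `updateLayout()`. Consider `if (!m_renderer || !is<RenderBox>(*m_renderer) || !m_renderer->hasLayer()) return nullptr;` so the guard covers what the following line actually assumes. accessibilityHitTest's body starts and ends outside the hunk.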
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004 Zack Rusin <z...@kde.org>
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
* Copyright (C) 2007 Alexey Proskuryakov <a...@webkit.org>
* Copyright (C) 2007 Nicholas Shanks <web...@nickshanks.com>
* Copyright (C) 2011 Sencha, Inc. All rights reserved.
@@ -4214,7 +4214,7 @@
case CSSPropertyKerning:
case CSSPropertyTextAnchor:
case CSSPropertyVectorEffect:
- return svgPropertyValue(propertyID, DoNotUpdateLayout);
+ return svgPropertyValue(propertyID);
case CSSPropertyCustom:
ASSERT_NOT_REACHED();
return nullptr;
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.h (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.h 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/css/CSSComputedStyleDeclaration.h 2019-07-01 11:03:41 UTC (rev 246993)
@@ -87,7 +87,7 @@
// no pseudo-element.
RenderElement* styledRenderer() const;
- RefPtr<CSSValue> svgPropertyValue(CSSPropertyID, EUpdateLayout);
+ RefPtr<CSSValue> svgPropertyValue(CSSPropertyID);
Ref<CSSValue> adjustSVGPaintForCurrentColor(SVGPaintType, const String& url, const Color&, const Color& currentColor) const;
static Ref<CSSValue> valueForShadow(const ShadowData*, CSSPropertyID, const RenderStyle&, AdjustPixelValuesForComputedStyle = AdjustPixelValues);
Ref<CSSPrimitiveValue> currentColorOrValidColor(const RenderStyle*, const Color&) const;
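Review bot: `svgPropertyValue` loses its `EUpdateLayout` parameter here and in the SVGCSSComputedStyleDeclaration.cpp hunk, where the layout call is removed from the body, yet the declaration carries no comment saying the function no longer refreshes layout and relies on `computedStyle()` being current. The only caller visible in this diff, in CSSComputedStyleDeclaration.cpp, passed `DoNotUpdateLayout`, so behavior there is unchanged; other callers, if any, cannot be seen from the diff. Suggest `// Does not update layout; callers needing laid-out values must update it themselves.` above the declaration.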
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,6 +1,7 @@
/*
Copyright (C) 2007 Eric Seidel <e...@webkit.org>
Copyright (C) 2007 Alexey Proskuryakov <a...@webkit.org>
+ Copyright (C) 2019 Apple Inc. All rights reserved.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
@@ -81,15 +82,11 @@
return CSSPrimitiveValue::create(color);
}
-RefPtr<CSSValue> ComputedStyleExtractor::svgPropertyValue(CSSPropertyID propertyID, EUpdateLayout updateLayout)
+RefPtr<CSSValue> ComputedStyleExtractor::svgPropertyValue(CSSPropertyID propertyID)
{
if (!m_element)
return nullptr;
- // Make sure our layout is up to date before we allow a query on these attributes.
- if (updateLayout)
- m_element->document().updateLayout();
-
auto* style = m_element->computedStyle();
if (!style)
return nullptr;
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -4335,8 +4335,8 @@
}
if (focusWidget)
focusWidget->setFocus(true);
- else
- view()->setFocus(true);
+ else if (auto* frameView = view())
+ frameView->setFocus(true);
}
}
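Review bot: The `else if (auto* frameView = view())` branch now silently skips the focus update when the view is gone, and nothing records why `view()` can be null at this point. A short comment would keep the next maintainer from "simplifying" it back, e.g. `// view() can be null here if the focus change above tore down the frame view.` — assuming that is the case, which the hunk itself does not show. setFocusedElement starts outside the hunk.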
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/TypingCommand.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/TypingCommand.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/TypingCommand.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2008, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -551,6 +551,8 @@
applyCommandToComposite(WTFMove(command), endingSelection());
+ Frame& frame = this->frame();
+ Ref<Frame> protector(frame);
typingAddedToOpenCommand(InsertText);
}
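Review bot: The protector is taken after `applyCommandToComposite(...)` has already run, so the frame is only kept alive across `typingAddedToOpenCommand`; if the composite command itself can trigger the layout or style work this patch guards against, `this->frame()` is evaluated after the danger, and should it dereference a frame pointer the document no longer holds, the protector comes too late. Moving the two lines above the `applyCommandToComposite` call, here and in the three hunks below for insertLineBreak, insertParagraphSeparator and insertParagraphSeparatorInQuotedContent, would widen the protected region. As a point of style, the intermediate `Frame& frame` only feeds the Ref, so `Ref<Frame> protector(this->frame());` would do, and this first hunk lacks the blank line the other three place before the protector. Each function's start lies outside its hunk.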
@@ -563,6 +565,9 @@
return;
applyCommandToComposite(InsertLineBreakCommand::create(document()));
+
+ Frame& frame = this->frame();
+ Ref<Frame> protector(frame);
typingAddedToOpenCommand(InsertLineBreak);
}
@@ -583,6 +588,9 @@
return;
applyCommandToComposite(InsertParagraphSeparatorCommand::create(document(), false, false, EditAction::TypingInsertParagraph));
+
+ Frame& frame = this->frame();
+ Ref<Frame> protector(frame);
typingAddedToOpenCommand(InsertParagraphSeparator);
}
@@ -607,6 +615,9 @@
}
applyCommandToComposite(BreakBlockquoteCommand::create(document()));
+
+ Frame& frame = this->frame();
+ Ref<Frame> protector(frame);
typingAddedToOpenCommand(InsertParagraphSeparatorInQuotedContent);
}
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/ios/EditorIOS.mm (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/ios/EditorIOS.mm 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/editing/ios/EditorIOS.mm 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -279,9 +279,14 @@
element.appendChild(createFragmentFromText(*context, dictationPhrasesBuilder.toString()));
+ auto weakElement = makeWeakPtr(element);
+
// We need a layout in order to add markers below.
document().updateLayout();
+ if (!weakElement)
+ return;
+
if (!element.firstChild()->isTextNode()) {
// Shouldn't happen.
ASSERT(element.firstChild()->isTextNode());
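Review bot: `weakElement` guards against the element being destroyed across `updateLayout()`, but the lines that follow still dereference `element.firstChild()` unchecked; the child appended just before the layout could be detached if the layout has side effects on the tree, and the `ASSERT` covers only the not-a-text-node case, never a null child. Consider `auto* firstChild = element.firstChild(); if (!firstChild || !firstChild->isTextNode())` in place of the existing condition. setDictationPhrasesAsChildOfElement continues outside the hunk.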
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLLabelElement.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLLabelElement.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLLabelElement.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll (kn...@kde.org)
* (C) 1999 Antti Koivisto (koivi...@kde.org)
* (C) 2001 Dirk Mueller (muel...@kde.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov (a...@nypop.com)
*
* This library is free software; you can redistribute it and/or
@@ -149,6 +149,7 @@
void HTMLLabelElement::focus(bool restorePreviousSelection, FocusDirection direction)
{
+ Ref<HTMLLabelElement> protectedThis(*this);
if (document().haveStylesheetsLoaded()) {
document().updateLayout();
if (isFocusable()) {
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLTextAreaElement.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLTextAreaElement.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLTextAreaElement.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll (kn...@kde.org)
* (C) 1999 Antti Koivisto (koivi...@kde.org)
* (C) 2001 Dirk Mueller (muel...@kde.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov (a...@nypop.com)
* Copyright (C) 2007 Samuel Weinig (s...@webkit.org)
*
@@ -223,6 +223,7 @@
if (name().isEmpty())
return false;
+ Ref<HTMLTextAreaElement> protectedThis(*this);
document().updateLayout();
formData.append(name(), m_wrap == HardWrap ? valueWithHardLineBreaks() : value());
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/html/ImageDocument.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/html/ImageDocument.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/html/ImageDocument.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2008, 2010, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -398,6 +398,9 @@
updateLayout();
+ if (!view())
+ return;
+
float scale = this->scale();
IntSize viewportSize = view()->visibleSize();
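Review bot: `view()` is called once for the guard and again two lines later for `visibleSize()`, with `this->scale()` executing in between, so the null check does not strictly cover the value that is used. Caching it, as the Document.cpp hunk in this same commit does with `auto* frameView = view()`, closes that gap: `auto* frameView = view(); if (!frameView) return;` and `IntSize viewportSize = frameView->visibleSize();`. imageClicked's body starts and ends outside the hunk.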
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/page/FrameView.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/page/FrameView.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/page/FrameView.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -3,7 +3,7 @@
* 1999 Lars Knoll <kn...@kde.org>
* 1999 Antti Koivisto <koivi...@kde.org>
* 2000 Dirk Mueller <muel...@kde.org>
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
* (C) 2006 Graham Dennis (graham.den...@gmail.com)
* (C) 2006 Alexey Proskuryakov (a...@nypop.com)
* Copyright (C) 2009 Google Inc. All rights reserved.
@@ -3512,6 +3512,7 @@
setHorizontalScrollbarLock(false);
setScrollbarModes(horizonalScrollbarMode, verticalScrollbarMode, true, true);
}
+ Ref<FrameView> protectedThis(*this);
// All the resizing above may have invalidated style (for example if viewport units are being used).
document->updateStyleIfNeeded();
// FIXME: Use the final layout's result as the content size (webkit.org/b/173561).
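Review bot: `protectedThis` keeps the FrameView alive, but `document` — obtained before the hunk — is not protected across `document->updateStyleIfNeeded()`; if it is a raw pointer, the style update can invalidate it just as it can invalidate the view, in which case `auto protectedDocument = makeRef(*document);` beside the new line would be the matching guard. The protector is also declared mid-function, right after a closing brace, with nothing saying what it guards; a comment such as `// The style update below may release this view.` would make the placement intentional. autoSizeIfEnabled starts and ends outside the hunk.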
@@ -4889,9 +4890,12 @@
String FrameView::trackedRepaintRectsAsText() const
{
- if (frame().document())
- frame().document()->updateLayout();
+ Frame& frame = this->frame();
+ Ref<Frame> protector(frame);
+ if (auto* document = frame.document())
+ document->updateLayout();
+
TextStream ts;
if (!m_trackedRepaintRects.isEmpty()) {
ts << "(repaint rects\n";
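Review bot: This hunk protects the Frame, whereas the autoSizeIfEnabled hunk above protects the FrameView itself; here `m_trackedRepaintRects` and the rest of `this` are read after `document->updateLayout()`, so the view's own lifetime matters too unless the Frame's ref is known to keep its view alive, which the hunk does not show. A comment stating that assumption, or protecting the view as the sibling hunk does, would make the two consistent. Note also that the local `frame` shadows the `frame()` accessor used on the removed lines, which reads oddly; `Ref<Frame> protector(this->frame());` with `protector->document()` avoids it. The function ends outside the hunk.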
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/page/PrintContext.cpp (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/page/PrintContext.cpp 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/page/PrintContext.cpp 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Alp Toker <a...@atoker.com>
- * Copyright (C) 2007, 2016 Apple Inc.
+ * Copyright (C) 2007-2019 Apple Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -316,6 +316,8 @@
ASSERT(frame);
ASSERT(frame->document());
+ Ref<Frame> protectedFrame(*frame);
+
auto& document = *frame->document();
PrintContext printContext(frame);
printContext.begin(800); // Any width is OK here.
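Review bot: `Ref<Frame> protectedFrame(*frame)` dereferences a pointer that is only `ASSERT`ed non-null, so in release builds a null `frame` now faults on the new line instead of on `*frame->document()` one line later; the asserts do not protect either. If callers can pass null, an early return yielding the function's empty result on `!frame || !frame->document()` is the robust form; otherwise taking `Frame&` as the two sibling hunks below (numberOfPages, spoolAllPagesWithBoundaries) already do would make the contract explicit. pageProperty's start lies outside the hunk.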
@@ -371,6 +373,8 @@
int PrintContext::numberOfPages(Frame& frame, const FloatSize& pageSizeInPixels)
{
+ Ref<Frame> protectedFrame(frame);
+
PrintContext printContext(&frame);
if (!printContext.beginAndComputePageRectsWithPageSize(frame, pageSizeInPixels))
return -1;
@@ -380,6 +384,8 @@
void PrintContext::spoolAllPagesWithBoundaries(Frame& frame, GraphicsContext& graphicsContext, const FloatSize& pageSizeInPixels)
{
+ Ref<Frame> protectedFrame(frame);
+
PrintContext printContext(&frame);
if (!printContext.beginAndComputePageRectsWithPageSize(frame, pageSizeInPixels))
return;
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/ChangeLog (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/ChangeLog 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/ChangeLog 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,3 +1,21 @@
+2019-05-28 Brent Fulgham <bfulg...@apple.com>
+ Protect frames during style and layout changes
+ https://bugs.webkit.org/show_bug.cgi?id=198047
+ <rdar://problem/50954082>
+
+ Reviewed by Zalan Bujtas.
+
+ Be more careful about the scope and lifetime of objects that participate in layout or
+ style updates. If a method decides a layout or style update is needed, it needs to
+ confirm that the elements it was operating on are still valid and needed in the
+ current operation.
+
+ * DOM/DOM.mm:
+ (-[DOMRange renderedImageForcingBlackText:renderedImageForcingBlackText:]):
+ * WebView/WebHTMLView.mm:
+ (-[WebHTMLView _selectionDraggingImage]):
+ (-[WebHTMLView selectionImageForcingBlackText:selectionImageForcingBlackText:]):
+
2019-04-03 Myles C. Maxfield <mmaxfi...@apple.com>
-apple-trailing-word is needed for browser detection
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/DOM/DOM.mm (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/DOM/DOM.mm 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/DOM/DOM.mm 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
* Copyright (C) 2006 James G. Speth (sp...@end.com)
* Copyright (C) 2006 Samuel Weinig (sam.wei...@gmail.com)
*
@@ -618,6 +618,8 @@
if (!frame)
return nil;
+ Ref<Frame> protectedFrame(*frame);
+
// iOS uses CGImageRef for drag images, which doesn't support separate logical/physical sizes.
#if PLATFORM(MAC)
RetainPtr<NSImage> renderedImage = createDragImageForRange(*frame, range, forceBlackText);
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm (246992 => 246993)
--- releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm 2019-07-01 11:03:32 UTC (rev 246992)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm 2019-07-01 11:03:41 UTC (rev 246993)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2019 Apple Inc. All rights reserved.
* (C) 2006, 2007 Graham Dennis (graham.den...@gmail.com)
*
* Redistribution and use in source and binary forms, with or without
@@ -2197,6 +2197,8 @@
if (!coreFrame)
return nil;
+ Ref<Frame> protectedCoreFrame(*coreFrame);
+
TextIndicatorData textIndicator;
auto dragImage = createDragImageForSelection(*coreFrame, textIndicator);
[dragImage _web_dissolveToFraction:WebDragImageAlpha];
@@ -6962,6 +6964,8 @@
if (!coreFrame)
return nil;
+ Ref<Frame> protectedCoreFrame(*coreFrame);
+
#if PLATFORM(IOS_FAMILY)
return selectionImage(coreFrame, forceBlackText);
#else