Title: [230570] branches/safari-605-branch
- Revision
- 230570
- Author
- kocsen_ch...@apple.com
- Date
- 2018-04-12 06:41:11 -0700 (Thu, 12 Apr 2018)
Log Message
Cherry-pick r230513. rdar://problem/39337459
FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/38055732>
Reviewed by Zalan Bujtas.
Source/WebCore:
In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
Test: editing/selection/iframe-update-selection-appearance.html
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::appearanceUpdateTimerFired):
LayoutTests:
Add a new layout test that passes if we didn't crash.
* editing/selection/iframe-update-selection-appearance-expected.txt: Added.
* editing/selection/iframe-update-selection-appearance.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc
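The protector idiom this commit applies, reduced to a runnable model (added here as an illustration; it is not WebKit code and the toy `Frame`, `Ref` and `FrameSelection` classes below are stand-ins for the real ones). The `detachFrameDuringLayout` flag simulates script removing the frame while layout runs underneath the appearance update: without the protector the update continues on a frame that has already been destroyed, with it the Frame outlives the call.

```cpp
#include <cstddef>

// Toy stand-in for a WebKit RefCounted object. "Destruction" just clears a flag
// so the example can observe whether work happened on a dead object.
class Frame {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) m_alive = false; }
    bool alive() const { return m_alive; }
    int appearanceUpdates = 0;
private:
    int m_refCount = 1;   // the frame tree's owning reference
    bool m_alive = true;
};

// Toy stand-in for WebKit's Ref<T>: ref() on construction, deref() on scope exit.
class Ref {
public:
    explicit Ref(Frame& f) : m_frame(f) { m_frame.ref(); }
    ~Ref() { m_frame.deref(); }
private:
    Frame& m_frame;
};

// Minimal model of the FrameSelection in the patch; m_frame is a raw pointer as in WebCore.
struct FrameSelection {
    Frame* m_frame;
    bool detachFrameDuringLayout;   // stands in for "arbitrary script removed the frame"

    // Returns false when the update ran on an already-destroyed frame
    // (in real code this is where the use-after-free would happen).
    bool updateAppearanceAfterLayoutOrStyleChange() {
        if (detachFrameDuringLayout)
            m_frame->deref();           // frame tree drops its owning reference mid-layout
        if (!m_frame->alive())
            return false;
        ++m_frame->appearanceUpdates;
        return true;
    }

    bool appearanceUpdateTimerFired(bool withProtector) {
        if (!withProtector)
            return updateAppearanceAfterLayoutOrStyleChange();   // pre-r230513 behaviour
        Ref protectedFrame(*m_frame);   // the fix: extra reference held until we return
        return updateAppearanceAfterLayoutOrStyleChange();
    }
};

// Fires the timer once against a frame that gets detached during the update.
bool timerFiredIsSafe(bool withProtector) {
    Frame frame;
    FrameSelection selection { &frame, true };
    return selection.appearanceUpdateTimerFired(withProtector);
}
```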
Diff
Modified: branches/safari-605-branch/LayoutTests/ChangeLog (230569 => 230570)
--- branches/safari-605-branch/LayoutTests/ChangeLog 2018-04-12 13:41:08 UTC (rev 230569)
+++ branches/safari-605-branch/LayoutTests/ChangeLog 2018-04-12 13:41:11 UTC (rev 230570)
@@ -1,3 +1,46 @@
+2018-04-11 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r230513. rdar://problem/39337459
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ Source/WebCore:
+
+ In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+ FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+ mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
+
+ Test: editing/selection/iframe-update-selection-appearance.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::appearanceUpdateTimerFired):
+
+ LayoutTests:
+
+ Add a new layout test that passes if we didn't crash.
+
+ * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+ * editing/selection/iframe-update-selection-appearance.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-10 Wenson Hsieh <wenson_hs...@apple.com>
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ Add a new layout test that passes if we didn't crash.
+
+ * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+ * editing/selection/iframe-update-selection-appearance.html: Added.
+
2018-04-05 Jason Marcell <jmarc...@apple.com>
Apply patch. rdar://problem/39191858
Added: branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt (0 => 230570)
--- branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt (rev 0)
+++ branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt 2018-04-12 13:41:11 UTC (rev 230570)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
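Review bot: the expectation records only the harness boilerplate, so nothing in this file says what the test checks; a `description()` call in the test stating that it passes if the appearance update does not crash would put that intent into the expected output and make a future regression easier to read.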
Added: branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance.html (0 => 230570)
--- branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance.html (rev 0)
+++ branches/safari-605-branch/LayoutTests/editing/selection/iframe-update-selection-appearance.html 2018-04-12 13:41:11 UTC (rev 230570)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <style>
+ body { -webkit-user-modify: read-only; }
+ </style>
+ <script src=""
+ <script>
+ function reconnectSubframe() {
+ document.body.appendChild(document.querySelector("iframe"));
+ }
+
+ function go() {
+ jsTestIsAsync = true;
+ if (window.finishJSTest)
+ setTimeout(() => setTimeout(finishJSTest));
+
+ getSelection().setPosition(document.body);
+
+ if (window.internals)
+ setTimeout(() => internals.setCaptionsStyleSheetOverride("* { }"));
+
+ reconnectSubframe();
+ }
+ </script>
+</head>
+
+<body _onload_="go()">
+ <iframe hidden="true"></iframe>
+ <embed type="foobar" _onbeforeload_="reconnectSubframe()"></embed>
+</body>
+</html>
\ No newline at end of file
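Review bot: the `<script src=""` tag at the top of `<head>` has no resource path and no closing `>`, and the handlers on `<body>` and `<embed>` appear as `_onload_` and `_onbeforeload_` rather than `onload`/`onbeforeload`. If this is what landed rather than an artefact of the mail rendering, the js-test harness is never loaded, so `finishJSTest` stays undefined and the test would time out instead of exercising the crash path; please confirm the committed file carries the harness script tag and the unmangled attribute names. The test also relies on `window.internals` to trigger the style-sheet override, so outside the test runner it only checks the reconnect-subframe half of the scenario, which is worth a comment.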
Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (230569 => 230570)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-04-12 13:41:08 UTC (rev 230569)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-04-12 13:41:11 UTC (rev 230570)
@@ -1,3 +1,50 @@
+2018-04-11 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r230513. rdar://problem/39337459
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ Source/WebCore:
+
+ In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+ FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+ mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
+
+ Test: editing/selection/iframe-update-selection-appearance.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::appearanceUpdateTimerFired):
+
+ LayoutTests:
+
+ Add a new layout test that passes if we didn't crash.
+
+ * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+ * editing/selection/iframe-update-selection-appearance.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-10 Wenson Hsieh <wenson_hs...@apple.com>
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+ FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+ mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
+
+ Test: editing/selection/iframe-update-selection-appearance.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::appearanceUpdateTimerFired):
+
2018-04-10 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r230467. rdar://problem/39317878
Modified: branches/safari-605-branch/Source/WebCore/editing/FrameSelection.cpp (230569 => 230570)
--- branches/safari-605-branch/Source/WebCore/editing/FrameSelection.cpp 2018-04-12 13:41:08 UTC (rev 230569)
+++ branches/safari-605-branch/Source/WebCore/editing/FrameSelection.cpp 2018-04-12 13:41:11 UTC (rev 230570)
@@ -2421,6 +2421,7 @@
void FrameSelection::appearanceUpdateTimerFired()
{
+ Ref<Frame> protectedFrame(*m_frame);
updateAppearanceAfterLayoutOrStyleChange();
}
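Review bot: `Ref<Frame> protectedFrame(*m_frame);` dereferences `m_frame` unconditionally; if this timer can fire on a FrameSelection whose `m_frame` is null (nothing in the ChangeLog says it cannot), that is a null dereference before the protector helps, so an `ASSERT(m_frame)` or early return would document the precondition. A one-line comment above the protector saying why it is needed (`updateAppearanceAfterLayoutOrStyleChange()` can run layout that runs script that removes the Frame, which `m_frame` does not own) would save the next reader a trip to the bug. Placement is right: the protector is constructed before the call and destroyed after it returns, so the Frame cannot be freed underneath the update.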
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes