Title: [210196] releases/WebKitGTK/webkit-2.14/Source
Revision: 210196
Author: [email protected]
Date: 2016-12-28 03:04:16 -0800 (Wed, 28 Dec 2016)

Log Message

Merge r208168 - Do a better job of protecting Frame objects in the context of JavaScript calls
https://bugs.webkit.org/show_bug.cgi?id=164163
<rdar://problem/28955249>

Reviewed by Darin Adler.

Source/WebCore:

* editing/AlternativeTextController.cpp:
(WebCore::AlternativeTextController::respondToUnappliedSpellCorrection): Protected the Frame.
* editing/Editor.cpp:
(WebCore::Editor::setTextAsChildOfElement): Ditto.
* editing/EditorCommand.cpp:
(WebCore::executeSwapWithMark): Ditto.
* editing/TypingCommand.cpp:
(WebCore::TypingCommand::deleteKeyPressed): Ditto.
(WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto.
* editing/mac/EditorMac.mm:
(WebCore::Editor::replaceNodeFromPasteboard): Ditto.
* page/ContextMenuController.cpp:
(WebCore::ContextMenuController::contextMenuItemSelected): Ditto.
* page/DOMSelection.cpp:
(WebCore::DOMSelection::collapse): Ditto.
(WebCore::DOMSelection::collapseToEnd): Ditto.
(WebCore::DOMSelection::collapseToStart): Ditto.
(WebCore::DOMSelection::setBaseAndExtent): Ditto.
(WebCore::DOMSelection::setPosition): Ditto.
(WebCore::DOMSelection::modify): Ditto.
(WebCore::DOMSelection::extend): Ditto.
(WebCore::DOMSelection::addRange): Ditto.
(WebCore::DOMSelection::deleteFromDocument): Ditto.
* page/DragController.cpp:
(WebCore::setSelectionToDragCaret): Ditto.
(WebCore::DragController::startDrag): Ditto.
* page/Frame.cpp:
(WebCore::Frame::checkOverflowScroll): Ditto.
* page/TextIndicator.cpp:
(WebCore::TextIndicator::createWithRange): Ditto.

Source/WebKit2:

* WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
(WebKit::InjectedBundleRangeHandle::renderedImage): Protected the Frame.
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::insertTextAsync): Ditto.
(WebKit::WebPage::setComposition): Ditto.
* WebProcess/WebPage/mac/WebPageMac.mm:
(WebKit::WebPage::insertDictatedTextAsync): Ditto.

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,3 +1,42 @@
+2016-10-28  Brent Fulgham  <[email protected]>
+
+        Do a better job of protecting Frame objects in the context of _javascript_ calls
+        https://bugs.webkit.org/show_bug.cgi?id=164163
+        <rdar://problem/28955249>
+
+        Reviewed by Darin Adler.
+
+        * editing/AlternativeTextController.cpp:
+        (WebCore::AlternativeTextController::respondToUnappliedSpellCorrection): Protected the Frame.
+        * editing/Editor.cpp:
+        (WebCore::Editor::setTextAsChildOfElement): Ditto.
+        * editing/EditorCommand.cpp:
+        (WebCore::executeSwapWithMark): Ditto.
+        * editing/TypingCommand.cpp:
+        (WebCore::TypingCommand::deleteKeyPressed): Ditto.
+        (WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto.
+        * editing/mac/EditorMac.mm:
+        (WebCore::Editor::replaceNodeFromPasteboard): Ditto.
+        * page/ContextMenuController.cpp:
+        (WebCore::ContextMenuController::contextMenuItemSelected): Ditto.
+        * page/DOMSelection.cpp:
+        (WebCore::DOMSelection::collapse): Ditto.
+        (WebCore::DOMSelection::collapseToEnd): Ditto.
+        (WebCore::DOMSelection::collapseToStart): Ditto.
+        (WebCore::DOMSelection::setBaseAndExtent): Ditto.
+        (WebCore::DOMSelection::setPosition): Ditto.
+        (WebCore::DOMSelection::modify): Ditto.
+        (WebCore::DOMSelection::extend): Ditto.
+        (WebCore::DOMSelection::addRange): Ditto.
+        (WebCore::DOMSelection::deleteFromDocument): Ditto.
+        * page/DragController.cpp:
+        (WebCore::setSelectionToDragCaret): Ditto.
+        (WebCore::DragController::startDrag): Ditto.
+        * page/Frame.cpp:
+        (WebCore::Frame::checkOverflowScroll): Ditto.
+        * page/TextIndicator.cpp:
+        (WebCore::TextIndicator::createWithRange): Ditto.
+
 2016-10-27  Brent Fulgham  <[email protected]>
 
         Prevent hit tests from being performed on an invalid render tree
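
Review bot: The editing/Editor.cpp entry in this ChangeLog lists only Editor::setTextAsChildOfElement, but the Editor.cpp hunks in this patch add the protector to setComposition, advanceToNextMisspelling, markMisspellingsAfterTypingToWord, markAndReplaceFor, changeSelectionAfterCommand and findString, and none of them touches setTextAsChildOfElement. Please update the entry to name the functions actually changed, so the log can be used to audit which entry points are covered.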

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/AlternativeTextController.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/AlternativeTextController.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/AlternativeTextController.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -317,6 +317,8 @@
 {
     if (AlternativeTextClient* client = alternativeTextClient())
         client->recordAutocorrectionResponse(AutocorrectionReverted, corrected, correction);
+
+    Ref<Frame> protector(m_frame);
     m_frame.document()->updateLayout();
     m_frame.selection().setSelection(selectionOfCorrected, FrameSelection::defaultSetSelectionOptions() | FrameSelection::SpellCorrectionTriggered);
     RefPtr<Range> range = Range::create(*m_frame.document(), m_frame.selection().selection().start(), m_frame.selection().selection().end());
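
Review bot: In respondToUnappliedSpellCorrection the protector only pins the Frame; m_frame.document() is still dereferenced unchecked on the updateLayout() line and again in Range::create(*m_frame.document(), ...) after setSelection() has run. Ref<Frame> keeps the Frame object alive but guarantees nothing about its document, so consider taking the document once into a RefPtr<Document> with a null check and using that for both calls.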

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/Editor.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/Editor.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/Editor.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2011, 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2011, 2013-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1786,6 +1786,8 @@
 
 void Editor::setComposition(const String& text, const Vector<CompositionUnderline>& underlines, unsigned selectionStart, unsigned selectionEnd)
 {
+    Ref<Frame> protection(m_frame);
+
     UserTypingGestureIndicator typingGestureIndicator(m_frame);
 
     setIgnoreCompositionSelectionChange(true);
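
Review bot: The local is named protection in this and the other Editor.cpp hunks, while every other file in the patch calls it protector (and Frame.cpp uses protectedThis for this). Use one name for the pattern, e.g. Ref<Frame> protector(m_frame);, so the guard is easy to grep for when checking which functions have it.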
@@ -1919,6 +1921,8 @@
 #if !PLATFORM(IOS)
 void Editor::advanceToNextMisspelling(bool startBeforeSelection)
 {
+    Ref<Frame> protection(m_frame);
+
     // The basic approach is to search in two phases - from the selection end to the end of the doc, and
     // then we wrap and search from the doc start to (approximately) where we started.
     
@@ -2237,6 +2241,8 @@
 
 void Editor::markMisspellingsAfterTypingToWord(const VisiblePosition &wordStart, const VisibleSelection& selectionAfterTyping, bool doReplacement)
 {
+    Ref<Frame> protection(m_frame);
+
 #if PLATFORM(IOS)
     UNUSED_PARAM(selectionAfterTyping);
     UNUSED_PARAM(doReplacement);
@@ -2487,6 +2493,7 @@
 
 void Editor::markAndReplaceFor(PassRefPtr<SpellCheckRequest> request, const Vector<TextCheckingResult>& results)
 {
+    Ref<Frame> protection(m_frame);
     ASSERT(request);
 
     TextCheckingTypeMask textCheckingOptions = request->data().mask();
@@ -2945,6 +2952,8 @@
 
 void Editor::changeSelectionAfterCommand(const VisibleSelection& newSelection, FrameSelection::SetSelectionOptions options)
 {
+    Ref<Frame> protection(m_frame);
+
     // If the new selection is orphaned, then don't update the selection.
     if (newSelection.start().isOrphan() || newSelection.end().isOrphan())
         return;
@@ -3135,6 +3144,8 @@
 
 bool Editor::findString(const String& target, FindOptions options)
 {
+    Ref<Frame> protection(m_frame);
+
     VisibleSelection selection = m_frame.selection().selection();
 
     RefPtr<Range> resultRange = rangeOfString(target, selection.firstRange().get(), options);

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/EditorCommand.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/EditorCommand.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/EditorCommand.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2014, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2009 Igalia S.L.
  *
@@ -1061,6 +1061,7 @@
 
 static bool executeSwapWithMark(Frame& frame, Event*, EditorCommandSource, const String&)
 {
+    Ref<Frame> protector(frame);
     const VisibleSelection& mark = frame.editor().mark();
     const VisibleSelection& selection = frame.selection().selection();
     if (mark.isNone() || selection.isNone()) {

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/TypingCommand.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/TypingCommand.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/TypingCommand.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc.  All rights reserved.
+ * Copyright (C) 2005-2008, 2016 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -480,6 +480,7 @@
 void TypingCommand::deleteKeyPressed(TextGranularity granularity, bool shouldAddToKillRing)
 {
     Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
 
     frame.editor().updateMarkersForWordsAffectedByEditing(false);
 
@@ -593,6 +594,7 @@
 void TypingCommand::forwardDeleteKeyPressed(TextGranularity granularity, bool shouldAddToKillRing)
 {
     Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
 
     frame.editor().updateMarkersForWordsAffectedByEditing(false);
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/mac/EditorMac.mm (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/mac/EditorMac.mm	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/editing/mac/EditorMac.mm	2016-12-28 11:04:16 UTC (rev 210196)
@@ -259,6 +259,7 @@
     if (&node->document() != m_frame.document())
         return;
 
+    Ref<Frame> protector(m_frame);
     RefPtr<Range> range = Range::create(node->document(), Position(node, Position::PositionIsBeforeAnchor), Position(node, Position::PositionIsAfterAnchor));
     m_frame.selection().setSelection(VisibleSelection(*range), FrameSelection::DoNotSetFocus);
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ContextMenuController.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ContextMenuController.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ContextMenuController.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Igalia S.L
  *
  * Redistribution and use in source and binary forms, with or without
@@ -223,6 +223,8 @@
     if (!frame)
         return;
 
+    Ref<Frame> protector(*frame);
+
     switch (action) {
     case ContextMenuItemTagOpenLinkInNewWindow:
         openNewWindow(m_context.hitTestResult().absoluteLinkURL(), frame, ShouldOpenExternalURLsPolicy::ShouldAllowExternalSchemes);

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2009, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -196,6 +196,7 @@
         return;
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(node, offset), DOWNSTREAM);
 }
 
@@ -211,6 +212,7 @@
         return;
     }
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(selection.end(), DOWNSTREAM);
 }
 
@@ -226,6 +228,7 @@
         return;
     }
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(selection.start(), DOWNSTREAM);
 }
 
@@ -245,6 +248,7 @@
         return;
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(baseNode, baseOffset), createLegacyEditingPosition(extentNode, extentOffset), DOWNSTREAM);
 }
 
@@ -257,6 +261,7 @@
         return;
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().moveTo(createLegacyEditingPosition(node, offset), DOWNSTREAM);
 }
 
@@ -307,6 +312,7 @@
     else
         return;
 
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().modify(alter, direction, granularity);
 }
 
@@ -324,6 +330,7 @@
         return;
 
     // FIXME: Eliminate legacy editing positions
+    Ref<Frame> protector(*m_frame);
     m_frame->selection().setExtent(createLegacyEditingPosition(&node, offset), DOWNSTREAM);
 }
 
@@ -361,6 +368,8 @@
     if (!m_frame)
         return;
 
+    Ref<Frame> protector(*m_frame);
+
     FrameSelection& selection = m_frame->selection();
     if (selection.isNone()) {
         selection.moveTo(&range);
@@ -411,6 +420,7 @@
     if (!selectedRange)
         return;
 
+    Ref<Frame> protector(*m_frame);
     selectedRange->deleteContents(ASSERT_NO_EXCEPTION);
 
     setBaseAndExtent(&selectedRange->startContainer(), selectedRange->startOffset(), &selectedRange->startContainer(), selectedRange->startOffset());
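
Review bot: In this hunk the protector is built from *m_frame, yet the only guard visible in the context is the selectedRange check, so please confirm m_frame is null-checked earlier in the function before it is dereferenced here. The guard is also taken only after selectedRange has been obtained; moving it up next to the m_frame check would cover the whole body rather than just the deleteContents() and setBaseAndExtent() calls.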

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DragController.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DragController.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DragController.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2009, 2010, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2009-2010, 2013, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -433,6 +433,7 @@
 
 static bool setSelectionToDragCaret(Frame* frame, VisibleSelection& dragCaret, RefPtr<Range>& range, const IntPoint& point)
 {
+    Ref<Frame> protector(*frame);
     frame->selection().setSelection(dragCaret);
     if (frame->selection().selection().isNone()) {
         dragCaret = frame->visiblePositionForPoint(point);
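
Review bot: setSelectionToDragCaret dereferences its Frame* parameter in its first statement (Ref<Frame> protector(*frame);) with no null check, so a null frame is never valid here. Either take Frame& as executeSwapWithMark does in this patch, or add ASSERT(frame) above the protector to document the precondition.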
@@ -753,6 +754,7 @@
     if (!src.view() || !src.contentRenderer() || !state.source)
         return false;
 
+    Ref<Frame> protector(src);
     HitTestResult hitTestResult = src.eventHandler().hitTestResultAtPoint(dragOrigin, HitTestRequest::ReadOnly | HitTestRequest::Active);
 
     // FIXME(136836): Investigate whether all elements should use the containsIncludingShadowDOM() path here.

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/Frame.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/Frame.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/Frame.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -604,6 +604,8 @@
         }
     }
 
+    Ref<Frame> protectedThis(*this);
+
     if (action == PerformOverflowScroll && (deltaX || deltaY)) {
         layer->scrollToOffset(layer->scrollOffset() + IntSize(deltaX, deltaY));
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/TextIndicator.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/TextIndicator.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/TextIndicator.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -69,6 +69,8 @@
     if (!frame)
         return nullptr;
 
+    Ref<Frame> protector(*frame);
+
 #if PLATFORM(IOS)
     frame->editor().setIgnoreCompositionSelectionChange(true);
     frame->selection().setUpdateAppearanceEnabled(true);

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,3 +1,19 @@
+2016-10-28  Brent Fulgham  <[email protected]>
+
+        Do a better job of protecting Frame objects in the context of _javascript_ calls
+        https://bugs.webkit.org/show_bug.cgi?id=164163
+        <rdar://problem/28955249>
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
+        (WebKit::InjectedBundleRangeHandle::renderedImage): Protected the Frame.
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::insertTextAsync): Ditto.
+        (WebKit::WebPage::setComposition): Ditto.
+        * WebProcess/WebPage/mac/WebPageMac.mm:
+        (WebKit::WebPage::insertDictatedTextAsync): Ditto.
+
 2016-10-21  David Kilzer  <[email protected]>
 
         Bug 163762: IntSize::area() should used checked arithmetic

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -114,6 +114,8 @@
     if (!frameView)
         return nullptr;
 
+    Ref<Frame> protector(*frame);
+
     VisibleSelection oldSelection = frame->selection().selection();
     frame->selection().setSelection(VisibleSelection(*m_range));
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2016-12-28 11:04:16 UTC (rev 210196)
@@ -4565,6 +4565,7 @@
 {
     Frame& frame = m_page->focusController().focusedOrMainFrame();
 
+    Ref<Frame> protector(frame);
     if (replacementEditingRange.location != notFound) {
         RefPtr<Range> replacementRange = rangeFromEditingRange(frame, replacementEditingRange, static_cast<EditingRangeIsRelativeTo>(editingRangeIsRelativeTo));
         if (replacementRange)
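
Review bot: Style nit on the added line: the protector sits directly on top of the if (replacementEditingRange.location != notFound) block with no separating blank line, unlike the same change in WebPageMac.mm. Put it right under the Frame& frame declaration and leave a blank line before the if, so the declaration and its guard read as one unit.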
@@ -4727,6 +4728,8 @@
         return;
     }
 
+    Ref<Frame> protector(*targetFrame);
+
     if (replacementLength > 0) {
         // The layout needs to be uptodate before setting a selection
         targetFrame->document()->updateLayout();

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/mac/WebPageMac.mm (210195 => 210196)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/mac/WebPageMac.mm	2016-12-28 10:37:07 UTC (rev 210195)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/WebPage/mac/WebPageMac.mm	2016-12-28 11:04:16 UTC (rev 210196)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2011, 2012, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2012, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -310,6 +310,8 @@
 {
     Frame& frame = m_page->focusController().focusedOrMainFrame();
 
+    Ref<Frame> protector(frame);
+
     if (replacementEditingRange.location != notFound) {
         RefPtr<Range> replacementRange = rangeFromEditingRange(frame, replacementEditingRange);
         if (replacementRange)