Title: [217454] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (217453 => 217454)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-05-25 22:20:14 UTC (rev 217453)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-05-25 22:29:43 UTC (rev 217454)
@@ -1,3 +1,19 @@
+2017-05-25  Jason Marcell  <[email protected]>
+
+        Cherry-pick r217439. rdar://problem/32089229
+
+    2017-05-24  Jiewen Tan  <[email protected]>
+
+            Crash on WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance + 1195
+            https://bugs.webkit.org/show_bug.cgi?id=172555
+            <rdar://problem/32004724>
+
+            Reviewed by Ryosuke Niwa.
+
+            * editing/selection/resources/select-iframe-focusin-document-crash-frame.html: Added.
+            * editing/selection/select-iframe-focusin-document-crash-expected.txt: Added.
+            * editing/selection/select-iframe-focusin-document-crash.html: Added.
+
 2017-05-24  Jason Marcell  <[email protected]>
 
         Cherry-pick r217172. rdar://problem/32380123

Added: branches/safari-603-branch/LayoutTests/editing/selection/resources/select-iframe-focusin-document-crash-frame.html (0 => 217454)


--- branches/safari-603-branch/LayoutTests/editing/selection/resources/select-iframe-focusin-document-crash-frame.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/editing/selection/resources/select-iframe-focusin-document-crash-frame.html	2017-05-25 22:29:43 UTC (rev 217454)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    </head>
+    <body>
+        <input id='input'></input>
+    </body>
+</html>
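Review bot: The `</input>` end tag on the `<input id='input'></input>` line is invalid markup, since input is a void element and takes no end tag; the parser ignores it, but `<input id='input'>` alone is the cleaner form for a test resource. The empty `<head>` block can be dropped as well.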

Added: branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash-expected.txt (0 => 217454)


--- branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash-expected.txt	2017-05-25 22:29:43 UTC (rev 217454)
@@ -0,0 +1 @@
+Test passes if WebKit doesn't crash.

Added: branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash.html (0 => 217454)


--- branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/editing/selection/select-iframe-focusin-document-crash.html	2017-05-25 22:29:43 UTC (rev 217454)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <script>
+        function testcase()
+        {
+            if (window.testRunner) {
+                testRunner.dumpAsText();
+                testRunner.waitUntilDone();
+            }
+            document.designMode = 'on';
+            setTimeout(run, 0);
+        }
+        function run()
+        {
+            var iframe = document.getElementById("iframe");
+            window.addEventListener('focusin', eventHandle);
+            var element = iframe.contentWindow.document.getElementById("input");
+            element.value = 'demo';
+            element.selectionStart = 0;
+        }
+        function eventHandle(event)
+        {
+            body.innerText = "Test passes if WebKit doesn't crash.";
+            setTimeout(finish, 0);
+        }
+        function finish()
+        {
+            if (window.testRunner)
+                testRunner.notifyDone();
+        }
+        </script>
+    </head>
+    <body _onload_='testcase();' id='body' >
+        <iframe id='iframe' src=''></iframe>
+    </body>
+</html>
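Review bot: eventHandle() removes the iframe only as a side effect of `body.innerText = ...`, and nothing in the test says that tearing the frame down inside the focusin handler is the condition being exercised; add a one-line comment there and use `document.body` rather than the implicit `body` global that comes from `id='body'`. In run(), `element` is used without a null check, so if the frame's input is not found the test ends in a script error or a waitUntilDone() timeout rather than a clear failure. As this hunk reads on the page, the body attribute is `_onload_` and the iframe `src` is empty, which would keep testcase() from running and the resource frame from loading; compare both against the committed file.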

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (217453 => 217454)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-05-25 22:20:14 UTC (rev 217453)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-05-25 22:29:43 UTC (rev 217454)
@@ -1,3 +1,24 @@
+2017-05-25  Jason Marcell  <[email protected]>
+
+        Cherry-pick r217439. rdar://problem/32089229
+
+    2017-05-24  Jiewen Tan  <[email protected]>
+
+            Crash on WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance + 1195
+            https://bugs.webkit.org/show_bug.cgi?id=172555
+            <rdar://problem/32004724>
+
+            Reviewed by Ryosuke Niwa.
+
+            setSelectionWithoutUpdatingAppearance could dispatch a synchronous focusin event,
+            which could invoke an event handler that deteles the frame. Therefore, add a
+            protector before the call.
+
+            Test: editing/selection/select-iframe-focusin-document-crash.html
+
+            * editing/FrameSelection.cpp:
+            (WebCore::FrameSelection::setSelection):
+
 2017-05-25  Matthew Hanson  <[email protected]>
 
         Cherry-pick r217392. rdar://problem/32391206
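Review bot: "deteles" in the description should read "deletes". The entry title names setSelectionWithoutUpdatingAppearance while the function list names setSelection; a short per-function comment after `(WebCore::FrameSelection::setSelection):` saying that the Frame is protected across the call would tie the two together.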

Modified: branches/safari-603-branch/Source/WebCore/editing/FrameSelection.cpp (217453 => 217454)


--- branches/safari-603-branch/Source/WebCore/editing/FrameSelection.cpp	2017-05-25 22:20:14 UTC (rev 217453)
+++ branches/safari-603-branch/Source/WebCore/editing/FrameSelection.cpp	2017-05-25 22:29:43 UTC (rev 217454)
@@ -333,6 +333,7 @@
 
 void FrameSelection::setSelection(const VisibleSelection& selection, SetSelectionOptions options, AXTextStateChangeIntent intent, CursorAlignOnScroll align, TextGranularity granularity)
 {
+    RefPtr<Frame> protectedFrame(m_frame);
     if (!setSelectionWithoutUpdatingAppearance(selection, options, align, granularity))
         return;
 
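Review bot: `RefPtr<Frame> protectedFrame(m_frame);` at the top of setSelection() keeps the Frame object alive, but it does not keep the frame attached, so whatever runs after the early `return;` once the focusin handler has removed the frame needs to tolerate a detached frame; those lines are outside this hunk and worth checking. The protector also covers `this` only if the Frame owns this FrameSelection, which the hunk does not show. A one-line comment above the protector stating that setSelectionWithoutUpdatingAppearance() can dispatch focusin synchronously would record why it is there.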
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
