Title: [227301] branches/safari-605-branch

Diff

Modified: branches/safari-605-branch/LayoutTests/ChangeLog (227300 => 227301)


--- branches/safari-605-branch/LayoutTests/ChangeLog	2018-01-22 17:56:59 UTC (rev 227300)
+++ branches/safari-605-branch/LayoutTests/ChangeLog	2018-01-22 17:57:02 UTC (rev 227301)
@@ -1,3 +1,18 @@
+2018-01-22  Jason Marcell  <[email protected]>
+
+        Cherry-pick r227082. rdar://problem/36722629
+
+    2018-01-17  Antti Koivisto  <[email protected]>
+
+            REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+            https://bugs.webkit.org/show_bug.cgi?id=181742
+            <rdar://problem/36334726>
+
+            Reviewed by David Kilzer.
+
+            * fast/media/mediaqueryevaluator-crash-expected.txt: Added.
+            * fast/media/mediaqueryevaluator-crash.html: Added.
+
 2018-01-17  Jason Marcell  <[email protected]>
 
         Cherry-pick r227121. rdar://problem/36609529

Added: branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt (0 => 227301)


--- branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt	                        (rev 0)
+++ branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash-expected.txt	2018-01-22 17:57:02 UTC (rev 227301)
@@ -0,0 +1 @@
+PASS

Added: branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash.html (0 => 227301)


--- branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash.html	                        (rev 0)
+++ branches/safari-605-branch/LayoutTests/fast/media/mediaqueryevaluator-crash.html	2018-01-22 17:57:02 UTC (rev 227301)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<iframe id="webtest0"></iframe>
+<script id="webtest1">
+if (window.testRunner)
+    testRunner.dumpAsText();
+framedoc = frames[0].document.documentElement;
+document.body.innerText = 'PASS';
+framedoc.innerHTML = '<title>';
+framedoc.getElementsByTagName('title')[0].innerText = 'a';
+</script>

Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (227300 => 227301)


--- branches/safari-605-branch/Source/WebCore/ChangeLog	2018-01-22 17:56:59 UTC (rev 227300)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog	2018-01-22 17:57:02 UTC (rev 227301)
@@ -1,5 +1,34 @@
 2018-01-22  Jason Marcell  <[email protected]>
 
+        Cherry-pick r227082. rdar://problem/36722629
+
+    2018-01-17  Antti Koivisto  <[email protected]>
+
+            REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32
+            https://bugs.webkit.org/show_bug.cgi?id=181742
+            <rdar://problem/36334726>
+
+            Reviewed by David Kilzer.
+
+            Test: fast/media/mediaqueryevaluator-crash.html
+
+            * css/MediaQueryEvaluator.cpp:
+            (WebCore::MediaQueryEvaluator::MediaQueryEvaluator):
+
+            Use WeakPtr<Document> instead of a plain Frame pointer.
+
+            (WebCore::MediaQueryEvaluator::evaluate const):
+
+            Get the frame via document.
+
+            * css/MediaQueryEvaluator.h:
+            * dom/Document.cpp:
+            (WebCore::Document::prepareForDestruction):
+
+            Take care to clear style resolver.
+
+2018-01-22  Jason Marcell  <[email protected]>
+
         Cherry-pick r227079. rdar://problem/36722442
 
     2018-01-17  Youenn Fablet  <[email protected]>

Modified: branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.cpp (227300 => 227301)


--- branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.cpp	2018-01-22 17:56:59 UTC (rev 227300)
+++ branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.cpp	2018-01-22 17:57:02 UTC (rev 227301)
@@ -109,7 +109,7 @@
 
 MediaQueryEvaluator::MediaQueryEvaluator(const String& acceptedMediaType, const Document& document, const RenderStyle* style)
     : m_mediaType(acceptedMediaType)
-    , m_frame(document.frame())
+    , m_document(const_cast<Document&>(document).createWeakPtr())
     , m_style(style)
 {
 }
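Review bot: The `const_cast<Document&>(document).createWeakPtr()` in the initializer list strips constness from a caller-supplied `const Document&` with no explanation of why that is sound, which is the kind of cast a later reader will treat as suspicious. Presumably `createWeakPtr()` is non-const on this branch and the evaluator only ever observes the document's lifetime rather than mutating it through the weak pointer, but the constructor does not say so. I would add a one-line why-comment on that initializer, e.g. `// const_cast: createWeakPtr() is non-const; the evaluator only needs the Document's lifetime, not write access.`, or, if the WeakPtr factory offers a const path, use it instead of the cast.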
@@ -137,7 +137,7 @@
 
 bool MediaQueryEvaluator::evaluate(const MediaQuerySet& querySet, StyleResolver* styleResolver) const
 {
-    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_frame && m_frame->document() ? m_frame->document()->url().string() : emptyString()));
+    LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryEvaluator::evaluate on " << (m_document ? m_document->url().string() : emptyString()));
 
     auto& queries = querySet.queryVector();
     if (!queries.size()) {
@@ -769,9 +769,14 @@
 
 bool MediaQueryEvaluator::evaluate(const MediaQueryExpression& _expression_) const
 {
-    if (!m_frame || !m_frame->view() || !m_style)
+    if (!m_document)
         return m_fallbackResult;
 
+    Document& document = *m_document;
+    auto* frame = document.frame();
+    if (!frame || !frame->view() || !m_style)
+        return m_fallbackResult;
+
     if (!_expression_.isValid())
         return false;
 
@@ -787,10 +792,9 @@
     if (!function)
         return false;
 
-    Document& document = *m_frame->document();
     if (!document.documentElement())
         return false;
-    return function(_expression_.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *m_frame, NoPrefix);
+    return function(_expression_.value(), { m_style, document.documentElement()->renderStyle(), document.renderView(), 1, false }, *frame, NoPrefix);
 }
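Review bot: The rewrite moves the frame dependency behind a `WeakPtr<Document>`, but `m_style` is still a raw, unowned `const RenderStyle*` checked only for null at the `if (!frame || !frame->view() || !m_style)` line, so a freed style would pass that check exactly as the old dangling `m_frame` did; this is worth stating explicitly since the commit is fixing that class of bug. I would document the surviving lifetime contract where `m_style` is first used, e.g. `// m_style is borrowed; the owning StyleResolver must outlive this evaluator (cleared in Document::prepareForDestruction).`, hedged as I cannot see where `m_style` is owned from this hunk. Stylistically, the two consecutive `return m_fallbackResult;` guards could be collapsed into one condition now that `frame` is derived from `document`, e.g. `auto* frame = m_document ? m_document->frame() : nullptr; if (!frame || !frame->view() || !m_style) return m_fallbackResult;`, keeping `Document& document = *m_document;` after the guard.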
 
 bool MediaQueryEvaluator::mediaAttributeMatches(Document& document, const String& attributeValue)

Modified: branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.h (227300 => 227301)


--- branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.h	2018-01-22 17:56:59 UTC (rev 227300)
+++ branches/safari-605-branch/Source/WebCore/css/MediaQueryEvaluator.h	2018-01-22 17:57:02 UTC (rev 227301)
@@ -28,6 +28,7 @@
 #pragma once
 
 #include "MediaQueryExpression.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -74,7 +75,7 @@
 
 private:
     String m_mediaType;
-    Frame* m_frame { nullptr }; // not owned
+    WeakPtr<Document> m_document;
     const RenderStyle* m_style { nullptr };
     bool m_fallbackResult { false };
 };
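Review bot: The replaced member loses the `// not owned` annotation that `m_frame` carried, and the new `WeakPtr<Document> m_document;` says nothing about why a weak pointer is needed here, while the neighbouring `m_style` still advertises itself as unowned without any statement of who must keep it alive. I would annotate both members so the lifetime contract is visible at the declaration, e.g. `WeakPtr<Document> m_document; // may outlive the Document's Frame; always null-check before use` and `const RenderStyle* m_style { nullptr }; // not owned; must outlive this evaluator`. The second comment is a hedge on my part, since the owner of the RenderStyle is not visible in this hunk and should be confirmed against the StyleResolver code.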

Modified: branches/safari-605-branch/Source/WebCore/dom/Document.cpp (227300 => 227301)


--- branches/safari-605-branch/Source/WebCore/dom/Document.cpp	2018-01-22 17:56:59 UTC (rev 227300)
+++ branches/safari-605-branch/Source/WebCore/dom/Document.cpp	2018-01-22 17:57:02 UTC (rev 227301)
@@ -2361,6 +2361,8 @@
     if (m_domWindow && m_frame)
         m_domWindow->willDetachDocumentFromFrame();
 
+    styleScope().clearResolver();
+
     if (hasLivingRenderTree())
         destroyRenderTree();
 