Title: [227400] branches/safari-605-branch/Source/WebCore
- Revision
- 227400
- Author
- [email protected]
- Date
- 2018-01-22 22:42:41 -0800 (Mon, 22 Jan 2018)
Log Message
Cherry-pick r227357. rdar://problem/36763204
Modified Paths
Diff
Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (227399 => 227400)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-23 06:42:38 UTC (rev 227399)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-23 06:42:41 UTC (rev 227400)
@@ -1,5 +1,32 @@
2018-01-22 Jason Marcell <[email protected]>
+ Cherry-pick r227357. rdar://problem/36763204
+
+ 2018-01-22 Per Arne Vollan <[email protected]>
+
+ [Win] Null pointer crash under WebCore::RenderStyle::colorIncludingFallback.
+ https://bugs.webkit.org/show_bug.cgi?id=181801
+ <rdar://problem/35614900>
+
+ Reviewed by Brent Fulgham.
+
+ Do not paint synchronously when popup items have been added or changed while the popup is visible.
+ If new popup items have been added after the popup was shown, a synchronous paint operation will
+ possibly access their style before it is ready, leading to a null pointer crash. The invalidated
+ area will be painted asynchronously.
+
+ No new tests. To reproduce this crash, it is necessary to open a popup with _javascript_, add new
+ popup items, and then end the test. Opening the popup can be done by sending a mousedown event
+ with the eventsender. However, on Windows the mousedown event is sent synchronously, and will
+ block as long as the popup is open and running the popup event loop. This means no JS can be
+ executed until the popup is closed, causing the test to always time out before new popup items
+ can be added. I have verified the fix with a manual test case.
+
+ * platform/win/PopupMenuWin.cpp:
+ (WebCore::PopupMenuWin::updateFromElement):
+
+2018-01-22 Jason Marcell <[email protected]>
+
Cherry-pick r227353. rdar://problem/36763011
2018-01-22 Chris Dumez <[email protected]>
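Review bot: the "No new tests" paragraph in the new ChangeLog entry explains why an automated layout test is not feasible (on Windows the eventsender's synchronous mousedown blocks in the popup event loop, so no JS runs until the popup closes), but the manual test case the author says was used to verify the fix is not checked in or referenced anywhere; consider committing it as a manual test or linking it from https://bugs.webkit.org/show_bug.cgi?id=181801 so the crash fix stays reproducible for anyone touching PopupMenuWin later.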
Modified: branches/safari-605-branch/Source/WebCore/platform/win/PopupMenuWin.cpp (227399 => 227400)
--- branches/safari-605-branch/Source/WebCore/platform/win/PopupMenuWin.cpp 2018-01-23 06:42:38 UTC (rev 227399)
+++ branches/safari-605-branch/Source/WebCore/platform/win/PopupMenuWin.cpp 2018-01-23 06:42:41 UTC (rev 227400)
@@ -572,8 +572,7 @@
m_focusedIndex = client()->selectedIndex();
::InvalidateRect(m_popup, 0, TRUE);
- if (!scrollToRevealSelection())
- ::UpdateWindow(m_popup);
+ scrollToRevealSelection();
}
const int separatorPadding = 4;
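Review bot: the replacement of the `if (!scrollToRevealSelection()) ::UpdateWindow(m_popup);` pair with a bare `scrollToRevealSelection();` carries no comment at the call site, so the reason the paint must now stay asynchronous (per the ChangeLog, a synchronous paint can touch the style of items added while the popup is visible before that style is ready, giving the null pointer crash under RenderStyle::colorIncludingFallback) is only recoverable from the ChangeLog, and a later change could reintroduce `::UpdateWindow` to fix perceived repaint lag. Suggest a one-line comment above the call, e.g. `// Do not paint synchronously here: items added while the popup is visible may not have style yet.` Also, the bool returned by scrollToRevealSelection() is now discarded at this site; if no other caller depends on it, that return value could be dropped in a follow-up.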
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes