Title: [240610] trunk/Source/WebCore
- Revision
- 240610
- Author
- [email protected]
- Date
- 2019-01-28 16:15:01 -0800 (Mon, 28 Jan 2019)
Log Message
svg/text/select-text-inside-non-static-position.html crashes under ScrollingStateTree::unparentChildrenAndDestroyNode()
https://bugs.webkit.org/show_bug.cgi?id=193930
Reviewed by Tim Horton.
ScrollingStateTree::unparentChildrenAndDestroyNode() should make a copy of the 'children' vector
before iterating, since iteration mutates the array.
Tested by ASan tests.
* page/scrolling/ScrollingStateNode.h:
(WebCore::ScrollingStateNode::takeChildren):
* page/scrolling/ScrollingStateTree.cpp:
(WebCore::ScrollingStateTree::unparentChildrenAndDestroyNode):
Diff
Modified: trunk/Source/WebCore/ChangeLog (240609 => 240610)
--- trunk/Source/WebCore/ChangeLog 2019-01-29 00:14:58 UTC (rev 240609)
+++ trunk/Source/WebCore/ChangeLog 2019-01-29 00:15:01 UTC (rev 240610)
@@ -1,5 +1,22 @@
2019-01-28 Simon Fraser <[email protected]>
+ svg/text/select-text-inside-non-static-position.html crashes under ScrollingStateTree::unparentChildrenAndDestroyNode()
+ https://bugs.webkit.org/show_bug.cgi?id=193930
+
+ Reviewed by Tim Horton.
+
+ ScrollingStateTree::unparentChildrenAndDestroyNode() should make a copy of the 'children' vector
+ before iterating, since iteration mutates the array.
+
+ Tested by ASan tests.
+
+ * page/scrolling/ScrollingStateNode.h:
+ (WebCore::ScrollingStateNode::takeChildren):
+ * page/scrolling/ScrollingStateTree.cpp:
+ (WebCore::ScrollingStateTree::unparentChildrenAndDestroyNode):
+
+2019-01-28 Simon Fraser <[email protected]>
+
css3/filters/blur-filter-page-scroll-self.html crashes under WebCore::ScrollingStateNode::ScrollingStateNode
https://bugs.webkit.org/show_bug.cgi?id=193925
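Review bot: the new entry explains why a copy is needed but not the contract of the new helper: after takeChildren() the node's m_children has been moved out and children() on that node returns nullptr. A line under the ScrollingStateNode.h bullet stating that takeChildren() leaves the node childless would spare the next reader from inferring it from the ScrollingStateTree.cpp hunk.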
Modified: trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h (240609 => 240610)
--- trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h 2019-01-29 00:14:58 UTC (rev 240609)
+++ trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h 2019-01-29 00:15:01 UTC (rev 240610)
@@ -236,6 +236,7 @@
ScrollingNodeID parentNodeID() const { return m_parent ? m_parent->scrollingNodeID() : 0; }
Vector<RefPtr<ScrollingStateNode>>* children() const { return m_children.get(); }
+ std::unique_ptr<Vector<RefPtr<ScrollingStateNode>>> takeChildren() { return WTFMove(m_children); }
void appendChild(Ref<ScrollingStateNode>&&);
void insertChild(Ref<ScrollingStateNode>&&, size_t index);
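Review bot: takeChildren() returns the unique_ptr by move, so once it has been called both children() and any later appendChild()/insertChild() on that node see a null m_children; the declarations in this hunk do not show whether those methods re-create the vector on demand, so that should be confirmed (or stated in a comment next to takeChildren()) before other callers use it on a node that may receive children again. Since the only sensible use is to consume the returned vector, marking it WARN_UNUSED_RETURN would keep a call that silently drops the children from compiling cleanly.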
Modified: trunk/Source/WebCore/page/scrolling/ScrollingStateTree.cpp (240609 => 240610)
--- trunk/Source/WebCore/page/scrolling/ScrollingStateTree.cpp 2019-01-29 00:14:58 UTC (rev 240609)
+++ trunk/Source/WebCore/page/scrolling/ScrollingStateTree.cpp 2019-01-29 00:15:01 UTC (rev 240610)
@@ -227,12 +227,12 @@
m_rootStateNode = nullptr;
if (auto* children = protectedNode->children()) {
- for (auto child : *children) {
+ auto isolatedChildren = protectedNode->takeChildren();
+ for (auto child : *isolatedChildren) {
child->removeFromParent();
LOG_WITH_STREAM(Scrolling, stream << " moving " << child->scrollingNodeID() << " to unparented nodes");
m_unparentedNodes.add(child->scrollingNodeID(), WTFMove(child));
}
- children->clear();
}
protectedNode->removeFromParent();
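Review bot: iterating over *isolatedChildren removes the iterator invalidation, but each child->removeFromParent() now runs while protectedNode's m_children is already null (it was moved into isolatedChildren), so removeFromParent() and whatever parent-side removal it performs must tolerate a parent with no children vector; that path is not visible in this hunk and is worth checking. The `children` variable from `if (auto* children = protectedNode->children())` is now only used for the null test; `if (auto isolatedChildren = protectedNode->takeChildren())` would drop the dead variable and make the ownership transfer itself the condition. Removing `children->clear()` is correct because isolatedChildren is destroyed at scope exit, and the per-iteration `auto child` copy followed by WTFMove(child) is harmless since the vector is discarded anyway, though `auto& child` would avoid the extra ref churn.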