Title: [245435] releases/WebKitGTK/webkit-2.24
- Revision
- 245435
- Author
- [email protected]
- Date
- 2019-05-17 03:13:58 -0700 (Fri, 17 May 2019)
Log Message
Merge r242749 - [macOS] Dispatching reentrant "contextmenu" events may cause crashes
https://bugs.webkit.org/show_bug.cgi?id=195571
<rdar://problem/48086046>
Reviewed by Andy Estes.
Source/WebCore:
Make ContextMenuController::handleContextMenuEvent robust against reentrancy by guarding it with a boolean flag.
As demonstrated in the test case, it is currently possible to force WebKit into a bad state by dispatching a
synthetic "contextmenu" event from within the scope of one of the "before(copy|cut|paste)" events triggered as
a result of handling a context menu event.
Test: fast/events/contextmenu-reentrancy-crash.html
* page/ContextMenuController.cpp:
(WebCore::ContextMenuController::handleContextMenuEvent):
* page/ContextMenuController.h:
LayoutTests:
Add a test to verify that triggering reentrant "contextmenu" events from script does not cause a crash.
* fast/events/contextmenu-reentrancy-crash-expected.txt: Added.
* fast/events/contextmenu-reentrancy-crash.html: Added.
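The reentrancy described in the log message, as an added example that is not WebKit's code: a minimal C++ model of ContextMenuController in which the boolean guard can be switched off, so the pre-fix and post-fix behaviour can be compared side by side. ContextMenu, SetForScope, the "beforepaste" listener hook and runReentrantScenario are simplified stand-ins invented for this illustration; the shared `alive` flag exists only so the example can detect "the menu I was populating was destroyed under me" deterministically instead of dereferencing freed memory.

```cpp
// Added illustration, not WebKit code: a stripped-down model of the reentrancy
// the patch guards against. ContextMenuController / SetForScope / ContextMenu
// are simplified stand-ins that only mirror the shape of the real classes.
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for WTF::SetForScope: set a variable for the lifetime of a scope and
// restore the previous value on every exit path, so the flag cannot stay stuck.
template <typename T>
class SetForScope {
public:
    SetForScope(T& variable, T newValue)
        : m_variable(variable), m_originalValue(variable)
    {
        m_variable = std::move(newValue);
    }
    ~SetForScope() { m_variable = m_originalValue; }
    SetForScope(const SetForScope&) = delete;
    SetForScope& operator=(const SetForScope&) = delete;

private:
    T& m_variable;
    T m_originalValue;
};

// The menu records its own destruction through a shared flag, so the example can
// observe "freed under me" without touching freed memory.
struct ContextMenu {
    std::vector<std::string> items;
    std::shared_ptr<bool> alive = std::make_shared<bool>(true);
    ~ContextMenu() { *alive = false; }
};

class ContextMenuController {
public:
    explicit ContextMenuController(bool guardReentrancy) : m_guardReentrancy(guardReentrancy) {}

    // Script listener for "beforepaste"; in WebKit that event fires while the
    // paste item's enabled state is computed during menu population.
    void setBeforePasteListener(std::function<void()> listener) { m_beforePaste = std::move(listener); }

    // Models handleContextMenuEvent(): create the menu, populate it (firing editing
    // events on the way), then finish. Returns true if the outer menu survived.
    bool handleContextMenuEvent()
    {
        if (m_guardReentrancy && m_isHandlingContextMenuEvent) {
            ++m_droppedNestedEvents;
            return false; // the fix: a nested event is simply ignored
        }
        SetForScope<bool> handling(m_isHandlingContextMenuEvent, true);

        // Reassigning the unique_ptr destroys whatever menu was there before. Run
        // re-entrantly, "whatever was there" is the menu the outer call still holds.
        m_contextMenu = std::make_unique<ContextMenu>();
        ContextMenu& menu = *m_contextMenu; // outer frame's reference to its own menu
        std::shared_ptr<bool> menuAlive = menu.alive;

        menu.items.push_back("Copy");
        menu.items.push_back("Cut");
        if (m_beforePaste)
            m_beforePaste(); // script may re-enter here

        if (!*menuAlive)
            return false; // the real code would now use freed memory
        menu.items.push_back("Paste");
        return true;
    }

    int droppedNestedEvents() const { return m_droppedNestedEvents; }
    bool isHandlingContextMenuEvent() const { return m_isHandlingContextMenuEvent; }

private:
    bool m_guardReentrancy;
    bool m_isHandlingContextMenuEvent { false };
    int m_droppedNestedEvents { 0 };
    std::unique_ptr<ContextMenu> m_contextMenu;
    std::function<void()> m_beforePaste;
};

struct Outcome {
    bool outerMenuSurvived;
    int nestedEventsDropped;
    bool flagRestored;
};

// Replays the layout test's trick: dispatch a synthetic "contextmenu" from inside
// "beforepaste". The listener re-enters only once so the unguarded variant terminates.
Outcome runReentrantScenario(bool guardReentrancy)
{
    ContextMenuController controller(guardReentrancy);
    int listenerCalls = 0;
    controller.setBeforePasteListener([&] {
        if (listenerCalls++ == 0)
            controller.handleContextMenuEvent();
    });
    bool survived = controller.handleContextMenuEvent();
    return { survived, controller.droppedNestedEvents(), !controller.isHandlingContextMenuEvent() };
}
```

With the guard off, the nested call replaces the unique_ptr and the outer call's menu reports itself destroyed before the outer call is done with it; with the guard on, the nested event is dropped and the outer menu is completed intact. Either way the flag is back to false once the outer call returns, which is why a scope object is preferable to setting and clearing the flag by hand around a function with more than one return.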
Diff
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (245434 => 245435)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 06:06:43 UTC (rev 245434)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 10:13:58 UTC (rev 245435)
@@ -1,3 +1,16 @@
+2019-03-11 Wenson Hsieh <[email protected]>
+
+ [macOS] Dispatching reentrant "contextmenu" events may cause crashes
+ https://bugs.webkit.org/show_bug.cgi?id=195571
+ <rdar://problem/48086046>
+
+ Reviewed by Andy Estes.
+
+ Add a test to verify that triggering reentrant "contextmenu" events from script does not cause a crash.
+
+ * fast/events/contextmenu-reentrancy-crash-expected.txt: Added.
+ * fast/events/contextmenu-reentrancy-crash.html: Added.
+
2019-05-07 Brent Fulgham <[email protected]>
Correct JSON parser to address unterminated escape character
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash-expected.txt (0 => 245435)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash-expected.txt 2019-05-17 10:13:58 UTC (rev 245435)
@@ -0,0 +1,3 @@
+This test verifies that we don't crash when attempting to handle "contextmenu" events in a reentrant manner. This test passes if the green text "PASS" is present after page load.
+
+PASS
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash.html (0 => 245435)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/events/contextmenu-reentrancy-crash.html 2019-05-17 10:13:58 UTC (rev 245435)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test verifies that we don't crash when attempting to handle "contextmenu" events in a reentrant manner. This test passes if the green text "PASS" is present after page load.</p>
+</body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function dispatchContextMenuEvent() {
+ document.body.dispatchEvent(new MouseEvent("contextmenu"));
+}
+
+document.designMode = "on";
+document.addEventListener("beforepaste", dispatchContextMenuEvent);
+dispatchContextMenuEvent();
+document.writeln("<pre style='color: green'>PASS</pre>");
+</script>
+</html>
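Review bot: only `beforepaste` is hooked here, while the description names all of before(copy|cut|paste) as reentry points; registering `dispatchContextMenuEvent` for `beforecopy` and `beforecut` as well would exercise the other two paths at no extra cost. The test also depends on `document.designMode = "on"` making the body editable so that the paste item is considered and `beforepaste` actually fires during menu population; a one-line comment stating that dependency would keep the next editor from removing it as noise.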
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (245434 => 245435)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-05-17 06:06:43 UTC (rev 245434)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-05-17 10:13:58 UTC (rev 245435)
@@ -1,3 +1,22 @@
+2019-03-11 Wenson Hsieh <[email protected]>
+
+ [macOS] Dispatching reentrant "contextmenu" events may cause crashes
+ https://bugs.webkit.org/show_bug.cgi?id=195571
+ <rdar://problem/48086046>
+
+ Reviewed by Andy Estes.
+
+ Make ContextMenuController::handleContextMenuEvent robust against reentrancy by guarding it with a boolean flag.
+ As demonstrated in the test case, it is currently possible to force WebKit into a bad state by dispatching a
+ synthetic "contextmenu" event from within the scope of one of the "before(copy|cut|paste)" events triggered as
+ a result of handling a context menu event.
+
+ Test: fast/events/contextmenu-reentrancy-crash.html
+
+ * page/ContextMenuController.cpp:
+ (WebCore::ContextMenuController::handleContextMenuEvent):
+ * page/ContextMenuController.h:
+
2019-05-08 Carlos Garcia Campos <[email protected]>
REGRESSION(r239915): [FreeType] White space skipped when rendering plain text with noto CJK font
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.cpp (245434 => 245435)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.cpp 2019-05-17 06:06:43 UTC (rev 245434)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.cpp 2019-05-17 10:13:58 UTC (rev 245435)
@@ -68,6 +68,7 @@
#include "UserTypingGestureIndicator.h"
#include "WindowFeatures.h"
#include "markup.h"
+#include <wtf/SetForScope.h>
#include <wtf/WallTime.h>
#include <wtf/unicode/CharacterNames.h>
@@ -97,6 +98,11 @@
void ContextMenuController::handleContextMenuEvent(Event& event)
{
+ if (m_isHandlingContextMenuEvent)
+ return;
+
+ SetForScope<bool> isHandlingContextMenuEventForScope(m_isHandlingContextMenuEvent, true);
+
m_contextMenu = maybeCreateContextMenu(event);
if (!m_contextMenu)
return;
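Review bot: the early return silently discards the nested event, which is the intended behaviour but deserves a comment explaining why reentry is possible here at all: populating the menu fires the before(copy|cut|paste) editing events, and a script listener on one of them can dispatch another contextmenu event, whose `m_contextMenu = maybeCreateContextMenu(event)` would reassign the std::unique_ptr and destroy the menu the outer invocation is still working on. Using SetForScope rather than a manual set/clear is the right choice since it also resets the flag on the `if (!m_contextMenu) return;` path directly below and on any later return in this function.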
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.h (245434 => 245435)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.h 2019-05-17 06:06:43 UTC (rev 245434)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/page/ContextMenuController.h 2019-05-17 10:13:58 UTC (rev 245435)
@@ -93,6 +93,7 @@
std::unique_ptr<ContextMenu> m_contextMenu;
RefPtr<ContextMenuProvider> m_menuProvider;
ContextMenuContext m_context;
+ bool m_isHandlingContextMenuEvent { false };
};
} // namespace WebCore
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes