Title: [248173] trunk/Source/WebCore
Revision
248173
Author
[email protected]
Date
2019-08-02 13:07:11 -0700 (Fri, 02 Aug 2019)

Log Message

Harden NodeRareData::m_connectedFrameCount
https://bugs.webkit.org/show_bug.cgi?id=200300

Reviewed by Geoffrey Garen.

Use unsigned integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.

* dom/Node.cpp:
(WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
* dom/NodeRareData.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (248172 => 248173)


--- trunk/Source/WebCore/ChangeLog	2019-08-02 19:58:50 UTC (rev 248172)
+++ trunk/Source/WebCore/ChangeLog	2019-08-02 20:07:11 UTC (rev 248173)
@@ -1,5 +1,18 @@
 2019-08-02  Ryosuke Niwa  <[email protected]>
 
+        Harden NodeRareData::m_connectedFrameCount
+        https://bugs.webkit.org/show_bug.cgi?id=200300
+
+        Reviewed by Geoffrey Garen.
+
+        Use unsinged integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
+
+        * dom/Node.cpp:
+        (WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
+        * dom/NodeRareData.h:
+
+2019-08-02  Ryosuke Niwa  <[email protected]>
+
         Document::resume should delay resetting of form control elements.
         https://bugs.webkit.org/show_bug.cgi?id=200376
 
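Review bot: "unsinged" in the new ChangeLog entry should be "unsigned", and the per-function line says "Check that hasRareNode() is true" while the code in dom/Node.cpp checks `hasRareData()`; the entry should name the function actually called so the ChangeLog and the diff agree.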

Modified: trunk/Source/WebCore/dom/Node.cpp (248172 => 248173)


--- trunk/Source/WebCore/dom/Node.cpp	2019-08-02 19:58:50 UTC (rev 248172)
+++ trunk/Source/WebCore/dom/Node.cpp	2019-08-02 20:07:11 UTC (rev 248173)
@@ -2554,6 +2554,9 @@
 
 void Node::decrementConnectedSubframeCount(unsigned amount)
 {
+    ASSERT(rareData());
+    if (!hasRareData())
+        return; // Defend against type confusion when the above assertion fails. See webkit.org/b/200300.
     rareData()->decrementConnectedSubframeCount(amount);
 }
 
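Review bot: the debug assertion and the release guard test different predicates (`ASSERT(rareData());` versus `if (!hasRareData())`); asserting on `hasRareData()` would make the two checks identical and avoid calling `rareData()` before the guard. Also, the early `return;` silently drops the decrement, so a release build that reaches this path leaves the connected-subframe count unchanged rather than failing loudly; if that is the intended trade-off it deserves a sentence in the ChangeLog, otherwise `RELEASE_ASSERT(hasRareData());` would surface the underlying bug instead of masking it.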

Modified: trunk/Source/WebCore/dom/NodeRareData.h (248172 => 248173)


--- trunk/Source/WebCore/dom/NodeRareData.h	2019-08-02 19:58:50 UTC (rev 248172)
+++ trunk/Source/WebCore/dom/NodeRareData.h	2019-08-02 20:07:11 UTC (rev 248173)
@@ -29,6 +29,7 @@
 #include "QualifiedName.h"
 #include "TagCollection.h"
 #include <wtf/HashSet.h>
+#include <wtf/StdLibExtras.h>
 #include <wtf/text/AtomString.h>
 
 namespace WebCore {
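Review bot: nothing in the visible hunks uses anything from `<wtf/StdLibExtras.h>`; if the include is left over from an earlier iteration it should be dropped, and if a declaration outside the diff needs it, the ChangeLog should say what it is for.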
@@ -319,7 +320,7 @@
 #endif
 
 private:
-    unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames.
+    unsigned m_connectedFrameCount; // Must fit Page::maxNumberOfFrames.
 
     std::unique_ptr<NodeListsNodeData> m_nodeLists;
     std::unique_ptr<NodeMutationObserverData> m_mutationObserverData;
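Review bot: with the `: 10` width removed, the retained comment `// Must fit Page::maxNumberOfFrames.` no longer describes a real constraint on a full `unsigned`; either reword it to say why a plain unsigned is used (the struct is padded anyway, per the ChangeLog) or drop it so it does not read as stale.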
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
