Title: [248261] releases/WebKitGTK/webkit-2.24/Source/WebCore
- Revision
- 248261
- Author
- [email protected]
- Date
- 2019-08-03 20:24:27 -0700 (Sat, 03 Aug 2019)
Log Message
Merge r248173 - Harden NodeRareData::m_connectedFrameCount
https://bugs.webkit.org/show_bug.cgi?id=200300
Reviewed by Geoffrey Garen.
Use unsigned integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
* dom/Node.cpp:
(WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
* dom/NodeRareData.h:
Diff
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (248260 => 248261)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-08-04 03:24:25 UTC (rev 248260)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-08-04 03:24:27 UTC (rev 248261)
@@ -1,5 +1,18 @@
2019-08-02 Ryosuke Niwa <[email protected]>
+ Harden NodeRareData::m_connectedFrameCount
+ https://bugs.webkit.org/show_bug.cgi?id=200300
+
+ Reviewed by Geoffrey Garen.
+
+ Use unsinged integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
+
+ * dom/Node.cpp:
+ (WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
+ * dom/NodeRareData.h:
+
+2019-08-02 Ryosuke Niwa <[email protected]>
+
Document::resume should delay resetting of form control elements.
https://bugs.webkit.org/show_bug.cgi?id=200376
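Review bot: The ChangeLog entry for decrementConnectedSubframeCount says the check is on hasRareNode(), but the Node.cpp change in this revision calls hasRareData(); the entry should name the function that is actually called. The summary line also has "unsinged" where "unsigned" is meant. Since this text is what people will search for when tracing the hardening back to bug 200300, it is worth correcting both.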
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Node.cpp (248260 => 248261)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Node.cpp 2019-08-04 03:24:25 UTC (rev 248260)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Node.cpp 2019-08-04 03:24:27 UTC (rev 248261)
@@ -2536,6 +2536,9 @@
void Node::decrementConnectedSubframeCount(unsigned amount)
{
+ ASSERT(rareData());
+ if (!hasRareData())
+ return; // Defend against type confusion when the above assertion fails. See webkit.org/b/200300.
rareData()->decrementConnectedSubframeCount(amount);
}
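Review bot: The debug assertion and the release guard in decrementConnectedSubframeCount test different expressions: ASSERT(rareData()) versus if (!hasRareData()). Asserting hasRareData() would keep both builds checking the same condition and would avoid calling the accessor before the guard that is there to protect it. The early return also drops the decrement silently, so in a release build the caller's bookkeeping goes out of balance with no trace. If that is the intended trade-off, the comment should say so. It is also worth confirming that the other callers of rareData() on the connected-subframe paths get the same guard, since only this one is covered here.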
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/NodeRareData.h (248260 => 248261)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/NodeRareData.h 2019-08-04 03:24:25 UTC (rev 248260)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/NodeRareData.h 2019-08-04 03:24:27 UTC (rev 248261)
@@ -29,6 +29,7 @@
#include "QualifiedName.h"
#include "TagCollection.h"
#include <wtf/HashSet.h>
+#include <wtf/StdLibExtras.h>
#include <wtf/text/AtomicString.h>
namespace WebCore {
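Review bot: The added #include <wtf/StdLibExtras.h> is not used by anything visible in this diff; the only other change to NodeRareData.h is the field declaration, which needs no helper from that header. Either point to the code that depends on it or drop the include from this merge.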
@@ -319,7 +320,7 @@
#endif
private:
- unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames.
+ unsigned m_connectedFrameCount; // Must fit Page::maxNumberOfFrames.
std::unique_ptr<NodeListsNodeData> m_nodeLists;
std::unique_ptr<NodeMutationObserverData> m_mutationObserverData;
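Review bot: The trailing comment on m_connectedFrameCount, "Must fit Page::maxNumberOfFrames", was written for the 10-bit field and no longer explains the declaration now that the member is a full unsigned. Suggest updating it to record why the bit-field was removed (the log message says the field is padded anyway, so the widening costs no space) so that a later size optimisation does not reintroduce the narrow width. If the limit is still meant to hold, a check against Page::maxNumberOfFrames where the count is incremented would enforce it rather than leaving it to a comment.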