Title: [250502] branches/safari-608-branch/Source/WebCore
- Revision: 250502
- Author: bshaf...@apple.com
- Date: 2019-09-30 01:30:31 -0700 (Mon, 30 Sep 2019)
Log Message
Cherry-pick r248173. rdar://problem/55826879
Harden NodeRareData::m_connectedFrameCount
https://bugs.webkit.org/show_bug.cgi?id=200300
Reviewed by Geoffrey Garen.
Use unsigned integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
* dom/Node.cpp:
(WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
* dom/NodeRareData.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248173 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-608-branch/Source/WebCore/ChangeLog (250501 => 250502)
--- branches/safari-608-branch/Source/WebCore/ChangeLog 2019-09-30 08:30:28 UTC (rev 250501)
+++ branches/safari-608-branch/Source/WebCore/ChangeLog 2019-09-30 08:30:31 UTC (rev 250502)
@@ -1,5 +1,36 @@
2019-09-30 Babak Shafiei <bshaf...@apple.com>
+ Cherry-pick r248173. rdar://problem/55826879
+
+ Harden NodeRareData::m_connectedFrameCount
+ https://bugs.webkit.org/show_bug.cgi?id=200300
+
+ Reviewed by Geoffrey Garen.
+
+ Use unsinged integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
+
+ * dom/Node.cpp:
+ (WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
+ * dom/NodeRareData.h:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248173 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-02 Ryosuke Niwa <rn...@webkit.org>
+
+ Harden NodeRareData::m_connectedFrameCount
+ https://bugs.webkit.org/show_bug.cgi?id=200300
+
+ Reviewed by Geoffrey Garen.
+
+ Use unsinged integer type in NodeRareData::m_connectedFrameCount since it's padded anyway.
+
+ * dom/Node.cpp:
+ (WebCore::Node::decrementConnectedSubframeCount): Check that hasRareNode() is true in release builds.
+ * dom/NodeRareData.h:
+
+2019-09-30 Babak Shafiei <bshaf...@apple.com>
+
Cherry-pick r248172. rdar://problem/55826873
Document::resume should delay resetting of form control elements.
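Review bot: The added ChangeLog entries describe the Node.cpp change as "Check that hasRareNode() is true in release builds", but the function called in the Node.cpp hunk is hasRareData(); the entry should name hasRareData() so it can be searched for. The same entries spell "unsigned" as "unsinged", and the line for dom/NodeRareData.h is left without a description of what changed there.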
Modified: branches/safari-608-branch/Source/WebCore/dom/Node.cpp (250501 => 250502)
--- branches/safari-608-branch/Source/WebCore/dom/Node.cpp 2019-09-30 08:30:28 UTC (rev 250501)
+++ branches/safari-608-branch/Source/WebCore/dom/Node.cpp 2019-09-30 08:30:31 UTC (rev 250502)
@@ -2554,6 +2554,9 @@
void Node::decrementConnectedSubframeCount(unsigned amount)
{
+ ASSERT(rareData());
+ if (!hasRareData())
+ return; // Defend against type confusion when the above assertion fails. See webkit.org/b/200300.
rareData()->decrementConnectedSubframeCount(amount);
}
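Review bot: The debug assertion and the release guard in decrementConnectedSubframeCount test different expressions, ASSERT(rareData()) versus if (!hasRareData()). The inline comment says the guard defends against type confusion, which is the case where the value returned by rareData() may be non-null yet not actually be rare data, so the assertion may not fire when the guard does; ASSERT(hasRareData()) would keep debug and release builds checking the same condition. The early return also silently skips the decrement in release builds, so the comment should say that leaving the count unchanged is the intended outcome on that path.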
Modified: branches/safari-608-branch/Source/WebCore/dom/NodeRareData.h (250501 => 250502)
--- branches/safari-608-branch/Source/WebCore/dom/NodeRareData.h 2019-09-30 08:30:28 UTC (rev 250501)
+++ branches/safari-608-branch/Source/WebCore/dom/NodeRareData.h 2019-09-30 08:30:31 UTC (rev 250502)
@@ -29,6 +29,7 @@
#include "QualifiedName.h"
#include "TagCollection.h"
#include <wtf/HashSet.h>
+#include <wtf/StdLibExtras.h>
#include <wtf/text/AtomString.h>
namespace WebCore {
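Review bot: The new #include <wtf/StdLibExtras.h> is not used by anything visible in this diff; the only other change to NodeRareData.h is the declaration of m_connectedFrameCount. If something else in the header depends on it, the ChangeLog line for dom/NodeRareData.h should say what; otherwise the include can be dropped.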
@@ -319,7 +320,7 @@
#endif
private:
- unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames.
+ unsigned m_connectedFrameCount; // Must fit Page::maxNumberOfFrames.
std::unique_ptr<NodeListsNodeData> m_nodeLists;
std::unique_ptr<NodeMutationObserverData> m_mutationObserverData;
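Review bot: With the ": 10" bit-field width removed from m_connectedFrameCount, the retained comment "Must fit Page::maxNumberOfFrames" no longer describes a constraint that the declaration imposes, and nothing in this hunk enforces it; the comment should be updated to say why the full-width type was chosen, or dropped. A wider field also does not by itself stop a decrement by an amount larger than the stored count from wrapping around, so it is worth confirming that NodeRareData::decrementConnectedSubframeCount, which is not shown in this diff, checks the amount against the current count.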