Title: [251057] trunk
Revision: 251057
Author: rn...@webkit.org
Date: 2019-10-12 23:26:19 -0700 (Sat, 12 Oct 2019)

Log Message

[iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
https://bugs.webkit.org/show_bug.cgi?id=202878

Reviewed by Alex Christensen.

Source/WebCore:

Added the missing null check in tryAddEventListener and tryRemoveEventListener for scroll event.

Test: fast/events/scroll-event-on-document-without-window.html

* dom/Node.cpp:
(WebCore::tryAddEventListener):
(WebCore::tryRemoveEventListener):

LayoutTests:

Added a regression test for the crash.

* fast/events/scroll-event-on-document-without-window-expected.txt: Added.
* fast/events/scroll-event-on-document-without-window.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (251056 => 251057)


--- trunk/LayoutTests/ChangeLog	2019-10-13 05:35:27 UTC (rev 251056)
+++ trunk/LayoutTests/ChangeLog	2019-10-13 06:26:19 UTC (rev 251057)
@@ -1,5 +1,17 @@
 2019-10-12  Ryosuke Niwa  <rn...@webkit.org>
 
+        [iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
+        https://bugs.webkit.org/show_bug.cgi?id=202878
+
+        Reviewed by Alex Christensen.
+
+        Added a regression test for the crash.
+
+        * fast/events/scroll-event-on-document-without-window-expected.txt: Added.
+        * fast/events/scroll-event-on-document-without-window.html: Added.
+
+2019-10-12  Ryosuke Niwa  <rn...@webkit.org>
+
         Invoke callback registered by requestIdleCallback
         https://bugs.webkit.org/show_bug.cgi?id=202824
 

Added: trunk/LayoutTests/fast/events/scroll-event-on-document-without-window-expected.txt (0 => 251057)


--- trunk/LayoutTests/fast/events/scroll-event-on-document-without-window-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/scroll-event-on-document-without-window-expected.txt	2019-10-13 06:26:19 UTC (rev 251057)
@@ -0,0 +1,3 @@
+This tests add scroll event listener to a document without browsing context. WebKit should not crash.
+
+PASS

Added: trunk/LayoutTests/fast/events/scroll-event-on-document-without-window.html (0 => 251057)


--- trunk/LayoutTests/fast/events/scroll-event-on-document-without-window.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/scroll-event-on-document-without-window.html	2019-10-13 06:26:19 UTC (rev 251057)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests add scroll event listener to a document without browsing context. WebKit should not crash.</p>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const doc = document.implementation.createHTMLDocument();
+function listner() { }
+doc.addEventListener('scroll', listner);
+doc.removeEventListener('scroll', listner);
+
+document.write('PASS');
+
+</script>
+</body>
+</html>
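
Review bot: The listener function in the test script is misspelled as `listner`; rename it to `listener` in the declaration and in both the `addEventListener` and `removeEventListener` calls. The description paragraph also reads "This tests add scroll event listener to a document without browsing context"; something like "This tests adding a scroll event listener to a document without a browsing context" is clearer, and the same sentence in the -expected.txt file has to change with it so the text dump still matches.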

Modified: trunk/Source/WebCore/ChangeLog (251056 => 251057)


--- trunk/Source/WebCore/ChangeLog	2019-10-13 05:35:27 UTC (rev 251056)
+++ trunk/Source/WebCore/ChangeLog	2019-10-13 06:26:19 UTC (rev 251057)
@@ -1,3 +1,18 @@
+2019-10-12  Ryosuke Niwa  <rn...@webkit.org>
+
+        [iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
+        https://bugs.webkit.org/show_bug.cgi?id=202878
+
+        Reviewed by Alex Christensen.
+
+        Added the missing null check in tryAddEventListener and tryRemoveEventListener for scroll event.
+
+        Test: fast/events/scroll-event-on-document-without-window.html
+
+        * dom/Node.cpp:
+        (WebCore::tryAddEventListener):
+        (WebCore::tryRemoveEventListener):
+
 2019-10-12  Simon Fraser  <simon.fra...@apple.com>
 
         Move CSSReflectionDirection into RenderStyleConstants as ReflectionDirection

Modified: trunk/Source/WebCore/dom/Node.cpp (251056 => 251057)


--- trunk/Source/WebCore/dom/Node.cpp	2019-10-13 05:35:27 UTC (rev 251056)
+++ trunk/Source/WebCore/dom/Node.cpp	2019-10-13 06:26:19 UTC (rev 251057)
@@ -2114,8 +2114,10 @@
         targetNode->document().didAddTouchEventHandler(*targetNode);
 
 #if PLATFORM(IOS_FAMILY)
-    if (targetNode == &targetNode->document() && eventType == eventNames().scrollEvent)
-        targetNode->document().domWindow()->incrementScrollEventListenersCount();
+    if (targetNode == &targetNode->document() && eventType == eventNames().scrollEvent) {
+        if (auto* window = targetNode->document().domWindow())
+            targetNode->document().domWindow()->incrementScrollEventListenersCount();
+    }
 
 #if ENABLE(TOUCH_EVENTS)
     if (eventNames().isTouchRelatedEventType(targetNode->document(), eventType))
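
Review bot: In the increment path the null-checked `window` is never used: the guarded statement still calls `targetNode->document().domWindow()->incrementScrollEventListenersCount()`, so the pointer that was tested and the pointer that is dereferenced come from two separate `domWindow()` calls. Use `window->incrementScrollEventListenersCount();` here, matching the decrement hunk below, so the check and the dereference refer to the same value.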
@@ -2149,8 +2151,10 @@
         targetNode->document().didRemoveTouchEventHandler(*targetNode);
 
 #if PLATFORM(IOS_FAMILY)
-    if (targetNode == &targetNode->document() && eventType == eventNames().scrollEvent)
-        targetNode->document().domWindow()->decrementScrollEventListenersCount();
+    if (targetNode == &targetNode->document() && eventType == eventNames().scrollEvent) {
+        if (auto* window = targetNode->document().domWindow())
+            window->decrementScrollEventListenersCount();
+    }
 
 #if ENABLE(TOUCH_EVENTS)
     if (eventNames().isTouchRelatedEventType(targetNode->document(), eventType))
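
Review bot: The new guard around `window->decrementScrollEventListenersCount()` carries no comment saying when `domWindow()` is null at this point; a one-line comment naming the case the regression test covers (a document without a browsing context, such as one from `createHTMLDocument()`) would keep the check from being removed later as dead code. Since increment and decrement are now each skipped independently depending on whether a window exists at call time, it is also worth stating, in a comment or an assertion, why the count cannot become unbalanced between an add and the matching remove.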
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes