Title: [254700] trunk/Source/WebCore
- Revision
- 254700
- Author
- [email protected]
- Date
- 2020-01-16 11:55:03 -0800 (Thu, 16 Jan 2020)
Log Message
WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=206335
Reviewed by Antti Koivisto.
Delay the widget hierarchy updates until we're done attaching a shadow root.
Otherwise, WK1 would retry to update the focus synchronously.
* dom/Element.cpp:
(WebCore::Element::addShadowRoot):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (254699 => 254700)
--- trunk/Source/WebCore/ChangeLog 2020-01-16 19:27:43 UTC (rev 254699)
+++ trunk/Source/WebCore/ChangeLog 2020-01-16 19:55:03 UTC (rev 254700)
@@ -1,3 +1,16 @@
+2020-01-16 Ryosuke Niwa <[email protected]>
+
+ WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=206335
+
+ Reviewed by Antti Koivisto.
+
+ Delay the widget hierarchy updates until we're done attaching a shadow root.
+ Otherwise, WK1 would retry to update the focus synchronously.
+
+ * dom/Element.cpp:
+ (WebCore::Element::addShadowRoot):
+
2020-01-16 Chris Lord <[email protected]>
REGRESSION (r254291): [ Catalina wk2 Debug ] Flaky ASSERT on fast/images/animated-image-loop-count.html
Modified: trunk/Source/WebCore/dom/Element.cpp (254699 => 254700)
--- trunk/Source/WebCore/dom/Element.cpp 2020-01-16 19:27:43 UTC (rev 254699)
+++ trunk/Source/WebCore/dom/Element.cpp 2020-01-16 19:55:03 UTC (rev 254700)
@@ -2279,6 +2279,7 @@
ShadowRoot& shadowRoot = newShadowRoot;
{
+ WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
ScriptDisallowedScope::InMainThread scriptDisallowedScope;
if (renderer())
RenderTreeUpdater::tearDownRenderers(*this);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
