Title: [261778] trunk
Revision: 261778
Author: [email protected]
Date: 2020-05-15 21:32:20 -0700 (Fri, 15 May 2020)

Log Message

Nullptr crash in MediaQueryMatcher::evaluateAll
https://bugs.webkit.org/show_bug.cgi?id=211963
<rdar://problem/62850977>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: fast/media/media-query-list-mutation.html

* css/MediaQueryMatcher.cpp:
(WebCore::MediaQueryMatcher::evaluateAll):

Copy the vector before iterating.

LayoutTests:

* fast/media/media-query-list-mutation-expected.txt: Added.
* fast/media/media-query-list-mutation.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261777 => 261778)


--- trunk/LayoutTests/ChangeLog	2020-05-16 04:09:51 UTC (rev 261777)
+++ trunk/LayoutTests/ChangeLog	2020-05-16 04:32:20 UTC (rev 261778)
@@ -1,3 +1,14 @@
+2020-05-15  Antti Koivisto  <[email protected]>
+
+        Nullptr crash in MediaQueryMatcher::evaluateAll
+        https://bugs.webkit.org/show_bug.cgi?id=211963
+        <rdar://problem/62850977>
+
+        Reviewed by Brent Fulgham.
+
+        * fast/media/media-query-list-mutation-expected.txt: Added.
+        * fast/media/media-query-list-mutation.html: Added.
+
 2020-05-15  Jack Lee  <[email protected]>
 
         Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.

Added: trunk/LayoutTests/fast/media/media-query-list-mutation-expected.txt (0 => 261778)


--- trunk/LayoutTests/fast/media/media-query-list-mutation-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/media/media-query-list-mutation-expected.txt	2020-05-16 04:32:20 UTC (rev 261778)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/media/media-query-list-mutation.html (0 => 261778)


--- trunk/LayoutTests/fast/media/media-query-list-mutation.html	                        (rev 0)
+++ trunk/LayoutTests/fast/media/media-query-list-mutation.html	2020-05-16 04:32:20 UTC (rev 261778)
@@ -0,0 +1,20 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+const queries = [];
+queries.push(window.matchMedia("screen"));
+queries.push(window.matchMedia("screen"));
+
+queries[0].addListener(() => {
+    for (let i = 0; i < 20; ++i)
+        queries.push(window.matchMedia("screen"))
+
+    requestAnimationFrame(() => testRunner.notifyDone());
+});
+
+window.internals.settings.setMediaTypeOverride("handheld");
+</script>
+This test passes if it doesn't crash.
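
Review bot: The `requestAnimationFrame(() => testRunner.notifyDone())` callback and the final `window.internals.settings.setMediaTypeOverride("handheld")` call use `testRunner` and `internals` unguarded, while the top of the script checks `if (window.testRunner)` first. Opened outside the test harness, the script throws on the `internals` line instead of running to completion; guard both uses the same way, or drop the guard at the top so the file is consistent about requiring the harness. The listener only appends to `queries`, so the test covers the matcher's list growing during notification. A second case in which the listener releases existing MediaQueryList objects would cover entries disappearing during the loop, which the `if (!list)` check in evaluateAll suggests can happen. The `queries.push(...)` statement inside the `for` loop is also missing its semicolon.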

Modified: trunk/Source/WebCore/ChangeLog (261777 => 261778)


--- trunk/Source/WebCore/ChangeLog	2020-05-16 04:09:51 UTC (rev 261777)
+++ trunk/Source/WebCore/ChangeLog	2020-05-16 04:32:20 UTC (rev 261778)
@@ -1,3 +1,18 @@
+2020-05-15  Antti Koivisto  <[email protected]>
+
+        Nullptr crash in MediaQueryMatcher::evaluateAll
+        https://bugs.webkit.org/show_bug.cgi?id=211963
+        <rdar://problem/62850977>
+
+        Reviewed by Brent Fulgham.
+
+        Test: fast/media/media-query-list-mutation.html
+
+        * css/MediaQueryMatcher.cpp:
+        (WebCore::MediaQueryMatcher::evaluateAll):
+
+        Copy the vector before iterating.
+
 2020-05-15  Jack Lee  <[email protected]>
 
         Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.

Modified: trunk/Source/WebCore/css/MediaQueryMatcher.cpp (261777 => 261778)


--- trunk/Source/WebCore/css/MediaQueryMatcher.cpp	2020-05-16 04:09:51 UTC (rev 261777)
+++ trunk/Source/WebCore/css/MediaQueryMatcher.cpp	2020-05-16 04:32:20 UTC (rev 261778)
@@ -118,7 +118,9 @@
     LOG_WITH_STREAM(MediaQueries, stream << "MediaQueryMatcher::styleResolverChanged " << m_document->url());
 
     MediaQueryEvaluator evaluator { mediaType(), *m_document, style.get() };
-    for (auto& list : m_mediaQueryLists) {
+
+    auto mediaQueryLists = m_mediaQueryLists;
+    for (auto& list : mediaQueryLists) {
         if (!list)
             continue;
         bool notify;
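
Review bot: The new `auto mediaQueryLists = m_mediaQueryLists;` line needs a comment explaining why the copy is made. Nothing at this site says that script run during notification can call matchMedia() and change m_mediaQueryLists while it is being iterated (the added layout test does exactly that), and without the comment a later cleanup could turn the copy back into a reference. Two things to confirm before landing: since the loop still starts with `if (!list) continue;`, the copied elements appear able to become null, so check whether the copy keeps each list alive for the rest of the loop body after a listener has run, or whether a strong reference should be taken per iteration. Also, lists registered during dispatch are not visited in this pass; say in the comment or the ChangeLog that this is intended.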