Title: [262553] branches/safari-609-branch
- Revision: 262553
- Author: alanc...@apple.com
- Date: 2020-06-04 12:00:39 -0700 (Thu, 04 Jun 2020)
Log Message
Cherry-pick r262196. rdar://problem/63951363
Crash under WebNotificationManager::removeNotificationFromContextMap()
https://bugs.webkit.org/show_bug.cgi?id=212410
<rdar://63496726>
Reviewed by Alex Christensen.
Source/WebKit:
Protect the notification object in WebNotificationManager::didDestroyNotification() since
removing it from m_notificationIDMap will deref it and may end up destroying the notification
object otherwise.
Test: http/tests/notifications/crash-on-navigation.html
* WebProcess/Notifications/WebNotificationManager.cpp:
(WebKit::WebNotificationManager::didDestroyNotification):
LayoutTests:
Add layout test coverage.
* http/tests/notifications/crash-on-navigation-expected.txt: Added.
* http/tests/notifications/crash-on-navigation.html: Added.
* http/tests/notifications/resources/crash-on-navigation-iframe.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262196 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/LayoutTests/ChangeLog (262552 => 262553)
--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-06-04 19:00:36 UTC (rev 262552)
+++ branches/safari-609-branch/LayoutTests/ChangeLog 2020-06-04 19:00:39 UTC (rev 262553)
@@ -1,5 +1,51 @@
2020-06-04 Alan Coon <alanc...@apple.com>
+ Cherry-pick r262196. rdar://problem/63951363
+
+ Crash under WebNotificationManager::removeNotificationFromContextMap()
+ https://bugs.webkit.org/show_bug.cgi?id=212410
+ <rdar://63496726>
+
+ Reviewed by Alex Christensen.
+
+ Source/WebKit:
+
+ Protect the notification object in WebNotificationManager::didDestroyNotification() since
+ removing it from m_notificationIDMap will deref it and may end up destroying the notification
+ object otherwise.
+
+ Test: http/tests/notifications/crash-on-navigation.html
+
+ * WebProcess/Notifications/WebNotificationManager.cpp:
+ (WebKit::WebNotificationManager::didDestroyNotification):
+
+ LayoutTests:
+
+ Add layout test coverage.
+
+ * http/tests/notifications/crash-on-navigation-expected.txt: Added.
+ * http/tests/notifications/crash-on-navigation.html: Added.
+ * http/tests/notifications/resources/crash-on-navigation-iframe.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262196 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-05-27 Chris Dumez <cdu...@apple.com>
+
+ Crash under WebNotificationManager::removeNotificationFromContextMap()
+ https://bugs.webkit.org/show_bug.cgi?id=212410
+ <rdar://63496726>
+
+ Reviewed by Alex Christensen.
+
+ Add layout test coverage.
+
+ * http/tests/notifications/crash-on-navigation-expected.txt: Added.
+ * http/tests/notifications/crash-on-navigation.html: Added.
+ * http/tests/notifications/resources/crash-on-navigation-iframe.html: Added.
+
+2020-06-04 Alan Coon <alanc...@apple.com>
+
Cherry-pick r261246. rdar://problem/63951358
pointermove event sometimes has incorrect pointerType of 'mouse' on touch interactions
Added: branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation-expected.txt (0 => 262553)
--- branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation-expected.txt (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation-expected.txt 2020-06-04 19:00:39 UTC (rev 262553)
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+
+
Added: branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation.html (0 => 262553)
--- branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation.html (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/notifications/crash-on-navigation.html 2020-06-04 19:00:39 UTC (rev 262553)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test passes if it does not crash.</p>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function gc() {
+ if (typeof GCController !== "undefined")
+ GCController.collect();
+ else {
+ var gcRec = function (n) {
+ if (n < 1)
+ return {};
+ var temp = {i: "ab" + i + (i / 100000)};
+ temp += "foo";
+ gcRec(n-1);
+ };
+ for (var i = 0; i < 1000; i++)
+ gcRec(10);
+ }
+}
+
+let reloads = 0;
+function frameLoaded()
+{
+ reloads++;
+ gc();
+ if (reloads == 50) {
+ testFrame.remove();
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+</script>
+<iframe id="testFrame" src=""
+</body>
+</html>
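Review bot: the `<iframe id="testFrame" src=""` line near the end of this file has an empty src and no closing `>` or `</iframe>` as shown here, so nothing loads resources/crash-on-navigation-iframe.html. That subframe is the only caller of frameLoaded(), so with this markup `reloads` never reaches 50, testRunner.notifyDone() is never called, and the test times out without exercising the notification path. Point src at the iframe resource added in this revision and close the element. Separately, frameLoaded() reads `testFrame` through the implicit id-to-global lookup; document.getElementById("testFrame") would make that dependency explicit.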
Added: branches/safari-609-branch/LayoutTests/http/tests/notifications/resources/crash-on-navigation-iframe.html (0 => 262553)
--- branches/safari-609-branch/LayoutTests/http/tests/notifications/resources/crash-on-navigation-iframe.html (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/notifications/resources/crash-on-navigation-iframe.html 2020-06-04 19:00:39 UTC (rev 262553)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+new Notification("FOO");
+setTimeout(() => {
+ location.reload();
+}, 10);
+top.frameLoaded();
+</script>
+</body>
+</html>
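Review bot: the 10 ms `setTimeout` before `location.reload()` has no comment explaining why the reload is delayed or what the test needs to have happened to the Notification by then. A regression test whose only pass condition is "does not crash" depends on that timing, so a short comment should state which sequence is being provoked (notification created, frame navigated, object destroyed). It should also say whether the notification needs permission to be shown or whether constructing it is sufficient, since neither file makes a testRunner call to set permission. That lets a future reader tell whether the test still covers the bug if timings change.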
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (262552 => 262553)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-06-04 19:00:36 UTC (rev 262552)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-06-04 19:00:39 UTC (rev 262553)
@@ -1,5 +1,54 @@
2020-06-04 Alan Coon <alanc...@apple.com>
+ Cherry-pick r262196. rdar://problem/63951363
+
+ Crash under WebNotificationManager::removeNotificationFromContextMap()
+ https://bugs.webkit.org/show_bug.cgi?id=212410
+ <rdar://63496726>
+
+ Reviewed by Alex Christensen.
+
+ Source/WebKit:
+
+ Protect the notification object in WebNotificationManager::didDestroyNotification() since
+ removing it from m_notificationIDMap will deref it and may end up destroying the notification
+ object otherwise.
+
+ Test: http/tests/notifications/crash-on-navigation.html
+
+ * WebProcess/Notifications/WebNotificationManager.cpp:
+ (WebKit::WebNotificationManager::didDestroyNotification):
+
+ LayoutTests:
+
+ Add layout test coverage.
+
+ * http/tests/notifications/crash-on-navigation-expected.txt: Added.
+ * http/tests/notifications/crash-on-navigation.html: Added.
+ * http/tests/notifications/resources/crash-on-navigation-iframe.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262196 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-05-27 Chris Dumez <cdu...@apple.com>
+
+ Crash under WebNotificationManager::removeNotificationFromContextMap()
+ https://bugs.webkit.org/show_bug.cgi?id=212410
+ <rdar://63496726>
+
+ Reviewed by Alex Christensen.
+
+ Protect the notification object in WebNotificationManager::didDestroyNotification() since
+ removing it from m_notificationIDMap will deref it and may end up destroying the notification
+ object otherwise.
+
+ Test: http/tests/notifications/crash-on-navigation.html
+
+ * WebProcess/Notifications/WebNotificationManager.cpp:
+ (WebKit::WebNotificationManager::didDestroyNotification):
+
+2020-06-04 Alan Coon <alanc...@apple.com>
+
Cherry-pick r261246. rdar://problem/63951358
pointermove event sometimes has incorrect pointerType of 'mouse' on touch interactions
Modified: branches/safari-609-branch/Source/WebKit/WebProcess/Notifications/WebNotificationManager.cpp (262552 => 262553)
--- branches/safari-609-branch/Source/WebKit/WebProcess/Notifications/WebNotificationManager.cpp 2020-06-04 19:00:36 UTC (rev 262552)
+++ branches/safari-609-branch/Source/WebKit/WebProcess/Notifications/WebNotificationManager.cpp 2020-06-04 19:00:39 UTC (rev 262553)
@@ -204,6 +204,8 @@
void WebNotificationManager::didDestroyNotification(Notification* notification, WebPage* page)
{
#if ENABLE(NOTIFICATIONS)
+ auto protectedNotification = makeRefPtr(notification);
+
uint64_t notificationID = m_notificationMap.take(notification);
if (!notificationID)
return;
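Review bot: the new `protectedNotification` local at the top of didDestroyNotification() is never read afterwards, so it needs a one-line comment saying it exists only to keep the Notification alive while the map entries are removed. Without that it reads as dead code, and a later cleanup could delete it and reintroduce the use-after-free the log message describes. The log message names m_notificationIDMap as the map whose removal drops the reference, while the first removal visible here is m_notificationMap.take(notification), so the comment should name the map that actually holds the owning reference. The early `return` on a zero notificationID is fine because the RefPtr releases at scope exit. Given the function name, please also confirm that this is never reached from the Notification destructor, where taking a new reference on the object would not be safe.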