Title: [270307] branches/safari-610-branch/Source/WebCore
- Revision
- 270307
- Author
- [email protected]
- Date
- 2020-12-01 09:58:29 -0800 (Tue, 01 Dec 2020)
Log Message
Cherry-pick r269695. rdar://problem/71836652
Protect ScheduledURLNavigation member
https://bugs.webkit.org/show_bug.cgi?id=218593
Patch by Rob Buis <[email protected]> on 2020-11-11
Reviewed by Alex Christensen.
Protect ScheduledURLNavigation member m_url by using a copy since
ScheduledURLNavigation itself is not protected and may be cancelled
(and thus deleted) just at the time it is sending a message to the
UIProcess which encodes the passed m_url member variable.
* loader/NavigationScheduler.cpp:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269695 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-610-branch/Source/WebCore/ChangeLog (270306 => 270307)
--- branches/safari-610-branch/Source/WebCore/ChangeLog 2020-12-01 17:47:08 UTC (rev 270306)
+++ branches/safari-610-branch/Source/WebCore/ChangeLog 2020-12-01 17:58:29 UTC (rev 270307)
@@ -1,3 +1,36 @@
+2020-12-01 Alan Coon <[email protected]>
+
+ Cherry-pick r269695. rdar://problem/71836652
+
+ Protect ScheduledURLNavigation member
+ https://bugs.webkit.org/show_bug.cgi?id=218593
+
+ Patch by Rob Buis <[email protected]> on 2020-11-11
+ Reviewed by Alex Christensen.
+
+ Protect ScheduledURLNavigation member m_url by using a copy since
+ ScheduledURLNavigation itself is not protected and may be cancelled
+ (and thus deleted) just at the time it is sending a message to the
+ UIProcess which encodes the passed m_url member variable.
+
+ * loader/NavigationScheduler.cpp:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269695 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-11-11 Rob Buis <[email protected]>
+
+ Protect ScheduledURLNavigation member
+ https://bugs.webkit.org/show_bug.cgi?id=218593
+
+ Reviewed by Alex Christensen.
+
+ Protect ScheduledURLNavigation member m_url by using a copy since
+ ScheduledURLNavigation itself is not protected and may be cancelled
+ (and thus deleted) just at the time it is sending a message to the
+ UIProcess which encodes the passed m_url member variable.
+
+ * loader/NavigationScheduler.cpp:
+
2020-11-16 Russell Epstein <[email protected]>
Cherry-pick r268979. rdar://problem/71446613
Modified: branches/safari-610-branch/Source/WebCore/loader/NavigationScheduler.cpp (270306 => 270307)
--- branches/safari-610-branch/Source/WebCore/loader/NavigationScheduler.cpp 2020-12-01 17:47:08 UTC (rev 270306)
+++ branches/safari-610-branch/Source/WebCore/loader/NavigationScheduler.cpp 2020-12-01 17:58:29 UTC (rev 270307)
@@ -134,7 +134,8 @@
m_haveToldClient = true;
UserGestureIndicator gestureIndicator(userGestureToForward());
- frame.loader().clientRedirected(m_url, delay(), WallTime::now() + timer.nextFireInterval(), lockBackForwardList());
+ Ref<Frame> protectedFrame(frame);
+ frame.loader().clientRedirected(URL(m_url), delay(), WallTime::now() + timer.nextFireInterval(), lockBackForwardList());
}
void didStopTimer(Frame& frame, NewLoadInProgress newLoadInProgress) override
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
