[webkit-changes] [289567] trunk/Source/WebCore

[commit-queue]

Title: [289567] trunk/Source/WebCore

Revision

289567

Author

commit-qu...@webkit.org

Date

2022-02-10 12:23:37 -0800 (Thu, 10 Feb 2022)

Log Message

Crash in in WebCore::CSSStyleSheet::didMutateRules
https://bugs.webkit.org/show_bug.cgi?id=236450

Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2022-02-10
Reviewed by Antti Koivisto.

Replace the raw pointer rule in RuleMutationScope with a RefPtr so it can be accessible
for the scope.

* css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::RuleMutationScope::~RuleMutationScope):
* css/CSSStyleSheet.h:

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/css/CSSStyleSheet.cpp
• trunk/Source/WebCore/css/CSSStyleSheet.h

Diff

Modified: trunk/Source/WebCore/ChangeLog (289566 => 289567)

--- trunk/Source/WebCore/ChangeLog	2022-02-10 20:13:19 UTC (rev 289566)
+++ trunk/Source/WebCore/ChangeLog	2022-02-10 20:23:37 UTC (rev 289567)
@@ -1,3 +1,17 @@
+2022-02-10  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        Crash in in WebCore::CSSStyleSheet::didMutateRules
+        https://bugs.webkit.org/show_bug.cgi?id=236450
+
+        Reviewed by Antti Koivisto.
+
+        Replace the raw pointer rule in RuleMutationScope with a RefPtr so it can be accessible 
+        for the scope.
+
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::RuleMutationScope::~RuleMutationScope):
+        * css/CSSStyleSheet.h:
+
 2022-02-10  Tim Nguyen  <n...@apple.com>
 
         Unreviewed, update BundleResourceLoader WorkQueue identifier

Modified: trunk/Source/WebCore/css/CSSStyleSheet.cpp (289566 => 289567)

--- trunk/Source/WebCore/css/CSSStyleSheet.cpp	2022-02-10 20:13:19 UTC (rev 289566)
+++ trunk/Source/WebCore/css/CSSStyleSheet.cpp	2022-02-10 20:23:37 UTC (rev 289567)
@@ -418,7 +418,7 @@
 CSSStyleSheet::RuleMutationScope::~RuleMutationScope()
 {
     if (m_styleSheet)
-        m_styleSheet->didMutateRules(m_mutationType, m_contentsWereClonedForMutation, m_insertedKeyframesRule, m_modifiedKeyframesRuleName);
+        m_styleSheet->didMutateRules(m_mutationType, m_contentsWereClonedForMutation, m_insertedKeyframesRule.get(), m_modifiedKeyframesRuleName);
 }
 
 }

Modified: trunk/Source/WebCore/css/CSSStyleSheet.h (289566 => 289567)

--- trunk/Source/WebCore/css/CSSStyleSheet.h	2022-02-10 20:13:19 UTC (rev 289566)
+++ trunk/Source/WebCore/css/CSSStyleSheet.h	2022-02-10 20:23:37 UTC (rev 289567)
@@ -109,7 +109,7 @@
         CSSStyleSheet* m_styleSheet;
         RuleMutationType m_mutationType;
         WhetherContentsWereClonedForMutation m_contentsWereClonedForMutation;
-        StyleRuleKeyframes* m_insertedKeyframesRule;
+        RefPtr<StyleRuleKeyframes> m_insertedKeyframesRule;
         String m_modifiedKeyframesRuleName;
     };
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes