Title: [170224] trunk/Source/WebCore
Revision
170224
Author
[email protected]
Date
2014-06-20 16:44:01 -0700 (Fri, 20 Jun 2014)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=134117
Unreproducible crashes under WebCore::ScrollingTree::updateTreeFromStateNode() 
from messaging a deleted Obj-C object
-and corresponding-
<rdar://problem/17149252>

Reviewed by Simon Fraser.

This is a speculative fix. It makes LayerRepresentation retain m_platformLayer.

* WebCore.exp.in:
* page/scrolling/ScrollingStateNode.h:
(WebCore::LayerRepresentation::LayerRepresentation):
(WebCore::LayerRepresentation::~LayerRepresentation):
(WebCore::LayerRepresentation::operator=):
(WebCore::LayerRepresentation::operator==):
(WebCore::LayerRepresentation::operator ==): Deleted.

Make this ASSERT an ASSERT_WITH_SECURITY_IMPLICATION
* page/scrolling/ScrollingTree.cpp:
(WebCore::ScrollingTree::updateTreeFromStateNode):

Moved ScrollingStateNodeMac.mm, which was empty anyway, to cocoa/
ScrollingStateNode.mm so that iOS can use it too.
* page/scrolling/cocoa: Added.
* page/scrolling/cocoa/ScrollingStateNode.mm: Copied from page/scrolling/mac/ScrollingStateNodeMac.mm.

Actual implementation for retain and release.
(WebCore::LayerRepresentation::retainPlatformLayer):
(WebCore::LayerRepresentation::releasePlatformLayer):

Deleted.
* page/scrolling/mac/ScrollingStateNodeMac.mm: Removed.

Modified Paths

Added Paths

Removed Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (170223 => 170224)


--- trunk/Source/WebCore/ChangeLog	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/ChangeLog	2014-06-20 23:44:01 UTC (rev 170224)
@@ -1,3 +1,39 @@
+2014-06-20  Beth Dakin  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=134117
+        Unreproducible crashes under WebCore::ScrollingTree::updateTreeFromStateNode() 
+        from messaging a deleted Obj-C object
+        -and corresponding-
+        <rdar://problem/17149252>
+
+        Reviewed by Simon Fraser.
+
+        This is a speculative fix. It makes LayerRepresentation retain m_platformLayer.
+
+        * WebCore.exp.in:
+        * page/scrolling/ScrollingStateNode.h:
+        (WebCore::LayerRepresentation::LayerRepresentation):
+        (WebCore::LayerRepresentation::~LayerRepresentation):
+        (WebCore::LayerRepresentation::operator=):
+        (WebCore::LayerRepresentation::operator==):
+        (WebCore::LayerRepresentation::operator ==): Deleted.
+
+        Make this ASSERT an ASSERT_WITH_SECURITY_IMPLICATION
+        * page/scrolling/ScrollingTree.cpp:
+        (WebCore::ScrollingTree::updateTreeFromStateNode):
+
+        Moved ScrollingStateNodeMac.mm, which was empty anyway, to cocoa/
+        ScrollingStateNode.mm so that iOS can use it too.
+        * page/scrolling/cocoa: Added.
+        * page/scrolling/cocoa/ScrollingStateNode.mm: Copied from page/scrolling/mac/ScrollingStateNodeMac.mm.
+
+        Actual implementation for retain and release.
+        (WebCore::LayerRepresentation::retainPlatformLayer):
+        (WebCore::LayerRepresentation::releasePlatformLayer):
+
+        Deleted.
+        * page/scrolling/mac/ScrollingStateNodeMac.mm: Removed.
+
 2014-06-19  Zalan Bujtas  <[email protected]>
 
         Introduce RenderLayer::offsetFromAncestorLayer() to make convertToLayerCoords() calls with

Modified: trunk/Source/WebCore/WebCore.exp.in (170223 => 170224)


--- trunk/Source/WebCore/WebCore.exp.in	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/WebCore.exp.in	2014-06-20 23:44:01 UTC (rev 170224)
@@ -805,6 +805,8 @@
 __ZN7WebCore19LayerFlushSchedulerC2EPNS_25LayerFlushSchedulerClientE
 __ZN7WebCore19LayerFlushSchedulerD1Ev
 __ZN7WebCore19LayerFlushSchedulerD2Ev
+__ZN7WebCore19LayerRepresentation19retainPlatformLayerEP7CALayer
+__ZN7WebCore19LayerRepresentation20releasePlatformLayerEP7CALayer
 __ZN7WebCore19MediaSessionManager12removeClientEPNS_25MediaSessionManagerClientE
 __ZN7WebCore19MediaSessionManager12restrictionsENS_12MediaSession9MediaTypeE
 __ZN7WebCore19MediaSessionManager13sharedManagerEv

Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (170223 => 170224)


--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj	2014-06-20 23:44:01 UTC (rev 170224)
@@ -3125,7 +3125,6 @@
 		931CBD0F161A44E900E4C874 /* ScrollingStateScrollingNode.h in Headers */ = {isa = PBXBuildFile; fileRef = 931CBD09161A44E900E4C874 /* ScrollingStateScrollingNode.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		931CBD10161A44E900E4C874 /* ScrollingStateTree.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 931CBD0A161A44E900E4C874 /* ScrollingStateTree.cpp */; };
 		931CBD11161A44E900E4C874 /* ScrollingStateTree.h in Headers */ = {isa = PBXBuildFile; fileRef = 931CBD0B161A44E900E4C874 /* ScrollingStateTree.h */; settings = {ATTRIBUTES = (Private, ); }; };
-		931CBD13161A44F800E4C874 /* ScrollingStateNodeMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = 931CBD12161A44F800E4C874 /* ScrollingStateNodeMac.mm */; };
 		931D72F615FE695300C4C07E /* LayoutMilestones.h in Headers */ = {isa = PBXBuildFile; fileRef = 931D72F515FE695300C4C07E /* LayoutMilestones.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		9326DC0C09DAD5D600AFC847 /* CharsetData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 656581AC09D14EE6000E61D7 /* CharsetData.cpp */; };
 		9327A94209968D1A0068A546 /* HTMLOptionsCollection.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9327A94109968D1A0068A546 /* HTMLOptionsCollection.cpp */; };
@@ -3311,6 +3310,7 @@
 		93EB355F09E37FD600F43799 /* MouseEventWithHitTestResults.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 93EB355E09E37FD600F43799 /* MouseEventWithHitTestResults.cpp */; };
 		93EC44A1188F4BB800661DF1 /* WheelEventDeltaTracker.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 93EC449F188F4BB800661DF1 /* WheelEventDeltaTracker.cpp */; };
 		93EC44A2188F4BB800661DF1 /* WheelEventDeltaTracker.h in Headers */ = {isa = PBXBuildFile; fileRef = 93EC44A0188F4BB800661DF1 /* WheelEventDeltaTracker.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		93EF7D551954F13900DFB71D /* ScrollingStateNode.mm in Sources */ = {isa = PBXBuildFile; fileRef = 93EF7D541954E98F00DFB71D /* ScrollingStateNode.mm */; };
 		93F198E508245E59001E9ABC /* HTMLDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = F523D23C02DE4396018635CA /* HTMLDocument.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		93F198E608245E59001E9ABC /* HTMLElement.h in Headers */ = {isa = PBXBuildFile; fileRef = F523D23F02DE4396018635CA /* HTMLElement.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		93F198F608245E59001E9ABC /* TextResourceDecoder.h in Headers */ = {isa = PBXBuildFile; fileRef = F523D27902DE43D7018635CA /* TextResourceDecoder.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -10216,7 +10216,6 @@
 		931CBD09161A44E900E4C874 /* ScrollingStateScrollingNode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScrollingStateScrollingNode.h; sourceTree = "<group>"; };
 		931CBD0A161A44E900E4C874 /* ScrollingStateTree.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScrollingStateTree.cpp; sourceTree = "<group>"; };
 		931CBD0B161A44E900E4C874 /* ScrollingStateTree.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScrollingStateTree.h; sourceTree = "<group>"; };
-		931CBD12161A44F800E4C874 /* ScrollingStateNodeMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ScrollingStateNodeMac.mm; sourceTree = "<group>"; };
 		931D72F515FE695300C4C07E /* LayoutMilestones.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LayoutMilestones.h; sourceTree = "<group>"; };
 		9327A94109968D1A0068A546 /* HTMLOptionsCollection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLOptionsCollection.cpp; sourceTree = "<group>"; };
 		932871BF0B20DEB70049035A /* PlatformMenuDescription.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = PlatformMenuDescription.h; sourceTree = "<group>"; };
@@ -10430,6 +10429,7 @@
 		93EEC1F509C2877700C515D1 /* ProcessingInstruction.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ProcessingInstruction.idl; sourceTree = "<group>"; };
 		93EEC1F609C2877700C515D1 /* Text.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Text.idl; sourceTree = "<group>"; };
 		93EEC1F709C2877700C515D1 /* WheelEvent.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = WheelEvent.idl; sourceTree = "<group>"; };
+		93EF7D541954E98F00DFB71D /* ScrollingStateNode.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ScrollingStateNode.mm; sourceTree = "<group>"; };
 		93F19B1908245E59001E9ABC /* Info.plist */ = {isa = PBXFileReference; indentWidth = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; };
 		93F19B1A08245E5A001E9ABC /* WebCore.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = WebCore.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		93F1D31A0558CC5C00821BC0 /* libicucore.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libicucore.dylib; path = /usr/lib/libicucore.dylib; sourceTree = "<absolute>"; };
@@ -15033,6 +15033,7 @@
 		1AF62EE114DA22A70041556C /* scrolling */ = {
 			isa = PBXGroup;
 			children = (
+				93EF7D531954E98F00DFB71D /* cocoa */,
 				0FC4E406187F82D30045882C /* ios */,
 				1AF62EE214DA22A70041556C /* mac */,
 				0FFD4D5E18651FA300512F6E /* AsyncScrollingCoordinator.cpp */,
@@ -15078,7 +15079,6 @@
 			children = (
 				9391A990162746CB00297330 /* ScrollingCoordinatorMac.h */,
 				1AF62EE314DA22A70041556C /* ScrollingCoordinatorMac.mm */,
-				931CBD12161A44F800E4C874 /* ScrollingStateNodeMac.mm */,
 				0FA88EBC16A8D1BD00F99984 /* ScrollingStateFrameScrollingNodeMac.mm */,
 				1AF62F2314DAFE910041556C /* ScrollingThreadMac.mm */,
 				93C38C01164473DD00091EB2 /* ScrollingTreeFixedNode.h */,
@@ -17856,6 +17856,14 @@
 			tabWidth = 4;
 			usesTabs = 0;
 		};
+		93EF7D531954E98F00DFB71D /* cocoa */ = {
+			isa = PBXGroup;
+			children = (
+				93EF7D541954E98F00DFB71D /* ScrollingStateNode.mm */,
+			);
+			path = cocoa;
+			sourceTree = "<group>";
+		};
 		971145FE14EF006E00674FD9 /* Modules */ = {
 			isa = PBXGroup;
 			children = (
@@ -27694,6 +27702,7 @@
 				A17C81220F2A5CF7005DAAEB /* HTMLElementFactory.cpp in Sources */,
 				977B37231228721700B81FF8 /* HTMLElementStack.cpp in Sources */,
 				A871D45F0A127CBC00B12A68 /* HTMLEmbedElement.cpp in Sources */,
+				93EF7D551954F13900DFB71D /* ScrollingStateNode.mm in Sources */,
 				977B3869122883E900B81FF8 /* HTMLEntityParser.cpp in Sources */,
 				977B386B122883E900B81FF8 /* HTMLEntitySearch.cpp in Sources */,
 				A8BC04921214F69600B5F122 /* HTMLEntityTable.cpp in Sources */,
@@ -29127,7 +29136,6 @@
 				1AF62EE614DA22A70041556C /* ScrollingCoordinatorMac.mm in Sources */,
 				93C38BFE164473C700091EB2 /* ScrollingStateFixedNode.cpp in Sources */,
 				931CBD0C161A44E900E4C874 /* ScrollingStateNode.cpp in Sources */,
-				931CBD13161A44F800E4C874 /* ScrollingStateNodeMac.mm in Sources */,
 				931CBD0E161A44E900E4C874 /* ScrollingStateScrollingNode.cpp in Sources */,
 				0FA88EBD16A8D1BD00F99984 /* ScrollingStateFrameScrollingNodeMac.mm in Sources */,
 				0FB8890E167D30160010CDA5 /* ScrollingStateStickyNode.cpp in Sources */,

Modified: trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h (170223 => 170224)


--- trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/page/scrolling/ScrollingStateNode.h	2014-06-20 23:44:01 UTC (rev 170224)
@@ -71,14 +71,32 @@
         : m_platformLayer(platformLayer)
         , m_layerID(0)
         , m_representation(PlatformLayerRepresentation)
-    { }
+    {
+        retainPlatformLayer(platformLayer);
+    }
 
     LayerRepresentation(GraphicsLayer::PlatformLayerID layerID)
         : m_graphicsLayer(nullptr)
         , m_layerID(layerID)
         , m_representation(PlatformLayerIDRepresentation)
-    { }
-    
+    {
+    }
+
+    LayerRepresentation(const LayerRepresentation& other)
+        : m_platformLayer(other.m_platformLayer)
+        , m_layerID(other.m_layerID)
+        , m_representation(other.m_representation)
+    {
+        if (m_representation == PlatformLayerRepresentation)
+            retainPlatformLayer(m_platformLayer);
+    }
+
+    ~LayerRepresentation()
+    {
+        if (m_representation == PlatformLayerRepresentation)
+            releasePlatformLayer(m_platformLayer);
+    }
+
     operator GraphicsLayer*() const
     {
         ASSERT(m_representation == GraphicsLayerRepresentation);
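Review bot: The new copy constructor reads `other.m_platformLayer` unconditionally even when `other` is a GraphicsLayer or layer-ID representation, i.e. it copies through a union member that is not the active one; that works in practice because both arms are pointers of the same size, but nothing in the header says so, and the retain on the next line is the only thing that distinguishes an owned CALayer from a borrowed pointer. A short comment above the copy constructor would make the ownership rule explicit, for example `// m_platformLayer aliases the whole union; only the PlatformLayerRepresentation case owns (retains) what it points to.`. Note also that there is no move constructor, so every copy of a platform-layer representation is a retain/release pair — fine for correctness, worth documenting as intended. The class header and the GraphicsLayer constructor start above this hunk.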
@@ -101,9 +119,21 @@
         ASSERT(m_representation != PlatformLayerRepresentation);
         return m_layerID;
     }
-    
-    bool operator ==(const LayerRepresentation& other) const
+
+    LayerRepresentation& operator=(const LayerRepresentation& other)
     {
+        m_platformLayer = other.m_platformLayer;
+        m_layerID = other.m_layerID;
+        m_representation = other.m_representation;
+
+        if (m_representation == PlatformLayerRepresentation)
+            retainPlatformLayer(m_platformLayer);
+
+        return *this;
+    }
+
+    bool operator==(const LayerRepresentation& other) const
+    {
         if (m_representation != other.m_representation)
             return false;
         switch (m_representation) {
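Review bot: The new `operator=` overwrites `m_platformLayer` without releasing the CALayer the object currently holds, so assigning to a `LayerRepresentation` that already owns a retained platform layer leaks that layer (the destructor in the previous hunk will only release the new one), and self-assignment of a platform-layer representation retains the same layer a second time. The usual fix is to retain the incoming layer first, then release the current one, then copy the fields; retain-before-release makes self-assignment and aliasing safe without a separate `this == &other` check. The rewritten operator is below; `operator==` and the rest of the class are unchanged and the class continues past this hunk.
```cpp
    LayerRepresentation& operator=(const LayerRepresentation& other)
    {
        // Retain the incoming layer before releasing the current one so that
        // self-assignment (or assignment from an alias of the same CALayer)
        // can never drop the last reference, and the old layer is not leaked.
        if (other.m_representation == PlatformLayerRepresentation)
            retainPlatformLayer(other.m_platformLayer);
        if (m_representation == PlatformLayerRepresentation)
            releasePlatformLayer(m_platformLayer);

        m_platformLayer = other.m_platformLayer;
        m_layerID = other.m_layerID;
        m_representation = other.m_representation;

        return *this;
    }
    // … unchanged: operator== …
```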
@@ -141,6 +171,9 @@
     bool representsPlatformLayerID() const { return m_representation == PlatformLayerIDRepresentation; }
     
 private:
+    void retainPlatformLayer(PlatformLayer*);
+    void releasePlatformLayer(PlatformLayer*);
+
     union {
         GraphicsLayer* m_graphicsLayer;
         PlatformLayer *m_platformLayer;
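Review bot: `retainPlatformLayer` and `releasePlatformLayer` are declared here with no platform guard, yet the only definitions this commit adds live in `page/scrolling/cocoa/ScrollingStateNode.mm`, and the inline constructor, copy constructor, destructor and `operator=` above all call them; any other port that builds this header with `ENABLE(ASYNC_SCROLLING)` and constructs a platform-layer representation would presumably fail to link — worth confirming against the other ports' build files, which are not in this diff. Either guard the declarations and the calls consistently, or add a comment stating the contract, e.g. `// Out-of-line so the header stays plain C++; each port with ASYNC_SCROLLING must provide these.`. The union that follows is the storage these two functions manage; the class continues outside the hunk.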

Modified: trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp (170223 => 170224)


--- trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp	2014-06-20 23:44:01 UTC (rev 170224)
@@ -184,7 +184,7 @@
 
     if (parentNodeID) {
         auto parentIt = m_nodeMap.find(parentNodeID);
-        ASSERT(parentIt != m_nodeMap.end());
+        ASSERT_WITH_SECURITY_IMPLICATION(parentIt != m_nodeMap.end());
         if (parentIt != m_nodeMap.end()) {
             ScrollingTreeNode* parent = parentIt->value;
             node->setParent(parent);

Copied: trunk/Source/WebCore/page/scrolling/cocoa/ScrollingStateNode.mm (from rev 170206, trunk/Source/WebCore/page/scrolling/mac/ScrollingStateNodeMac.mm) (0 => 170224)


--- trunk/Source/WebCore/page/scrolling/cocoa/ScrollingStateNode.mm	                        (rev 0)
+++ trunk/Source/WebCore/page/scrolling/cocoa/ScrollingStateNode.mm	2014-06-20 23:44:01 UTC (rev 170224)
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ScrollingStateNode.h"
+
+#include "GraphicsLayer.h"
+#include "ScrollingStateTree.h"
+
+#if ENABLE(ASYNC_SCROLLING)
+
+namespace WebCore {
+
+void LayerRepresentation::retainPlatformLayer(PlatformLayer* layer)
+{
+    [layer retain];
+}
+
+void LayerRepresentation::releasePlatformLayer(PlatformLayer* layer)
+{
+    [layer release];
+}
+
+} // namespace WebCore
+
+#endif // ENABLE(ASYNC_SCROLLING)
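Review bot: The two new functions carry no comment explaining why the retain/release live in a separate Objective-C++ file rather than in the header that declares them; a reader of the header alone cannot tell that the split is what keeps `ScrollingStateNode.h` free of Objective-C syntax. A one-line comment above `retainPlatformLayer` such as `// Kept out of the header so it can be included from plain C++ translation units; messaging nil is a no-op, so a null layer is safe here.` would capture both the reason for the file and the nil-safety the callers in the header implicitly rely on. The mangled names added to `WebCore.exp.in` show `PlatformLayer` is `CALayer` on this platform, which could also be stated here for anyone reading the `.mm` in isolation.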

Deleted: trunk/Source/WebCore/page/scrolling/mac/ScrollingStateNodeMac.mm (170223 => 170224)


--- trunk/Source/WebCore/page/scrolling/mac/ScrollingStateNodeMac.mm	2014-06-20 23:40:21 UTC (rev 170223)
+++ trunk/Source/WebCore/page/scrolling/mac/ScrollingStateNodeMac.mm	2014-06-20 23:44:01 UTC (rev 170224)
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "ScrollingStateNode.h"
-
-#include "GraphicsLayer.h"
-#include "ScrollingStateTree.h"
-
-#if ENABLE(ASYNC_SCROLLING)
-
-namespace WebCore {
-
-} // namespace WebCore
-
-#endif // ENABLE(ASYNC_SCROLLING)