[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

mitz at apple.com mitz at apple.com
Sun Feb 20 22:54:58 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit 37aadf5936e8cca6399af8c7c0b53db47837c9c5
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Jan 13 18:21:15 2011 +0000

    <rdar://problem/8098442> Crash in Widget::setFrameRect()
    https://bugs.webkit.org/show_bug.cgi?id=52375
    
    Reviewed by Simon Fraser.
    
    Source/WebCore:
    
    Test: plugins/destroy-on-setwindow.html
    
    * platform/mac/WidgetMac.mm:
    (WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
    out to the view.
    (WebCore::Widget::getOuterView): Coding style fix.
    (WebCore::Widget::paint): Protect the Widget from being deleted as a result of calling out to
    the views. This is precautionary, since this function does not applear to access member variables
    after such calls.
    * platform/wx/WidgetWx.cpp:
    (WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
    out to the platform widget.
    
    LayoutTests:
    
    * plugins/destroy-on-setwindow-expected.txt: Added.
    * plugins/destroy-on-setwindow.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75720 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d3cb36b..cfdaa2f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-01-13  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/8098442> Crash in Widget::setFrameRect()
+        https://bugs.webkit.org/show_bug.cgi?id=52375
+
+        * plugins/destroy-on-setwindow-expected.txt: Added.
+        * plugins/destroy-on-setwindow.html: Added.
+
 2011-01-13  Tony Chang  <tony at chromium.org>
 
         Reviewed by Kent Tamura.
diff --git a/LayoutTests/plugins/destroy-on-setwindow-expected.txt b/LayoutTests/plugins/destroy-on-setwindow-expected.txt
new file mode 100644
index 0000000..cabf6b6
--- /dev/null
+++ b/LayoutTests/plugins/destroy-on-setwindow-expected.txt
@@ -0,0 +1,3 @@
+Test that a plug-in that causes its Widget to be destroyed during setWindow does not cause a crash.
+
+
diff --git a/LayoutTests/plugins/destroy-on-setwindow.html b/LayoutTests/plugins/destroy-on-setwindow.html
new file mode 100644
index 0000000..9976ed4
--- /dev/null
+++ b/LayoutTests/plugins/destroy-on-setwindow.html
@@ -0,0 +1,23 @@
+<p>
+    Test that a plug-in that causes its Widget to be destroyed during setWindow does not cause a crash.
+</p>
+<embed id="plug-in" type="application/x-webkit-test-netscape" onSetWindow="handleSetWindow()">
+<script>
+    var plugIn = document.getElementById("plug-in");
+    var count = 0;
+
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    function handleSetWindow()
+    {
+        count++;
+
+        if (count == 2)
+            plugIn.style.width = "500px";
+        else if (count == 3)
+            plugIn.parentNode.removeChild(plugIn);
+    }
+
+    handleSetWindow();
+</script>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 6acb9b8..b8492b7 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2011-01-13  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/8098442> Crash in Widget::setFrameRect()
+        https://bugs.webkit.org/show_bug.cgi?id=52375
+
+        Test: plugins/destroy-on-setwindow.html
+
+        * platform/mac/WidgetMac.mm:
+        (WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
+        out to the view.
+        (WebCore::Widget::getOuterView): Coding style fix.
+        (WebCore::Widget::paint): Protect the Widget from being deleted as a result of calling out to
+        the views. This is precautionary, since this function does not applear to access member variables
+        after such calls.
+        * platform/wx/WidgetWx.cpp:
+        (WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
+        out to the platform widget.
+
 2011-01-13  Csaba Osztrogonác  <ossy at webkit.org>
 
         Unreviewed buildfix after r75715.
diff --git a/Source/WebCore/platform/mac/WidgetMac.mm b/Source/WebCore/platform/mac/WidgetMac.mm
index e8bb81d..2c1b52f 100644
--- a/Source/WebCore/platform/mac/WidgetMac.mm
+++ b/Source/WebCore/platform/mac/WidgetMac.mm
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006, 2008, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2008, 2010, 2011 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -170,25 +170,29 @@ void Widget::setFrameRect(const IntRect& rect)
     m_frame = rect;
 
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
-    NSView *v = getOuterView();
-    if (!v)
+    NSView *outerView = getOuterView();
+    if (!outerView)
         return;
 
-    NSRect visibleRect = [v visibleRect];
+    // Take a reference to this Widget, because sending messages to outerView can invoke arbitrary
+    // code, which can deref it.
+    RefPtr<Widget> protectedThis(this);
+
+    NSRect visibleRect = [outerView visibleRect];
     NSRect f = rect;
-    if (!NSEqualRects(f, [v frame])) {
-        [v setFrame:f];
-        [v setNeedsDisplay:NO];
-    } else if (!NSEqualRects(visibleRect, m_data->previousVisibleRect) && [v respondsToSelector:@selector(visibleRectDidChange)])
-        [v visibleRectDidChange];
+    if (!NSEqualRects(f, [outerView frame])) {
+        [outerView setFrame:f];
+        [outerView setNeedsDisplay:NO];
+    } else if (!NSEqualRects(visibleRect, m_data->previousVisibleRect) && [outerView respondsToSelector:@selector(visibleRectDidChange)])
+        [outerView visibleRectDidChange];
 
     m_data->previousVisibleRect = visibleRect;
     END_BLOCK_OBJC_EXCEPTIONS;
 }
 
-NSView* Widget::getOuterView() const
+NSView *Widget::getOuterView() const
 {
-    NSView* view = platformWidget();
+    NSView *view = platformWidget();
 
     // If this widget's view is a WebCoreFrameScrollView then we
     // resize its containing view, a WebFrameView.
@@ -205,6 +209,11 @@ void Widget::paint(GraphicsContext* p, const IntRect& r)
     if (p->paintingDisabled())
         return;
     NSView *view = getOuterView();
+
+    // Take a reference to this Widget, because sending messages to the views can invoke arbitrary
+    // code, which can deref it.
+    RefPtr<Widget> protectedThis(this);
+
     NSGraphicsContext *currentContext = [NSGraphicsContext currentContext];
     if (currentContext == [[view window] graphicsContext] || ![currentContext isDrawingToScreen]) {
         // This is the common case of drawing into a window or printing.
@@ -261,6 +270,7 @@ void Widget::paint(GraphicsContext* p, const IntRect& r)
 void Widget::setIsSelected(bool isSelected)
 {
     NSView *view = platformWidget();
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
     if ([view respondsToSelector:@selector(webPlugInSetIsSelected:)])
         [view webPlugInSetIsSelected:isSelected];
diff --git a/Source/WebCore/platform/wx/WidgetWx.cpp b/Source/WebCore/platform/wx/WidgetWx.cpp
index 9de4c3d..7591a5b 100644
--- a/Source/WebCore/platform/wx/WidgetWx.cpp
+++ b/Source/WebCore/platform/wx/WidgetWx.cpp
@@ -80,6 +80,10 @@ IntRect Widget::frameRect() const
 
 void Widget::setFrameRect(const IntRect& rect)
 {
+    // Take a reference to this Widget, because calling functions of the PlatformWidget can invoke arbitrary
+    // code, which can deref it.
+    RefPtr<Widget> protectedThis(this);
+
     if (PlatformWidget widget = platformWidget())
         widget->SetSize(rect);
     

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list