Title: [146935] trunk/Source
- Revision
- 146935
- Author
- rn...@webkit.org
- Date
- 2013-03-26 15:03:16 -0700 (Tue, 26 Mar 2013)
Log Message
Heap-use-after-free regression
https://bugs.webkit.org/show_bug.cgi?id=113337
Reviewed by Abhishek Arya and Alexey Proskuryakov.
Source/WebCore:
Use RefPtr instead of raw pointer in m_associatedFormControls.
* dom/Document.cpp:
(WebCore::Document::didAssociateFormControlsTimerFired):
* dom/Document.h:
(Document):
* loader/EmptyClients.h:
(WebCore::EmptyChromeClient::didAssociateFormControls):
* page/ChromeClient.h:
(WebCore::ChromeClient::didAssociateFormControls):
Source/WebKit/chromium:
* src/ChromeClientImpl.cpp:
(WebKit::ChromeClientImpl::didAssociateFormControls):
* src/ChromeClientImpl.h:
(ChromeClientImpl):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (146934 => 146935)
--- trunk/Source/WebCore/ChangeLog 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebCore/ChangeLog 2013-03-26 22:03:16 UTC (rev 146935)
@@ -1,3 +1,21 @@
+2013-03-26 Ryosuke Niwa <rn...@webkit.org>
+
+ Heap-use-after-free regression
+ https://bugs.webkit.org/show_bug.cgi?id=113337
+
+ Reviewed by Abhishek Arya and Alexey Proskuryakov.
+
+ Use RefPtr instead of raw pointer in m_associatedFormControls.
+
+ * dom/Document.cpp:
+ (WebCore::Document::didAssociateFormControlsTimerFired):
+ * dom/Document.h:
+ (Document):
+ * loader/EmptyClients.h:
+ (WebCore::EmptyChromeClient::didAssociateFormControls):
+ * page/ChromeClient.h:
+ (WebCore::ChromeClient::didAssociateFormControls):
+
2013-03-26 Alexey Proskuryakov <a...@apple.com>
<rdar://problem/13194263> Crashes in NetworkProcess due to threading issues
Modified: trunk/Source/WebCore/dom/Document.cpp (146934 => 146935)
--- trunk/Source/WebCore/dom/Document.cpp 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebCore/dom/Document.cpp 2013-03-26 22:03:16 UTC (rev 146935)
@@ -6195,7 +6195,7 @@
if (!frame() || !frame()->page())
return;
- Vector<Element*> associatedFormControls;
+ Vector<RefPtr<Element> > associatedFormControls;
copyToVector(m_associatedFormControls, associatedFormControls);
frame()->page()->chrome()->client()->didAssociateFormControls(associatedFormControls);
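Review bot: The early return on `!frame() || !frame()->page()` leaves `m_associatedFormControls` untouched, and after this change its entries are owning references rather than raw pointers. The rest of didAssociateFormControlsTimerFired is outside the hunk, so the set may be cleared after the client call, but nothing visible releases it on the early-return path. Elements queued for a document that has lost its frame could then stay alive for as long as the document does. Consider releasing them there with `m_associatedFormControls.clear();` before the `return;`. The log message lists no regression test for bug 113337, so one that removes a form control before the timer fires would pin the fix.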
Modified: trunk/Source/WebCore/dom/Document.h (146934 => 146935)
--- trunk/Source/WebCore/dom/Document.h 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebCore/dom/Document.h 2013-03-26 22:03:16 UTC (rev 146935)
@@ -1599,7 +1599,7 @@
#endif
Timer<Document> m_didAssociateFormControlsTimer;
- HashSet<Element*> m_associatedFormControls;
+ HashSet<RefPtr<Element> > m_associatedFormControls;
};
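Review bot: The declaration of `m_associatedFormControls` carries no comment explaining why the set owns its elements, although ownership is the entire fix. Without it, a later cleanup could turn the member back into `HashSet<Element*>` and reintroduce the use-after-free. A line above the declaration such as `// Owning references: an element can be removed and destroyed before m_didAssociateFormControlsTimer fires.` would record the intent. This lifetime reasoning is inferred from the log message and the timer member next to it, since the code that fills the set is not in the hunk.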
Modified: trunk/Source/WebCore/loader/EmptyClients.h (146934 => 146935)
--- trunk/Source/WebCore/loader/EmptyClients.h 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebCore/loader/EmptyClients.h 2013-03-26 22:03:16 UTC (rev 146935)
@@ -209,7 +209,7 @@
virtual bool isEmptyChromeClient() const { return true; }
- virtual void didAssociateFormControls(const Vector<Element*>&) { }
+ virtual void didAssociateFormControls(const Vector<RefPtr<Element> >&) { }
virtual bool shouldNotifyOnFormChanges() { return false; }
};
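Review bot: A subclass that still declares the old signature will silently stop overriding, because the new `didAssociateFormControls(const Vector<RefPtr<Element> >&)` here and in page/ChromeClient.h has an empty default body. Such a subclass compiles cleanly but is never called, and only declarations marked `OVERRIDE`, like the one in ChromeClientImpl.h, turn the mismatch into a build error. Marking this one the same way, `virtual void didAssociateFormControls(const Vector<RefPtr<Element> >&) OVERRIDE { }`, would catch the next signature change, assuming the macro is usable in this header. It is also worth checking the other ports' ChromeClient subclasses for a leftover `Vector<Element*>` overload.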
Modified: trunk/Source/WebCore/page/ChromeClient.h (146934 => 146935)
--- trunk/Source/WebCore/page/ChromeClient.h 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebCore/page/ChromeClient.h 2013-03-26 22:03:16 UTC (rev 146935)
@@ -382,7 +382,7 @@
// FIXME: Port should return true using heuristic based on scrollable(RenderBox).
virtual bool shouldAutoscrollForDragAndDrop(RenderBox*) const { return false; }
- virtual void didAssociateFormControls(const Vector<Element*>&) { };
+ virtual void didAssociateFormControls(const Vector<RefPtr<Element> >&) { };
virtual bool shouldNotifyOnFormChanges() { return false; };
protected:
Modified: trunk/Source/WebKit/chromium/ChangeLog (146934 => 146935)
--- trunk/Source/WebKit/chromium/ChangeLog 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebKit/chromium/ChangeLog 2013-03-26 22:03:16 UTC (rev 146935)
@@ -1,3 +1,15 @@
+2013-03-26 Ryosuke Niwa <rn...@webkit.org>
+
+ Heap-use-after-free regression
+ https://bugs.webkit.org/show_bug.cgi?id=113337
+
+ Reviewed by Abhishek Arya and Alexey Proskuryakov.
+
+ * src/ChromeClientImpl.cpp:
+ (WebKit::ChromeClientImpl::didAssociateFormControls):
+ * src/ChromeClientImpl.h:
+ (ChromeClientImpl):
+
2013-03-26 Tony Chang <t...@chromium.org>
Autogenerate the scrollAnimatorEnabled setting in Settings.in
Modified: trunk/Source/WebKit/chromium/src/ChromeClientImpl.cpp (146934 => 146935)
--- trunk/Source/WebKit/chromium/src/ChromeClientImpl.cpp 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebKit/chromium/src/ChromeClientImpl.cpp 2013-03-26 22:03:16 UTC (rev 146935)
@@ -1145,7 +1145,7 @@
}
#endif
-void ChromeClientImpl::didAssociateFormControls(const Vector<Element*>& elements)
+void ChromeClientImpl::didAssociateFormControls(const Vector<RefPtr<Element> >& elements)
{
if (!m_webView->autofillClient())
return;
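Review bot: The new parameter type keeps each element alive only while the caller's vector exists, and nothing at the definition of ChromeClientImpl::didAssociateFormControls says so. The body continues outside the hunk, so how `elements` is handed to the autofill client is not visible. If anything in it keeps a raw `Element*` past the call, the same lifetime problem moves one layer down. A short comment at the top of the function would help, for example `// |elements| are kept alive by the caller only for the duration of this call; take a reference before storing any of them.`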
Modified: trunk/Source/WebKit/chromium/src/ChromeClientImpl.h (146934 => 146935)
--- trunk/Source/WebKit/chromium/src/ChromeClientImpl.h 2013-03-26 21:46:47 UTC (rev 146934)
+++ trunk/Source/WebKit/chromium/src/ChromeClientImpl.h 2013-03-26 22:03:16 UTC (rev 146935)
@@ -234,7 +234,7 @@
virtual bool isPointerLocked();
#endif
- virtual void didAssociateFormControls(const Vector<WebCore::Element*>&) OVERRIDE;
+ virtual void didAssociateFormControls(const Vector<RefPtr<WebCore::Element> >&) OVERRIDE;
virtual bool shouldNotifyOnFormChanges() OVERRIDE;
private: