Issue 25004008: Harden FrameSelection methods against JS running inside recalcStyle

Issue 25004008: Harden FrameSelection methods against JS running inside recalcStyle (Closed)

Created:
7 years, 2 months ago by esprehn

Modified:
7 years, 2 months ago

Reviewers:
abarth-chromium, eseidel, inferno

CC:
blink-reviews, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

Harden FrameSelection methods against JS running inside recalcStyle RenderView::selectionBounds and repaintSelection both call into updateStyleIfNeeded which is not safe since the JS that can run as the result of the recalcStyle can free the RenderView. Instead FrameSelection should be doing this and adding the needed RefPtrs to ensure it doesn't use free'd FrameViews or RenderViews. Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=159575

Patch Set 1 #

Total comments: 2

Patch Set 2 : fix build #

Created: 7 years, 2 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+13 lines, -11 lines)			Patch
	M	Source/core/editing/FrameSelection.cpp	View	1	4 chunks	+13 lines, -7 lines	0 comments	Download
	M	Source/core/rendering/RenderView.cpp	View	1	2 chunks	+0 lines, -4 lines	0 comments	Download

Messages

Total messages: 11 (0 generated)

Expand Messages | Collapse Messages

esprehn

FrameSelection is scary and full of unsafe code. I don't have good test cases for ...

7 years, 2 months ago (2013-09-27 22:44:53 UTC) #1

abarth-chromium

https://codereview.chromium.org/25004008/diff/1/Source/core/editing/FrameSelection.cpp File Source/core/editing/FrameSelection.cpp (left): https://codereview.chromium.org/25004008/diff/1/Source/core/editing/FrameSelection.cpp#oldcode1558 Source/core/editing/FrameSelection.cpp:1558: if (RenderView* view = m_frame->document()->renderView()) Should we bail out ...

7 years, 2 months ago (2013-09-27 22:55:00 UTC) #2

esprehn

On 2013/09/27 22:55:00, abarth wrote: > https://codereview.chromium.org/25004008/diff/1/Source/core/editing/FrameSelection.cpp > File Source/core/editing/FrameSelection.cpp (left): > > https://codereview.chromium.org/25004008/diff/1/Source/core/editing/FrameSelection.cpp#oldcode1558 > ...

7 years, 2 months ago (2013-09-27 22:58:47 UTC) #3

eseidel

https://codereview.chromium.org/25004008/diff/1/Source/core/rendering/RenderView.cpp File Source/core/rendering/RenderView.cpp (left): https://codereview.chromium.org/25004008/diff/1/Source/core/rendering/RenderView.cpp#oldcode631 Source/core/rendering/RenderView.cpp:631: document().updateStyleIfNeeded(); Should these be ASSERT(!document->needsStylin())

7 years, 2 months ago (2013-09-27 23:04:26 UTC) #4

esprehn

On 2013/09/27 23:04:26, eseidel wrote: > https://codereview.chromium.org/25004008/diff/1/Source/core/rendering/RenderView.cpp > File Source/core/rendering/RenderView.cpp (left): > > https://codereview.chromium.org/25004008/diff/1/Source/core/rendering/RenderView.cpp#oldcode631 > ...

7 years, 2 months ago (2013-09-27 23:14:59 UTC) #5

esprehn

On 2013/09/27 23:14:59, esprehn wrote: > On 2013/09/27 23:04:26, eseidel wrote: > > > https://codereview.chromium.org/25004008/diff/1/Source/core/rendering/RenderView.cpp ...

7 years, 2 months ago (2013-10-04 04:44:05 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/esprehn@chromium.org/25004008/1

7 years, 2 months ago (2013-10-04 14:54:15 UTC) #8

commit-bot: I haz the power

Sorry for I got bad news for ya. Compile failed with a clobber build on ...

7 years, 2 months ago (2013-10-04 15:20:35 UTC) #9

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/esprehn@chromium.org/25004008/19001

7 years, 2 months ago (2013-10-14 10:06:27 UTC) #10

Message was sent while issue was closed.

Change committed as 159575

Expand Messages | Collapse Messages