Chromium Code Reviews

Issue 794123004: Make TreeScopeEventContext have a RefPtr to TreeScope.rootNode to guard TreeScope. (Closed)

Created:
6 years ago by hayato
Modified:
6 years ago
Reviewers:
esprehn, dglazkov
CC:
blink-reviews, kochi
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

Make TreeScopeEventContext have a RefPtr to TreeScope.rootNode to guard TreeScope.

This fixes a use-after-free caused by TreeScope being freed while TreeScopeEventContext still needs it. Because TreeScope itself isn't RefCounted, guard it by having a RefPtr to treeScope.rootNode() instead.

BUG=442806

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187435
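As an added illustration of the ownership pattern the description relies on (constructed example, not Blink's code): a non-ref-counted scope object owned by a ref-counted root node stays alive only while someone holds a strong reference to that root. The names RootNode, TreeScope, the live-scope counter and the two context structs are assumptions made for this illustration.

```cpp
#include <memory>

// Constructed illustration (not Blink code): a TreeScope is not ref-counted,
// so anything that may outlive the document must keep the scope's root node
// alive instead of holding only a raw pointer to the scope.

static int g_liveTreeScopes = 0;  // instrumentation: number of TreeScopes alive

struct TreeScope {
    TreeScope() { ++g_liveTreeScopes; }
    ~TreeScope() { --g_liveTreeScopes; }
};

// The root node (e.g. a Document) is ref-counted and owns its TreeScope.
struct RootNode {
    std::unique_ptr<TreeScope> scope = std::make_unique<TreeScope>();
};

// Before the fix: only a raw pointer; nothing keeps the scope alive.
struct UnguardedEventContext {
    TreeScope* treeScope;
    explicit UnguardedEventContext(const std::shared_ptr<RootNode>& root)
        : treeScope(root->scope.get()) {}
};

// After the fix: additionally hold a strong reference to rootNode(),
// which owns the scope, so the scope cannot be freed under us.
struct GuardedEventContext {
    TreeScope* treeScope;
    std::shared_ptr<RootNode> rootNodeGuard;
    explicit GuardedEventContext(const std::shared_ptr<RootNode>& root)
        : treeScope(root->scope.get()), rootNodeGuard(root) {}
};

// Build a context for a fresh document, drop the document's last external
// reference (as the regression test does while the event path is still in
// use), and report how many TreeScopes are still alive while the context exists.
template <typename Context>
static int liveScopesAfterDocumentDropped() {
    auto root = std::make_shared<RootNode>();
    Context ctx(root);
    (void)ctx;
    root.reset();              // last external owner goes away
    return g_liveTreeScopes;   // 0 means ctx.treeScope is now dangling
}

int liveScopesUnguarded() { return liveScopesAfterDocumentDropped<UnguardedEventContext>(); }
int liveScopesGuarded()   { return liveScopesAfterDocumentDropped<GuardedEventContext>(); }
```

The unguarded variant returns 0 (the scope was destroyed with the document), the guarded one returns 1 (the context's reference to the root node kept the scope alive).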

Patch Set 1 #

Total comments: 2

Patch Set 2 : Yet another minimization #

Stats: +23 lines, -2 lines

A LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html (1 chunk, +14 lines, -0 lines, 0 comments)
A LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash-expected.txt (1 chunk, +3 lines, -0 lines, 0 comments)
M Source/core/events/TreeScopeEventContext.h (2 chunks, +2 lines, -0 lines, 0 comments)
M Source/core/events/TreeScopeEventContext.cpp (3 chunks, +4 lines, -2 lines, 0 comments)

Messages

Total messages: 7 (2 generated)
hayato
PTAL
6 years ago (2014-12-17 11:20:47 UTC) #2
dglazkov
lgtm https://codereview.chromium.org/794123004/diff/1/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html File LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html (right): https://codereview.chromium.org/794123004/diff/1/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html#newcode6 LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html:6: doc = document.implementation.createDocument('.', 'doc', docType); Interesting! Why is ...
6 years ago (2014-12-17 16:48:55 UTC) #3
hayato
Thank you for the review. https://codereview.chromium.org/794123004/diff/1/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html File LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html (right): https://codereview.chromium.org/794123004/diff/1/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html#newcode6 LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html:6: doc = document.implementation.createDocument('.', 'doc', ...
6 years ago (2014-12-18 05:54:29 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/794123004/20001
6 years ago (2014-12-18 05:55:53 UTC) #6
commit-bot: I haz the power
6 years ago (2014-12-18 07:06:53 UTC) #7
Message was sent while issue was closed.
Committed patchset #2 (id:20001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=187435
