- Revision
- 257031
- Author
- alanc...@apple.com
- Date
- 2020-02-19 18:59:53 -0800 (Wed, 19 Feb 2020)
Log Message
Cherry-pick r256859. rdar://problem/59576018
[macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=207899
<rdar://problem/55658207>
Reviewed by Tim Horton and Simon Fraser.
Source/WebCore:
Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
focused frame no longer has a FrameView.
Test: editing/selection/selection-change-in-disconnected-frame-crash.html
* page/mac/ServicesOverlayController.mm:
(WebCore::ServicesOverlayController::buildSelectionHighlight):
Source/WebKit:
Add another missing null check on iOS, for the case where FrameView is null.
* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::platformEditorState const):
Tools:
Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
* WebKitTestRunner/TestController.cpp:
(WTR::updateTestOptionsFromTestHeader):
* WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::hasSameInitializationOptions const):
* WebKitTestRunner/cocoa/TestControllerCocoa.mm:
(WTR::TestController::platformCreateWebView):
LayoutTests:
Add a new layout test to verify that we don't crash under this circumstance.
* editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
* editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/LayoutTests/ChangeLog (257030 => 257031)
--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/LayoutTests/ChangeLog 2020-02-20 02:59:53 UTC (rev 257031)
@@ -1,3 +1,67 @@
+2020-02-19 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r256859. rdar://problem/59576018
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Source/WebCore:
+
+ Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
+ focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
+ This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
+ it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
+ it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
+ focused frame no longer has a FrameView.
+
+ Test: editing/selection/selection-change-in-disconnected-frame-crash.html
+
+ * page/mac/ServicesOverlayController.mm:
+ (WebCore::ServicesOverlayController::buildSelectionHighlight):
+
+ Source/WebKit:
+
+ Add another missing null check on iOS, for the case where FrameView is null.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::platformEditorState const):
+
+ Tools:
+
+ Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
+
+ * WebKitTestRunner/TestController.cpp:
+ (WTR::updateTestOptionsFromTestHeader):
+ * WebKitTestRunner/TestOptions.h:
+ (WTR::TestOptions::hasSameInitializationOptions const):
+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+ (WTR::TestController::platformCreateWebView):
+
+ LayoutTests:
+
+ Add a new layout test to verify that we don't crash under this circumstance.
+
+ * editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
+ * editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-18 Wenson Hsieh <wenson_hs...@apple.com>
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Add a new layout test to verify that we don't crash under this circumstance.
+
+ * editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
+ * editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
+
2020-02-18 Alan Coon <alanc...@apple.com>
Apply patch. rdar://problem/59465474
Added: branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash-expected.txt (0 => 257031)
--- branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash-expected.txt (rev 0)
+++ branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash-expected.txt 2020-02-20 02:59:53 UTC (rev 257031)
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+
+
Added: branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash.html (0 => 257031)
--- branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash.html (rev 0)
+++ branches/safari-609-branch/LayoutTests/editing/selection/selection-change-in-disconnected-frame-crash.html 2020-02-20 02:59:53 UTC (rev 257031)
@@ -0,0 +1,23 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ enableServiceControls=true ] -->
+<html>
+<head>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ addEventListener("load", () => {
+ const frame = document.querySelector("iframe");
+ const frameSet = document.createElement("frameset");
+ const frameDocument = frame.contentDocument;
+
+ frameDocument.getSelection().selectAllChildren(frameDocument.body);
+ frameSet._onblur_ = () => document.body.appendChild(frame);
+ frame.focus();
+ });
+</script>
+</head>
+<body>
+ <p>This test passes if it does not crash.</p>
+ <iframe srcdoc="<body>Hello</body>"></iframe>
+</body>
+</html>
\ No newline at end of file
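Review bot: the test needs a comment explaining why a blur handler on a `frameset` that is never inserted into the document has any effect. The reading under which `frame.focus()` ends up running `document.body.appendChild(frame)` is that `onblur` on a `frameset` (as on `body`) is a window-reflecting event handler, so the assignment installs `window.onblur`, which fires when focus moves into the iframe and reparents it mid-focus; that is the unparent/reparent sequence the ChangeLog describes, and a reader will not infer it from the code. Separately, `frameSet._onblur_` as rendered on this page looks like markup wrapped around `onblur`; taken literally it would set an inert expando property and the reparenting would never run, so confirm the committed source reads `frameSet.onblur = ...`. Minor: the file ends without a trailing newline.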
Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (257030 => 257031)
--- branches/safari-609-branch/Source/WebCore/ChangeLog 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog 2020-02-20 02:59:53 UTC (rev 257031)
@@ -1,3 +1,74 @@
+2020-02-19 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r256859. rdar://problem/59576018
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Source/WebCore:
+
+ Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
+ focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
+ This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
+ it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
+ it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
+ focused frame no longer has a FrameView.
+
+ Test: editing/selection/selection-change-in-disconnected-frame-crash.html
+
+ * page/mac/ServicesOverlayController.mm:
+ (WebCore::ServicesOverlayController::buildSelectionHighlight):
+
+ Source/WebKit:
+
+ Add another missing null check on iOS, for the case where FrameView is null.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::platformEditorState const):
+
+ Tools:
+
+ Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
+
+ * WebKitTestRunner/TestController.cpp:
+ (WTR::updateTestOptionsFromTestHeader):
+ * WebKitTestRunner/TestOptions.h:
+ (WTR::TestOptions::hasSameInitializationOptions const):
+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+ (WTR::TestController::platformCreateWebView):
+
+ LayoutTests:
+
+ Add a new layout test to verify that we don't crash under this circumstance.
+
+ * editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
+ * editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-18 Wenson Hsieh <wenson_hs...@apple.com>
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
+ focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
+ This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
+ it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
+ it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
+ focused frame no longer has a FrameView.
+
+ Test: editing/selection/selection-change-in-disconnected-frame-crash.html
+
+ * page/mac/ServicesOverlayController.mm:
+ (WebCore::ServicesOverlayController::buildSelectionHighlight):
+
2020-02-18 Alan Coon <alanc...@apple.com>
Apply patch. rdar://problem/59465474
Modified: branches/safari-609-branch/Source/WebCore/page/mac/ServicesOverlayController.mm (257030 => 257031)
--- branches/safari-609-branch/Source/WebCore/page/mac/ServicesOverlayController.mm 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Source/WebCore/page/mac/ServicesOverlayController.mm 2020-02-20 02:59:53 UTC (rev 257031)
@@ -544,7 +544,9 @@
if (!mainFrameView)
return;
- FrameView* viewForRange = selectionRange->ownerDocument().view();
+ RefPtr<FrameView> viewForRange = selectionRange->ownerDocument().view();
+ if (!viewForRange)
+ return;
for (auto& rect : m_currentSelectionRects) {
IntRect currentRect = snappedIntRect(rect);
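Review bot: holding the view in a `RefPtr<FrameView>` rather than the raw `FrameView*` it replaces is the right choice, since it also keeps the view alive across the loop over `m_currentSelectionRects` that follows, not only at the null check. One thing to confirm: the early `return` leaves whatever highlight was previously built untouched, so if the null-view window the ChangeLog describes is momentary, the next selection change or timer fire must rebuild the highlight; if nothing reschedules it, the selection highlight stays stale until the selection changes again.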
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (257030 => 257031)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-02-20 02:59:53 UTC (rev 257031)
@@ -1,5 +1,69 @@
2020-02-19 Russell Epstein <repst...@apple.com>
+ Cherry-pick r256859. rdar://problem/59576018
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Source/WebCore:
+
+ Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
+ focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
+ This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
+ it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
+ it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
+ focused frame no longer has a FrameView.
+
+ Test: editing/selection/selection-change-in-disconnected-frame-crash.html
+
+ * page/mac/ServicesOverlayController.mm:
+ (WebCore::ServicesOverlayController::buildSelectionHighlight):
+
+ Source/WebKit:
+
+ Add another missing null check on iOS, for the case where FrameView is null.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::platformEditorState const):
+
+ Tools:
+
+ Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
+
+ * WebKitTestRunner/TestController.cpp:
+ (WTR::updateTestOptionsFromTestHeader):
+ * WebKitTestRunner/TestOptions.h:
+ (WTR::TestOptions::hasSameInitializationOptions const):
+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+ (WTR::TestController::platformCreateWebView):
+
+ LayoutTests:
+
+ Add a new layout test to verify that we don't crash under this circumstance.
+
+ * editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
+ * editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-18 Wenson Hsieh <wenson_hs...@apple.com>
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Add another missing null check on iOS, for the case where FrameView is null.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::platformEditorState const):
+
+2020-02-19 Russell Epstein <repst...@apple.com>
+
Cherry-pick r256790. rdar://problem/59576023
Data detectors do not trigger on macCatalyst
Modified: branches/safari-609-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (257030 => 257031)
--- branches/safari-609-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm 2020-02-20 02:59:53 UTC (rev 257031)
@@ -208,6 +208,11 @@
void WebPage::platformEditorState(Frame& frame, EditorState& result, IncludePostLayoutDataHint shouldIncludePostLayoutData) const
{
FrameView* view = frame.view();
+ if (!view) {
+ result.isMissingPostLayoutData = true;
+ return;
+ }
+
if (frame.editor().hasComposition()) {
RefPtr<Range> compositionRange = frame.editor().compositionRange();
Vector<WebCore::SelectionRect> compositionRects;
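Review bot: the early return populates only `result.isMissingPostLayoutData` before bailing out, so the composition-rect block below is skipped whenever the frame has no view; that matches the ChangeLog, but a short comment on the `if (!view)` block saying that every later use of `view` in this function relies on it would help anyone reordering the function later, because the second hunk removes the only other null guard.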
@@ -227,7 +232,7 @@
// to avoid the need to force a synchronous layout here to compute these entries. If we
// have a composition or are using a hardware keyboard then we send the full editor state
// immediately so that the UIProcess can update UI, including the position of the caret.
- bool needsLayout = !frame.view() || frame.view()->needsLayout();
+ bool needsLayout = view->needsLayout();
bool requiresPostLayoutData = frame.editor().hasComposition();
#if !PLATFORM(MACCATALYST)
requiresPostLayoutData |= m_keyboardIsAttached;
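Review bot: replacing `!frame.view() || frame.view()->needsLayout()` with `view->needsLayout()` is correct only because of the `if (!view)` early return in the previous hunk; the null case is no longer handled at this line. The removed form also re-fetched `frame.view()` at this point, whereas `view` is a raw `FrameView*` captured once at the top of the function, so if anything between the two points can detach the frame's view, the cached pointer is stale. The WebCore side of this same change moved the equivalent pointer to `RefPtr<FrameView>`; doing the same here would remove that concern.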
Modified: branches/safari-609-branch/Tools/ChangeLog (257030 => 257031)
--- branches/safari-609-branch/Tools/ChangeLog 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Tools/ChangeLog 2020-02-20 02:59:53 UTC (rev 257031)
@@ -1,3 +1,71 @@
+2020-02-19 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r256859. rdar://problem/59576018
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Source/WebCore:
+
+ Mitigates a null pointer crash in ServicesOverlayController::buildPotentialHighlightsIfNeeded(), wherein the
+ focused frame may not have a FrameView when the ServicesOverlayController's selection invalidation timer fires.
+ This is possible if, while being focused, the newly focused subframe is unparented and reparented, which causes
+ it to momentarily have a null view. During this time, if a selection change had occurred earlier in the runloop,
+ it will schedule the page overlay controller invalidation timer, which will fire and discover that the currently
+ focused frame no longer has a FrameView.
+
+ Test: editing/selection/selection-change-in-disconnected-frame-crash.html
+
+ * page/mac/ServicesOverlayController.mm:
+ (WebCore::ServicesOverlayController::buildSelectionHighlight):
+
+ Source/WebKit:
+
+ Add another missing null check on iOS, for the case where FrameView is null.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::platformEditorState const):
+
+ Tools:
+
+ Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
+
+ * WebKitTestRunner/TestController.cpp:
+ (WTR::updateTestOptionsFromTestHeader):
+ * WebKitTestRunner/TestOptions.h:
+ (WTR::TestOptions::hasSameInitializationOptions const):
+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+ (WTR::TestController::platformCreateWebView):
+
+ LayoutTests:
+
+ Add a new layout test to verify that we don't crash under this circumstance.
+
+ * editing/selection/selection-change-in-disconnected-frame-crash-expected.txt: Added.
+ * editing/selection/selection-change-in-disconnected-frame-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-18 Wenson Hsieh <wenson_hs...@apple.com>
+
+ [macOS] Web process may crash under ServicesOverlayController::buildPotentialHighlightsIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=207899
+ <rdar://problem/55658207>
+
+ Reviewed by Tim Horton and Simon Fraser.
+
+ Make it possible to run tests on macOS with services controls enabled, via a new TestOptions flag.
+
+ * WebKitTestRunner/TestController.cpp:
+ (WTR::updateTestOptionsFromTestHeader):
+ * WebKitTestRunner/TestOptions.h:
+ (WTR::TestOptions::hasSameInitializationOptions const):
+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+ (WTR::TestController::platformCreateWebView):
+
2020-02-17 Alan Coon <alanc...@apple.com>
Cherry-pick r256632. rdar://problem/59478906
Modified: branches/safari-609-branch/Tools/WebKitTestRunner/TestController.cpp (257030 => 257031)
--- branches/safari-609-branch/Tools/WebKitTestRunner/TestController.cpp 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Tools/WebKitTestRunner/TestController.cpp 2020-02-20 02:59:53 UTC (rev 257031)
@@ -1436,6 +1436,8 @@
testOptions.shouldIgnoreMetaViewport = parseBooleanTestHeaderValue(value);
else if (key == "spellCheckingDots")
testOptions.shouldShowSpellCheckingDots = parseBooleanTestHeaderValue(value);
+ else if (key == "enableServiceControls")
+ testOptions.enableServiceControls = parseBooleanTestHeaderValue(value);
else if (key == "enableEditableImages")
testOptions.enableEditableImages = parseBooleanTestHeaderValue(value);
else if (key == "editable")
Modified: branches/safari-609-branch/Tools/WebKitTestRunner/TestOptions.h (257030 => 257031)
--- branches/safari-609-branch/Tools/WebKitTestRunner/TestOptions.h 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Tools/WebKitTestRunner/TestOptions.h 2020-02-20 02:59:53 UTC (rev 257031)
@@ -88,6 +88,7 @@
bool checkForWorldLeaks { false };
bool shouldIgnoreMetaViewport { false };
bool shouldShowSpellCheckingDots { false };
+ bool enableServiceControls { false };
bool enableEditableImages { false };
bool editable { false };
bool enableUndoManagerAPI { false };
@@ -147,6 +148,7 @@
|| runSingly != options.runSingly
|| checkForWorldLeaks != options.checkForWorldLeaks
|| shouldShowSpellCheckingDots != options.shouldShowSpellCheckingDots
+ || enableServiceControls != options.enableServiceControls
|| shouldIgnoreMetaViewport != options.shouldIgnoreMetaViewport
|| enableEditableImages != options.enableEditableImages
|| editable != options.editable
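Review bot: including `enableServiceControls` in `hasSameInitializationOptions` is necessary rather than merely consistent: the value is applied to the `WKWebViewConfiguration` when the web view is created (see the TestControllerCocoa change), so two tests differing only in this option must not share a web view. The comparison list already does not follow declaration order (`shouldIgnoreMetaViewport` comes after `shouldShowSpellCheckingDots` here but before it in the struct), so a separate cleanup aligning the two orders would make future omissions easier to spot.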
Modified: branches/safari-609-branch/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm (257030 => 257031)
--- branches/safari-609-branch/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm 2020-02-20 02:59:46 UTC (rev 257030)
+++ branches/safari-609-branch/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm 2020-02-20 02:59:53 UTC (rev 257031)
@@ -144,8 +144,8 @@
[copiedConfiguration setIgnoresViewportScaleLimits:YES];
if (options.useCharacterSelectionGranularity)
[copiedConfiguration setSelectionGranularity:WKSelectionGranularityCharacter];
- if (options.useCharacterSelectionGranularity)
- [copiedConfiguration setSelectionGranularity:WKSelectionGranularityCharacter];
+#else
+ [copiedConfiguration _setServiceControlsEnabled:options.enableServiceControls];
#endif
if (options.enableAttachmentElement)
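Review bot: the two deleted lines (`if (options.useCharacterSelectionGranularity)` / `[copiedConfiguration setSelectionGranularity:WKSelectionGranularityCharacter];`) were an exact duplicate of the two lines immediately above them, so this hunk also fixes a pre-existing copy/paste duplication; that cleanup is not mentioned in the ChangeLog and deserves a line there. The new `_setServiceControlsEnabled:` call sits in the `#else` branch, so the `enableServiceControls` header is parsed on every platform by `TestController.cpp` but only takes effect on the platform outside the `#if` (macOS, per the ChangeLog); elsewhere a test declaring `enableServiceControls=true` silently runs without service controls, which is worth a comment next to the header parsing or here.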