Title: [216906] branches/safari-604.1.21-branch/Source/WebCore
- Revision
- 216906
- Author
- matthew_han...@apple.com
- Date
- 2017-05-15 23:19:34 -0700 (Mon, 15 May 2017)
Log Message
Cherry-pick r216863. rdar://problem/31963192
Modified Paths
Diff
Modified: branches/safari-604.1.21-branch/Source/WebCore/ChangeLog (216905 => 216906)
--- branches/safari-604.1.21-branch/Source/WebCore/ChangeLog 2017-05-16 06:19:30 UTC (rev 216905)
+++ branches/safari-604.1.21-branch/Source/WebCore/ChangeLog 2017-05-16 06:19:34 UTC (rev 216906)
@@ -1,5 +1,31 @@
2017-05-15 Matthew Hanson <matthew_han...@apple.com>
+ Cherry-pick r216863. rdar://problem/31963192
+
+ 2017-05-15 Brent Fulgham <bfulg...@apple.com>
+
+ [iOS WK1] Do not try to dispatch messages to subframes if their documents have not been constructed yet.
+ https://bugs.webkit.org/show_bug.cgi?id=172059
+ <rdar://problem/31963192>
+
+ Reviewed by Zalan Bujtas.
+
+ On iOS WK1 we can end up in an inconsistent state, where
+ 1. The web thread is inside a newly-injected iframe's document's constructor and
+ 2. waiting on a delegate callback on the main thread
+ while the main thread
+ (a) Evaluates arbitrary _javascript_ that modifies storage which
+ (b) Triggers an event dispatch.
+
+ * storage/StorageEventDispatcher.cpp:
+ (WebCore::StorageEventDispatcher::dispatchSessionStorageEvents): If the sub-frame's document
+ is in an inconsistent state, skip it.
+ (WebCore::StorageEventDispatcher::dispatchLocalStorageEvents): Ditto.
+ (WebCore::StorageEventDispatcher::dispatchSessionStorageEventsToFrames): Ditto.
+ (WebCore::StorageEventDispatcher::dispatchLocalStorageEventsToFrames): Ditto.
+
+2017-05-15 Matthew Hanson <matthew_han...@apple.com>
+
Cherry-pick r216836. rdar://problem/31899730
2017-05-13 Eric Carlson <eric.carl...@apple.com>
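Review bot: The entry for StorageEventDispatcher.cpp says a sub-frame whose document is in an inconsistent state is skipped, but it does not say what happens to the storage event for that frame. As written in the diff, the frame is simply passed over, so it never receives this event. It would help to state that explicitly in the ChangeLog text, and to note whether a regression test accompanies the change, since none is named here.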
Modified: branches/safari-604.1.21-branch/Source/WebCore/storage/StorageEventDispatcher.cpp (216905 => 216906)
--- branches/safari-604.1.21-branch/Source/WebCore/storage/StorageEventDispatcher.cpp 2017-05-16 06:19:30 UTC (rev 216905)
+++ branches/safari-604.1.21-branch/Source/WebCore/storage/StorageEventDispatcher.cpp 2017-05-16 06:19:34 UTC (rev 216906)
@@ -50,6 +50,8 @@
// Send events only to our page.
for (Frame* frame = &page->mainFrame(); frame; frame = frame->tree().traverseNext()) {
+ if (!frame->document())
+ continue;
if (sourceFrame != frame && frame->document()->securityOrigin().equal(securityOrigin.securityOrigin().ptr()))
frames.append(frame);
}
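Review bot: Style point on the per-page collection loop: the new guard correctly sits ahead of the frame->document()->securityOrigin() call, but the loop body now calls frame->document() twice. Reading it once into a local pointer, testing that pointer, and using it for the origin comparison would make it obvious that the check and the dereference refer to the same object.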
@@ -68,6 +70,8 @@
// Send events to every page.
for (auto& pageInGroup : page->group().pages()) {
for (Frame* frame = &pageInGroup->mainFrame(); frame; frame = frame->tree().traverseNext()) {
+ if (!frame->document())
+ continue;
if (sourceFrame != frame && frame->document()->securityOrigin().equal(securityOrigin.securityOrigin().ptr()))
frames.append(frame);
}
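Review bot: The guard in this all-pages loop is an exact copy of the one added to the single-page loop above it, and the origin comparison that follows is duplicated as well. Consider factoring the "has a document and matches the security origin, and is not sourceFrame" test into one small helper used by both loops, so a future change to the condition cannot be applied to one loop and missed in the other.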
@@ -82,6 +86,8 @@
for (auto& frame : frames) {
auto result = frame->document()->domWindow()->sessionStorage();
+ if (!frame->document())
+ continue;
if (!result.hasException())
frame->document()->enqueueWindowEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, url, result.releaseReturnValue()));
}
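Review bot: The null check in the session-storage dispatch loop is placed one statement too late. The line above it, auto result = frame->document()->domWindow()->sessionStorage();, already dereferences frame->document(), so a frame whose document is null still crashes before the new "if (!frame->document()) continue;" is reached. Move the guard to the top of the loop body, ahead of the sessionStorage() call. The same statement also dereferences domWindow() without a check; if that can be null in the state described in the ChangeLog, it needs a guard too.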
@@ -94,6 +100,8 @@
for (auto& frame : frames) {
auto result = frame->document()->domWindow()->localStorage();
+ if (!frame->document())
+ continue;
if (!result.hasException())
frame->document()->enqueueWindowEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, url, result.releaseReturnValue()));
}
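Review bot: In the local-storage dispatch loop the added "if (!frame->document()) continue;" comes after auto result = frame->document()->domWindow()->localStorage();, so the document pointer is dereferenced before it is tested and the guard cannot prevent the null dereference it is meant to stop. Put the check first in the loop body, and consider checking domWindow() as well, since it is dereferenced unconditionally on the same line.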
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes