Diff
Modified: branches/safari-611.3.10.0-branch/Source/WebCore/ChangeLog (279526 => 279527)
--- branches/safari-611.3.10.0-branch/Source/WebCore/ChangeLog 2021-07-03 00:33:25 UTC (rev 279526)
+++ branches/safari-611.3.10.0-branch/Source/WebCore/ChangeLog 2021-07-03 01:11:12 UTC (rev 279527)
@@ -1,3 +1,40 @@
+2021-07-02 Ruben Turcios <rubent...@apple.com>
+
+ Cherry-pick r278964. rdar://problem/79474157
+
+ Protect Element before calling dispatchMouseEvent() on it
+ https://bugs.webkit.org/show_bug.cgi?id=226767
+ <rdar://problem/79009112>
+
+ Reviewed by Ryosuke Niwa.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::updateMouseEventTargetNode):
+ (WebCore::EventHandler::dispatchMouseEvent):
+ * page/PointerLockController.cpp:
+ (WebCore::PointerLockController::dispatchLockedMouseEvent):
+ * page/Quirks.cpp:
+ (WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278964 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-06-16 Chris Dumez <cdu...@apple.com>
+
+ Protect Element before calling dispatchMouseEvent() on it
+ https://bugs.webkit.org/show_bug.cgi?id=226767
+ <rdar://problem/79009112>
+
+ Reviewed by Ryosuke Niwa.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::updateMouseEventTargetNode):
+ (WebCore::EventHandler::dispatchMouseEvent):
+ * page/PointerLockController.cpp:
+ (WebCore::PointerLockController::dispatchLockedMouseEvent):
+ * page/Quirks.cpp:
+ (WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
+
2021-06-21 Alan Coon <alanc...@apple.com>
Cherry-pick r279010. rdar://problem/79574790
Modified: branches/safari-611.3.10.0-branch/Source/WebCore/dom/Element.cpp (279526 => 279527)
--- branches/safari-611.3.10.0-branch/Source/WebCore/dom/Element.cpp 2021-07-03 00:33:25 UTC (rev 279526)
+++ branches/safari-611.3.10.0-branch/Source/WebCore/dom/Element.cpp 2021-07-03 01:11:12 UTC (rev 279527)
@@ -385,6 +385,7 @@
if (mouseEvent->type().isEmpty())
return true; // Shouldn't happen.
+ Ref protectedThis { *this };
bool didNotSwallowEvent = true;
if (dispatchPointerEventIfNeeded(*this, mouseEvent.get(), platformEvent, didNotSwallowEvent) == ShouldIgnoreMouseEvent::Yes)
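Review bot: The new `Ref protectedThis { *this };` has no comment saying what it guards against, and the ChangeLog entry in this same commit lists EventHandler.cpp, PointerLockController.cpp and Quirks.cpp but not dom/Element.cpp, so this callee-side guard is undocumented in both places. Going by the commit title, the concern is presumably that handlers run during dispatch can drop the last reference to the element; a one-line comment such as `// Dispatching can run handlers that release the last reference to this element.` would stop a later cleanup from removing the line as redundant with the caller-side guards. The enclosing function starts and ends outside this hunk, so I cannot confirm that nothing before this line already touches state that needs the same protection.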
Modified: branches/safari-611.3.10.0-branch/Source/WebCore/page/EventHandler.cpp (279526 => 279527)
--- branches/safari-611.3.10.0-branch/Source/WebCore/page/EventHandler.cpp 2021-07-03 00:33:25 UTC (rev 279526)
+++ branches/safari-611.3.10.0-branch/Source/WebCore/page/EventHandler.cpp 2021-07-03 01:11:12 UTC (rev 279527)
@@ -2547,8 +2547,8 @@
enteredElementsChain.shrink(enteredElementsChain.size() - i);
}
- if (m_lastElementUnderMouse)
- m_lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
+ if (auto lastElementUnderMouse = m_lastElementUnderMouse)
+ lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
for (auto& chain : leftElementsChain) {
if (hasCapturingMouseLeaveListener || chain->hasEventListeners(eventNames().pointerleaveEvent) || chain->hasEventListeners(eventNames().mouseleaveEvent))
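Review bot: `if (auto lastElementUnderMouse = m_lastElementUnderMouse)` only protects the element if `auto` deduces an owning smart pointer, and nothing on the line says the copy is deliberate. Spelling it as `if (RefPtr protectedLastElementUnderMouse = m_lastElementUnderMouse)` would match the `protectedThis` / `protectedElement` naming used elsewhere in this commit, and would stay protective if the member's type ever becomes non-owning. The same applies to `auto elementUnderMouse = m_elementUnderMouse` in the next two hunks of this file. Separately, the related-target argument is still passed as a raw `m_elementUnderMouse.get()` / `m_lastElementUnderMouse.get()`; whether `dispatchMouseEvent()` takes its own reference to it before any handler runs is not visible here and is worth confirming.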
@@ -2555,8 +2555,8 @@
chain->dispatchMouseEvent(platformMouseEvent, eventNames().mouseleaveEvent, 0, m_elementUnderMouse.get());
}
- if (m_elementUnderMouse)
- m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
+ if (auto elementUnderMouse = m_elementUnderMouse)
+ elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
for (auto& chain : WTF::makeReversedRange(enteredElementsChain)) {
if (hasCapturingMouseEnterListener || chain->hasEventListeners(eventNames().pointerenterEvent) || chain->hasEventListeners(eventNames().mouseenterEvent))
@@ -2640,8 +2640,10 @@
updateMouseEventTargetNode(eventType, targetNode, platformMouseEvent, fireMouseOverOut);
- if (m_elementUnderMouse && !m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
- return false;
+ if (auto elementUnderMouse = m_elementUnderMouse) {
+ if (!elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
+ return false;
+ }
if (eventType != eventNames().mousedownEvent)
return true;
Modified: branches/safari-611.3.10.0-branch/Source/WebCore/page/PointerLockController.cpp (279526 => 279527)
--- branches/safari-611.3.10.0-branch/Source/WebCore/page/PointerLockController.cpp 2021-07-03 00:33:25 UTC (rev 279526)
+++ branches/safari-611.3.10.0-branch/Source/WebCore/page/PointerLockController.cpp 2021-07-03 01:11:12 UTC (rev 279527)
@@ -181,11 +181,12 @@
if (!m_element || !m_element->document().frame())
return;
- m_element->dispatchMouseEvent(event, eventType, event.clickCount());
+ Ref protectedElement { *m_element };
+ protectedElement->dispatchMouseEvent(event, eventType, event.clickCount());
// Create click events
if (eventType == eventNames().mouseupEvent)
- m_element->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
+ protectedElement->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
}
void PointerLockController::dispatchLockedWheelEvent(const PlatformWheelEvent& event)
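Review bot: The follow-up click is now dispatched on `protectedElement` without repeating the guard at the top of the hunk (`!m_element || !m_element->document().frame()`). If a handler run by the first dispatch releases the pointer lock or detaches the frame, the click is still delivered to the old element. `Ref protectedElement { *m_element };` fixes the lifetime problem, but whether the click should still fire is a separate question that the hunk does not settle. If it should not, the condition could become `if (eventType == eventNames().mouseupEvent && protectedElement->document().frame())`; if it should, a short comment saying so would help. The function's signature is outside the hunk.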
Modified: branches/safari-611.3.10.0-branch/Source/WebCore/page/Quirks.cpp (279526 => 279527)
--- branches/safari-611.3.10.0-branch/Source/WebCore/page/Quirks.cpp 2021-07-03 00:33:25 UTC (rev 279526)
+++ branches/safari-611.3.10.0-branch/Source/WebCore/page/Quirks.cpp 2021-07-03 01:11:12 UTC (rev 279527)
@@ -1192,11 +1192,12 @@
if (isStorageAccessQuirkDomainAndElement(m_document->url(), element)) {
return requestStorageAccessAndHandleClick([element = makeWeakPtr(element), platformEvent, eventType, detail, relatedTarget] (ShouldDispatchClick shouldDispatchClick) mutable {
- if (!element)
+ RefPtr protectedElement { element.get() };
+ if (!protectedElement)
return;
if (shouldDispatchClick == ShouldDispatchClick::Yes)
- element->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
+ protectedElement->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
});
}
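Review bot: The lambda now promotes `element` to a `RefPtr` before use, but `relatedTarget` is still captured by plain copy and passed straight to `dispatchMouseEvent()`. Its declaration is outside the hunk; if it is a raw `Element*`, it can dangle by the time the completion callback from `requestStorageAccessAndHandleClick` runs, which is the same lifetime hazard this commit fixes for `element`. Consider capturing it as a weak or ref-counted pointer, e.g. `relatedTarget = makeWeakPtr(relatedTarget)` in the capture list and `relatedTarget.get()` at the call, assuming a pointer overload of `makeWeakPtr` is available on this branch.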