- Revision: 292047
- Author: alanc...@apple.com
- Date: 2022-03-29 11:21:32 -0700 (Tue, 29 Mar 2022)
Log Message
Cherry-pick r292042. rdar://problem/89434696
Unreviewed, fix UAF after r291980
Source/WebCore:
* page/FrameView.h:
(WebCore::FrameView::overrideSizeForCSSDefaultViewportUnits): Added.
(WebCore::FrameView::overrideSizeForCSSSmallViewportUnits): Added.
(WebCore::FrameView::overrideSizeForCSSLargeViewportUnits): Added.
* page/FrameView.cpp:
(WebCore::FrameView::setSizeForCSSDefaultViewportUnits):
(WebCore::FrameView::overrideWidthForCSSDefaultViewportUnits):
(WebCore::FrameView::resetOverriddenWidthForCSSDefaultViewportUnits):
(WebCore::FrameView::setOverrideSizeForCSSDefaultViewportUnits): Renamed from `overrideSizeForCSSDefaultViewportUnits`.
(WebCore::FrameView::setSizeForCSSSmallViewportUnits):
(WebCore::FrameView::overrideWidthForCSSSmallViewportUnits):
(WebCore::FrameView::resetOverriddenWidthForCSSSmallViewportUnits):
(WebCore::FrameView::setOverrideSizeForCSSSmallViewportUnits): Renamed from `overrideSizeForCSSSmallViewportUnits`.
(WebCore::FrameView::setSizeForCSSLargeViewportUnits):
(WebCore::FrameView::overrideWidthForCSSLargeViewportUnits):
(WebCore::FrameView::resetOverriddenWidthForCSSLargeViewportUnits):
(WebCore::FrameView::setOverrideSizeForCSSLargeViewportUnits): Renamed from `overrideSizeForCSSLargeViewportUnits`.
(WebCore::FrameView::copyCSSViewportSizeOverrides): Deleted.
Expose `OverrideViewportSize` so that we can copy those members specifically instead of
having to keep alive the old `FrameView` when transitioning to a new page.
Source/WebKit:
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage):
Expose `OverrideViewportSize` so that we can copy those members specifically instead of
having to keep alive the old `FrameView` when transitioning to a new page.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292042 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-613.2.4.0-branch/Source/WebCore/ChangeLog (292046 => 292047)
--- branches/safari-613.2.4.0-branch/Source/WebCore/ChangeLog 2022-03-29 18:21:31 UTC (rev 292046)
+++ branches/safari-613.2.4.0-branch/Source/WebCore/ChangeLog 2022-03-29 18:21:32 UTC (rev 292047)
@@ -1,3 +1,66 @@
+2022-03-29 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r292042. rdar://problem/89434696
+
+ Unreviewed, fix UAF after r291980
+
+ Source/WebCore:
+
+ * page/FrameView.h:
+ (WebCore::FrameView::overrideSizeForCSSDefaultViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSSmallViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSLargeViewportUnits): Added.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::setSizeForCSSDefaultViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSDefaultViewportUnits): Renamed from `overrideSizeForCSSDefaultViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSSmallViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSSmallViewportUnits): Renamed from `overrideSizeForCSSSmallViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSLargeViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSLargeViewportUnits): Renamed from `overrideSizeForCSSLargeViewportUnits`.
+ (WebCore::FrameView::copyCSSViewportSizeOverrides): Deleted.
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
+ Source/WebKit:
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage):
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292042 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-03-29 Devin Rousso <drou...@apple.com>
+
+ Unreviewed, fix UAF after r291980
+
+ * page/FrameView.h:
+ (WebCore::FrameView::overrideSizeForCSSDefaultViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSSmallViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSLargeViewportUnits): Added.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::setSizeForCSSDefaultViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSDefaultViewportUnits): Renamed from `overrideSizeForCSSDefaultViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSSmallViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSSmallViewportUnits): Renamed from `overrideSizeForCSSSmallViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSLargeViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSLargeViewportUnits): Renamed from `overrideSizeForCSSLargeViewportUnits`.
+ (WebCore::FrameView::copyCSSViewportSizeOverrides): Deleted.
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
2022-03-28 Alan Coon <alanc...@apple.com>
Cherry-pick r291622. rdar://problem/90935942
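Review bot: the entry states "fix UAF after r291980" but never names which object was used after free; one sentence in the description saying that the old `FrameView` passed to `copyCSSViewportSizeOverrides` could already be destroyed when its members were read (the later line "instead of having to keep alive the old `FrameView`" only implies this) would let a reader of this branch understand the cherry-pick without digging into r291980.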
Modified: branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.cpp (292046 => 292047)
--- branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.cpp 2022-03-29 18:21:31 UTC (rev 292046)
+++ branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.cpp 2022-03-29 18:21:32 UTC (rev 292047)
@@ -5605,20 +5605,20 @@
void FrameView::setSizeForCSSDefaultViewportUnits(FloatSize size)
{
- overrideSizeForCSSDefaultViewportUnits({ size.width(), size.height() });
+ setOverrideSizeForCSSDefaultViewportUnits({ size.width(), size.height() });
}
void FrameView::overrideWidthForCSSDefaultViewportUnits(float width)
{
- overrideSizeForCSSDefaultViewportUnits({ width, m_defaultViewportSizeOverride ? m_defaultViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSDefaultViewportUnits({ width, m_defaultViewportSizeOverride ? m_defaultViewportSizeOverride->height : std::nullopt });
}
void FrameView::resetOverriddenWidthForCSSDefaultViewportUnits()
{
- overrideSizeForCSSDefaultViewportUnits({ { }, m_defaultViewportSizeOverride ? m_defaultViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSDefaultViewportUnits({ { }, m_defaultViewportSizeOverride ? m_defaultViewportSizeOverride->height : std::nullopt });
}
-void FrameView::overrideSizeForCSSDefaultViewportUnits(OverrideViewportSize size)
+void FrameView::setOverrideSizeForCSSDefaultViewportUnits(OverrideViewportSize size)
{
if (m_defaultViewportSizeOverride == size)
return;
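Review bot: the early-return check `if (m_defaultViewportSizeOverride == size)` compares the `std::optional` member directly with the value, while the Small and Large variants in the next two hunks spell the same check as `m_smallViewportSizeOverride && *m_smallViewportSizeOverride == size`; both evaluate identically (an empty optional never compares equal to a value), so since this patch is otherwise a mechanical rename over three identical blocks, use one spelling in all three `setOverrideSizeFor...` setters.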
@@ -5646,20 +5646,20 @@
void FrameView::setSizeForCSSSmallViewportUnits(FloatSize size)
{
- overrideSizeForCSSSmallViewportUnits({ size.width(), size.height() });
+ setOverrideSizeForCSSSmallViewportUnits({ size.width(), size.height() });
}
void FrameView::overrideWidthForCSSSmallViewportUnits(float width)
{
- overrideSizeForCSSSmallViewportUnits({ width, m_smallViewportSizeOverride ? m_smallViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSSmallViewportUnits({ width, m_smallViewportSizeOverride ? m_smallViewportSizeOverride->height : std::nullopt });
}
void FrameView::resetOverriddenWidthForCSSSmallViewportUnits()
{
- overrideSizeForCSSSmallViewportUnits({ { }, m_smallViewportSizeOverride ? m_smallViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSSmallViewportUnits({ { }, m_smallViewportSizeOverride ? m_smallViewportSizeOverride->height : std::nullopt });
}
-void FrameView::overrideSizeForCSSSmallViewportUnits(OverrideViewportSize size)
+void FrameView::setOverrideSizeForCSSSmallViewportUnits(OverrideViewportSize size)
{
if (m_smallViewportSizeOverride && *m_smallViewportSizeOverride == size)
return;
@@ -5687,20 +5687,20 @@
void FrameView::setSizeForCSSLargeViewportUnits(FloatSize size)
{
- overrideSizeForCSSLargeViewportUnits({ size.width(), size.height() });
+ setOverrideSizeForCSSLargeViewportUnits({ size.width(), size.height() });
}
void FrameView::overrideWidthForCSSLargeViewportUnits(float width)
{
- overrideSizeForCSSLargeViewportUnits({ width, m_largeViewportSizeOverride ? m_largeViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSLargeViewportUnits({ width, m_largeViewportSizeOverride ? m_largeViewportSizeOverride->height : std::nullopt });
}
void FrameView::resetOverriddenWidthForCSSLargeViewportUnits()
{
- overrideSizeForCSSLargeViewportUnits({ { }, m_largeViewportSizeOverride ? m_largeViewportSizeOverride->height : std::nullopt });
+ setOverrideSizeForCSSLargeViewportUnits({ { }, m_largeViewportSizeOverride ? m_largeViewportSizeOverride->height : std::nullopt });
}
-void FrameView::overrideSizeForCSSLargeViewportUnits(OverrideViewportSize size)
+void FrameView::setOverrideSizeForCSSLargeViewportUnits(OverrideViewportSize size)
{
if (m_largeViewportSizeOverride && *m_largeViewportSizeOverride == size)
return;
@@ -5748,13 +5748,6 @@
return rectForFixedPositionLayout().size();
}
-void FrameView::copyCSSViewportSizeOverrides(FrameView& view)
-{
- m_defaultViewportSizeOverride = view.m_defaultViewportSizeOverride;
- m_smallViewportSizeOverride = view.m_smallViewportSizeOverride;
- m_largeViewportSizeOverride = view.m_largeViewportSizeOverride;
-}
-
bool FrameView::shouldPlaceVerticalScrollbarOnLeft() const
{
return renderView() && renderView()->shouldPlaceVerticalScrollbarOnLeft();
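Review bot: deleting `copyCSSViewportSizeOverrides(FrameView&)` is the right shape of fix, because the method read members through a reference to the old `FrameView` at a point where, per the commit message, that view was only valid if something kept it alive; since its declaration in `FrameView.h` was `WEBCORE_EXPORT`, confirm that no other port or embedder still calls it, as this patch updates only `WebFrameLoaderClient.cpp`.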
Modified: branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.h (292046 => 292047)
--- branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.h 2022-03-29 18:21:31 UTC (rev 292046)
+++ branches/safari-613.2.4.0-branch/Source/WebCore/page/FrameView.h 2022-03-29 18:21:32 UTC (rev 292047)
@@ -228,14 +228,27 @@
WEBCORE_EXPORT void adjustViewSize();
+ struct OverrideViewportSize {
+ std::optional<float> width;
+ std::optional<float> height;
+
+ bool operator==(const OverrideViewportSize& rhs) const { return rhs.width == width && rhs.height == height; }
+ };
+
+ WEBCORE_EXPORT void setOverrideSizeForCSSDefaultViewportUnits(OverrideViewportSize);
+ std::optional<OverrideViewportSize> overrideSizeForCSSDefaultViewportUnits() const { return m_defaultViewportSizeOverride; }
WEBCORE_EXPORT void setSizeForCSSDefaultViewportUnits(FloatSize);
void clearSizeOverrideForCSSDefaultViewportUnits();
FloatSize sizeForCSSDefaultViewportUnits() const;
+ WEBCORE_EXPORT void setOverrideSizeForCSSSmallViewportUnits(OverrideViewportSize);
+ std::optional<OverrideViewportSize> overrideSizeForCSSSmallViewportUnits() const { return m_smallViewportSizeOverride; }
WEBCORE_EXPORT void setSizeForCSSSmallViewportUnits(FloatSize);
void clearSizeOverrideForCSSSmallViewportUnits();
FloatSize sizeForCSSSmallViewportUnits() const;
+ WEBCORE_EXPORT void setOverrideSizeForCSSLargeViewportUnits(OverrideViewportSize);
+ std::optional<OverrideViewportSize> overrideSizeForCSSLargeViewportUnits() const { return m_largeViewportSizeOverride; }
WEBCORE_EXPORT void setSizeForCSSLargeViewportUnits(FloatSize);
void clearSizeOverrideForCSSLargeViewportUnits();
FloatSize sizeForCSSLargeViewportUnits() const;
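Review bot: `OverrideViewportSize` moves from the private section to public API without a comment saying what an empty `width` or `height` means; the `.cpp` callers pass `{ }` for the width when resetting only the width, which suggests a missing component falls back to the unoverridden dimension, and the new external callers of the `overrideSizeFor...` getters would benefit from a one-line comment on the struct stating that contract.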
@@ -242,8 +255,6 @@
FloatSize sizeForCSSDynamicViewportUnits() const;
- WEBCORE_EXPORT void copyCSSViewportSizeOverrides(FrameView&);
-
IntRect windowClipRect() const final;
WEBCORE_EXPORT IntRect windowClipRectForFrameOwner(const HTMLFrameOwnerElement*, bool clipToLayerContents) const;
@@ -863,23 +874,14 @@
void willDoLayout(WeakPtr<RenderElement> layoutRoot);
void didLayout(WeakPtr<RenderElement> layoutRoot);
- struct OverrideViewportSize {
- std::optional<float> width;
- std::optional<float> height;
-
- bool operator==(const OverrideViewportSize& rhs) const { return rhs.width == width && rhs.height == height; }
- };
FloatSize calculateSizeForCSSViewportUnitsOverride(std::optional<OverrideViewportSize>) const;
- void overrideSizeForCSSDefaultViewportUnits(OverrideViewportSize);
void overrideWidthForCSSDefaultViewportUnits(float);
void resetOverriddenWidthForCSSDefaultViewportUnits();
- void overrideSizeForCSSSmallViewportUnits(OverrideViewportSize);
void overrideWidthForCSSSmallViewportUnits(float);
void resetOverriddenWidthForCSSSmallViewportUnits();
- void overrideSizeForCSSLargeViewportUnits(OverrideViewportSize);
void overrideWidthForCSSLargeViewportUnits(float);
void resetOverriddenWidthForCSSLargeViewportUnits();
Modified: branches/safari-613.2.4.0-branch/Source/WebKit/ChangeLog (292046 => 292047)
--- branches/safari-613.2.4.0-branch/Source/WebKit/ChangeLog 2022-03-29 18:21:31 UTC (rev 292046)
+++ branches/safari-613.2.4.0-branch/Source/WebKit/ChangeLog 2022-03-29 18:21:32 UTC (rev 292047)
@@ -1,3 +1,50 @@
+2022-03-29 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r292042. rdar://problem/89434696
+
+ Unreviewed, fix UAF after r291980
+
+ Source/WebCore:
+
+ * page/FrameView.h:
+ (WebCore::FrameView::overrideSizeForCSSDefaultViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSSmallViewportUnits): Added.
+ (WebCore::FrameView::overrideSizeForCSSLargeViewportUnits): Added.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::setSizeForCSSDefaultViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSDefaultViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSDefaultViewportUnits): Renamed from `overrideSizeForCSSDefaultViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSSmallViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSSmallViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSSmallViewportUnits): Renamed from `overrideSizeForCSSSmallViewportUnits`.
+ (WebCore::FrameView::setSizeForCSSLargeViewportUnits):
+ (WebCore::FrameView::overrideWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::resetOverriddenWidthForCSSLargeViewportUnits):
+ (WebCore::FrameView::setOverrideSizeForCSSLargeViewportUnits): Renamed from `overrideSizeForCSSLargeViewportUnits`.
+ (WebCore::FrameView::copyCSSViewportSizeOverrides): Deleted.
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
+ Source/WebKit:
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage):
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292042 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-03-29 Devin Rousso <drou...@apple.com>
+
+ Unreviewed, fix UAF after r291980
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage):
+ Expose `OverrideViewportSize` so that we can copy those members specifically instead of
+ having to keep alive the old `FrameView` when transitioning to a new page.
+
2022-03-28 Alan Coon <alanc...@apple.com>
Cherry-pick r291622. rdar://problem/90935942
Modified: branches/safari-613.2.4.0-branch/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (292046 => 292047)
--- branches/safari-613.2.4.0-branch/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2022-03-29 18:21:31 UTC (rev 292046)
+++ branches/safari-613.2.4.0-branch/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2022-03-29 18:21:32 UTC (rev 292047)
@@ -1520,6 +1520,10 @@
auto oldView = m_frame->coreFrame()->view();
+ auto overrideSizeForCSSDefaultViewportUnits = oldView ? oldView->overrideSizeForCSSDefaultViewportUnits() : std::nullopt;
+ auto overrideSizeForCSSSmallViewportUnits = oldView ? oldView->overrideSizeForCSSSmallViewportUnits() : std::nullopt;
+ auto overrideSizeForCSSLargeViewportUnits = oldView ? oldView->overrideSizeForCSSLargeViewportUnits() : std::nullopt;
+
#if USE(COORDINATED_GRAPHICS)
if (oldView)
fixedVisibleContentRect = oldView->fixedVisibleContentRect();
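Review bot: copying the three overrides by value before the transition is exactly what removes the dependence on the old view's lifetime, so add a short comment at these lines saying so; `auto oldView = m_frame->coreFrame()->view()` hides whether `oldView` is a raw pointer or a `RefPtr`, and without the comment the next reader will not know why these copies exist or that `oldView` must not be touched once the new view is created.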
@@ -1546,9 +1550,15 @@
RefPtr<FrameView> view = m_frame->coreFrame()->view();
- if (view && oldView)
- view->copyCSSViewportSizeOverrides(*oldView);
+ if (overrideSizeForCSSDefaultViewportUnits)
+ view->setOverrideSizeForCSSDefaultViewportUnits(*overrideSizeForCSSDefaultViewportUnits);
+ if (overrideSizeForCSSSmallViewportUnits)
+ view->setOverrideSizeForCSSSmallViewportUnits(*overrideSizeForCSSSmallViewportUnits);
+
+ if (overrideSizeForCSSLargeViewportUnits)
+ view->setOverrideSizeForCSSLargeViewportUnits(*overrideSizeForCSSLargeViewportUnits);
+
if (int width = webPage->minimumSizeForAutoLayout().width()) {
int height = std::max(webPage->minimumSizeForAutoLayout().height(), 1);
view->enableFixedWidthAutoSizeMode(true, { width, height });
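Review bot: the removed `if (view && oldView)` guard also null-checked `view`, and the three replacement `if` blocks dereference `view` unconditionally; that matches the unchanged `view->enableFixedWidthAutoSizeMode(...)` below, which already assumes `view` is non-null, but if the old null check was load-bearing the new blocks need it back. Minor style point: there is a blank line between the Small and Large blocks but not between the Default and Small ones.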