FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/38055732>
Reviewed by Zalan Bujtas.
Source/WebCore:
In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
Test: editing/selection/iframe-update-selection-appearance.html
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::appearanceUpdateTimerFired):
LayoutTests:
Add a new layout test that passes if we didn't crash.
* editing/selection/iframe-update-selection-appearance-expected.txt: Added.
* editing/selection/iframe-update-selection-appearance.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc
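The lifetime pattern the change describes, as an added illustration that is not WebKit code: a timer callback holds a raw back-pointer to a ref-counted object, arbitrary script run from inside the callback can drop the owner's only reference, and the fix is to take a local strong reference (a `Ref`) at the top of the callback so the object cannot be freed underneath it. The `Frame`, `Ref`, `FrameOwner` and `FrameSelection` types below are deliberately minimal stand-ins for the WebCore classes and are assumptions of this example.

```cpp
#include <functional>

// Simplified stand-in for a WebCore RefCounted object (assumption of this example).
struct Frame {
    int refCount = 0;
    static int liveFrames;  // number of Frame objects currently alive
    Frame() { ++liveFrames; }
    ~Frame() { --liveFrames; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int Frame::liveFrames = 0;

// Tiny strong-reference handle in the spirit of WebCore's Ref<T> (assumption).
template <typename T> class Ref {
public:
    explicit Ref(T& t) : m_ptr(&t) { m_ptr->ref(); }
    ~Ref() { m_ptr->deref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
    T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

// The owner holds the only long-lived reference to the Frame and may drop it
// while script runs (the "removed by arbitrary script" case in the change).
struct FrameOwner {
    Frame* frame;
    FrameOwner() : frame(new Frame) { frame->ref(); }
    void detachFrame() { if (frame) { frame->deref(); frame = nullptr; } }
    ~FrameOwner() { detachFrame(); }
};

// The object whose timer fires. m_frame is a raw back-reference, as in the
// situation the change mitigates.
struct FrameSelection {
    Frame& m_frame;
    std::function<void()> runScript;  // arbitrary script that may run during layout

    explicit FrameSelection(Frame& f) : m_frame(f) {}

    // Hardened timer callback: take a local Ref before anything that can
    // re-enter script, so the Frame outlives the body of this function.
    bool appearanceUpdateTimerFired() {
        Ref<Frame> protectedFrame(m_frame);
        if (runScript)
            runScript();  // may cause the owner to detach (deref) the frame
        // Still safe to touch the frame here: protectedFrame keeps it alive.
        return protectedFrame.get().refCount >= 1;
    }
};

// Drives the scenario: script drops the owner's reference mid-callback.
// Returns true if the frame stayed alive during the callback and was
// released exactly when the local Ref went out of scope.
bool runScenario() {
    FrameOwner owner;
    FrameSelection selection(*owner.frame);
    selection.runScript = [&owner] { owner.detachFrame(); };

    if (Frame::liveFrames != 1)
        return false;
    bool aliveDuringCallback = selection.appearanceUpdateTimerFired();
    // protectedFrame has been destroyed; the owner already dropped its
    // reference, so the Frame is gone now and nothing dangles in use.
    return aliveDuringCallback && Frame::liveFrames == 0;
}
```

Without the local `Ref`, the same callback would continue using `m_frame` after `detachFrame()` freed it, which is the use-after-free class of bug the new layout test guards against by simply not crashing.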