WebKit GIT trees - WebKit-https.git/commit

FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/38055732>

Reviewed by Zalan Bujtas.

Source/WebCore:

In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer.

Test: editing/selection/iframe-update-selection-appearance.html

* editing/FrameSelection.cpp:
(WebCore::FrameSelection::appearanceUpdateTimerFired):

LayoutTests:

Add a new layout test that passes if we didn't crash.

* editing/selection/iframe-update-selection-appearance-expected.txt: Added.
* editing/selection/iframe-update-selection-appearance.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 11 Apr 2018 03:44:00 +0000 (03:44 +0000)
committer	wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 11 Apr 2018 03:44:00 +0000 (03:44 +0000)
commit	172510e8ae7f599133389d290e89b44fc64ac635
tree	7ef8063cc813135e53ef0bf8317a5b7334fff753	tree \| snapshot
parent	242331e611ba9d387f2b0067da39adaa76a031b5	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/editing/selection/iframe-update-selection-appearance-expected.txt	[new file with mode: 0644]	blob
LayoutTests/editing/selection/iframe-update-selection-appearance.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/editing/FrameSelection.cpp		diff \| blob \| history