svg/text/select-text-inside-non-static-position.html crashes under ScrollingStateTree...
author simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 00:15:01 +0000 (00:15 +0000)
committer simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 00:15:01 +0000 (00:15 +0000)
https://bugs.webkit.org/show_bug.cgi?id=193930

Reviewed by Tim Horton.

ScrollingStateTree::unparentChildrenAndDestroyNode() should make a copy of the 'children' vector
before iterating, since iteration mutates the array.

Tested by ASan tests.

* page/scrolling/ScrollingStateNode.h:
(WebCore::ScrollingStateNode::takeChildren):
* page/scrolling/ScrollingStateTree.cpp:
(WebCore::ScrollingStateTree::unparentChildrenAndDestroyNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240610 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/page/scrolling/ScrollingStateNode.h
Source/WebCore/page/scrolling/ScrollingStateTree.cpp

index 0f4b636..b9260e6 100644 (file)
@@ -1,5 +1,22 @@
 2019-01-28  Simon Fraser  <simon.fraser@apple.com>
 
+        svg/text/select-text-inside-non-static-position.html crashes under ScrollingStateTree::unparentChildrenAndDestroyNode()
+        https://bugs.webkit.org/show_bug.cgi?id=193930
+
+        Reviewed by Tim Horton.
+
+        ScrollingStateTree::unparentChildrenAndDestroyNode() should make a copy of the 'children' vector
+        before iterating, since iteration mutates the array.
+
+        Tested by ASan tests.
+
+        * page/scrolling/ScrollingStateNode.h:
+        (WebCore::ScrollingStateNode::takeChildren):
+        * page/scrolling/ScrollingStateTree.cpp:
+        (WebCore::ScrollingStateTree::unparentChildrenAndDestroyNode):
+
+2019-01-28  Simon Fraser  <simon.fraser@apple.com>
+
         css3/filters/blur-filter-page-scroll-self.html crashes under WebCore::ScrollingStateNode::ScrollingStateNode
         https://bugs.webkit.org/show_bug.cgi?id=193925
 
index a0747ec..1153088 100644 (file)
@@ -236,6 +236,7 @@ public:
     ScrollingNodeID parentNodeID() const { return m_parent ? m_parent->scrollingNodeID() : 0; }
 
     Vector<RefPtr<ScrollingStateNode>>* children() const { return m_children.get(); }
+    std::unique_ptr<Vector<RefPtr<ScrollingStateNode>>> takeChildren() { return WTFMove(m_children); }
 
     void appendChild(Ref<ScrollingStateNode>&&);
     void insertChild(Ref<ScrollingStateNode>&&, size_t index);
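Review bot: takeChildren() leaves m_children null after the move, so every later children() call on this node returns nullptr; a one-line comment on the new accessor stating that it detaches the whole child vector and that the node has no children afterwards would save the next reader from discovering that in the .cpp, and the unique_ptr return is the only thing keeping the Ref'd children alive until the caller is done with them.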
index 5fa1229..8382a67 100644 (file)
@@ -227,12 +227,12 @@ void ScrollingStateTree::unparentChildrenAndDestroyNode(ScrollingNodeID nodeID)
         m_rootStateNode = nullptr;
 
     if (auto* children = protectedNode->children()) {
-        for (auto child : *children) {
+        auto isolatedChildren = protectedNode->takeChildren();
+        for (auto child : *isolatedChildren) {
             child->removeFromParent();
             LOG_WITH_STREAM(Scrolling, stream << " moving " << child->scrollingNodeID() << " to unparented nodes");
             m_unparentedNodes.add(child->scrollingNodeID(), WTFMove(child));
         }
-        children->clear();
     }
     
     protectedNode->removeFromParent();
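Review bot: moving the vector out with takeChildren() before the loop is the right fix, since child->removeFromParent() is what was mutating *children mid-iteration; but removeFromParent() will now run against a parent whose m_children is already null, so this hunk relies on that removal path tolerating a missing child vector, which deserves either an ASSERT or a short comment next to the takeChildren() line. With the copy gone, the `children` binding in `if (auto* children = protectedNode->children())` serves only as a null test; `if (protectedNode->children())` would make that explicit. Dropping `children->clear()` is fine, as `isolatedChildren` is destroyed at the end of the block and the loop copies each RefPtr before WTFMove'ing it into m_unparentedNodes.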