Heap-use-after-free regression
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Mar 2013 22:03:16 +0000 (22:03 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Mar 2013 22:03:16 +0000 (22:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=113337

Reviewed by Abhishek Arya and Alexey Proskuryakov.

Source/WebCore:

Use RefPtr instead of raw pointer in m_associatedFormControls.

* dom/Document.cpp:
(WebCore::Document::didAssociateFormControlsTimerFired):
* dom/Document.h:
(Document):
* loader/EmptyClients.h:
(WebCore::EmptyChromeClient::didAssociateFormControls):
* page/ChromeClient.h:
(WebCore::ChromeClient::didAssociateFormControls):

Source/WebKit/chromium:

* src/ChromeClientImpl.cpp:
(WebKit::ChromeClientImpl::didAssociateFormControls):
* src/ChromeClientImpl.h:
(ChromeClientImpl):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@146935 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/loader/EmptyClients.h
Source/WebCore/page/ChromeClient.h
Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/src/ChromeClientImpl.cpp
Source/WebKit/chromium/src/ChromeClientImpl.h

index 731104c..d52a916 100644 (file)
@@ -1,3 +1,21 @@
+2013-03-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Heap-use-after-free regression
+        https://bugs.webkit.org/show_bug.cgi?id=113337
+
+        Reviewed by Abhishek Arya and Alexey Proskuryakov.
+
+        Use RefPtr instead of raw pointer in m_associatedFormControls.
+
+        * dom/Document.cpp:
+        (WebCore::Document::didAssociateFormControlsTimerFired):
+        * dom/Document.h:
+        (Document):
+        * loader/EmptyClients.h:
+        (WebCore::EmptyChromeClient::didAssociateFormControls):
+        * page/ChromeClient.h:
+        (WebCore::ChromeClient::didAssociateFormControls):
+
 2013-03-26  Alexey Proskuryakov  <ap@apple.com>
 
         <rdar://problem/13194263> Crashes in NetworkProcess due to threading issues
index 470fa05..7f05241 100644 (file)
@@ -6195,7 +6195,7 @@ void Document::didAssociateFormControlsTimerFired(Timer<Document>* timer)
     if (!frame() || !frame()->page())
         return;
 
-    Vector<Element*> associatedFormControls;
+    Vector<RefPtr<Element> > associatedFormControls;
     copyToVector(m_associatedFormControls, associatedFormControls);
 
     frame()->page()->chrome()->client()->didAssociateFormControls(associatedFormControls);
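Review bot: The RefPtr copy on the new line keeps each element alive across the client call, which closes the dangling-pointer hole, but it does not guarantee the element is still in this document when the timer fires: an element removed from the tree between association and firing is now delivered alive rather than freed. Unless the caller side already filters, the client will receive detached nodes, so a guard such as `if (!element->inDocument()) continue;` before the client consumes each entry (or dropping them while copying) would make the contract explicit. I would also add a comment above the vector, `// Hold a ref on each element: the client may run script that removes it from the tree.`, since the reason for the RefPtr is otherwise only in the bug title. The remainder of didAssociateFormControlsTimerFired, including whatever clears m_associatedFormControls, lies outside the hunk; if the set is not cleared after this call, the RefPtrs in it pin every associated element for the document's lifetime.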
index 05e7c69..c66ec36 100644 (file)
@@ -1599,7 +1599,7 @@ private:
 #endif
 
     Timer<Document> m_didAssociateFormControlsTimer;
-    HashSet<Element*> m_associatedFormControls;
+    HashSet<RefPtr<Element> > m_associatedFormControls;
 
 };
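Review bot: The new member has no comment explaining why the set now owns references, so a later cleanup could plausibly revert it to `HashSet<Element*>` to avoid the ref traffic and reintroduce the use-after-free. A short note above the declaration would pin the intent, e.g. `// Holds refs: entries live until m_didAssociateFormControlsTimer fires and hands them to the ChromeClient, which may run script that removes them (bug 113337).` Whether the set is cleared on document teardown is not visible in this hunk; if it is not, the RefPtrs keep the elements, and through them their guard refs on the document, alive longer than before.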
 
index 3a90361..add5018 100644 (file)
@@ -209,7 +209,7 @@ public:
     
     virtual bool isEmptyChromeClient() const { return true; }
 
-    virtual void didAssociateFormControls(const Vector<Element*>&) { }
+    virtual void didAssociateFormControls(const Vector<RefPtr<Element> >&) { }
     virtual bool shouldNotifyOnFormChanges() { return false; }
 };
 
index a1482cf..f46a243 100644 (file)
@@ -382,7 +382,7 @@ public:
     // FIXME: Port should return true using heuristic based on scrollable(RenderBox).
     virtual bool shouldAutoscrollForDragAndDrop(RenderBox*) const { return false; }
 
-    virtual void didAssociateFormControls(const Vector<Element*>&) { };
+    virtual void didAssociateFormControls(const Vector<RefPtr<Element> >&) { };
     virtual bool shouldNotifyOnFormChanges() { return false; };
 
 protected:
index bc121e8..7d872b5 100644 (file)
@@ -1,3 +1,15 @@
+2013-03-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Heap-use-after-free regression
+        https://bugs.webkit.org/show_bug.cgi?id=113337
+
+        Reviewed by Abhishek Arya and Alexey Proskuryakov.
+
+        * src/ChromeClientImpl.cpp:
+        (WebKit::ChromeClientImpl::didAssociateFormControls):
+        * src/ChromeClientImpl.h:
+        (ChromeClientImpl):
+
 2013-03-26  Tony Chang  <tony@chromium.org>
 
         Autogenerate the scrollAnimatorEnabled setting in Settings.in
index a502a7e..d45df3e 100644 (file)
@@ -1145,7 +1145,7 @@ void ChromeClientImpl::annotatedRegionsChanged()
 }
 #endif
 
-void ChromeClientImpl::didAssociateFormControls(const Vector<Element*>& elements)
+void ChromeClientImpl::didAssociateFormControls(const Vector<RefPtr<Element> >& elements)
 {
     if (!m_webView->autofillClient())
         return;
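Review bot: Only the signature changes in this hunk; the body of ChromeClientImpl::didAssociateFormControls that consumes `elements` continues outside it. Because each entry is now a `RefPtr<Element>`, any code there that passed raw `Element*` into autofill structures needs `.get()`, and whatever the autofill client receives must not outlive the call, since the refs in `elements` are released when this function returns. If the rest of the body iterates the vector, it is worth confirming it skips elements that are no longer in a document, as the refs keep removed nodes alive.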
index 57b3169..dbccd4b 100644 (file)
@@ -234,7 +234,7 @@ public:
     virtual bool isPointerLocked();
 #endif
 
-    virtual void didAssociateFormControls(const Vector<WebCore::Element*>&) OVERRIDE;
+    virtual void didAssociateFormControls(const Vector<RefPtr<WebCore::Element> >&) OVERRIDE;
     virtual bool shouldNotifyOnFormChanges() OVERRIDE;
 
 private: