<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[189694] releases/WebKitGTK/webkit-2.10/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/189694">189694</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-09-14 01:37:43 -0700 (Mon, 14 Sep 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/188765">r188765</a> - HistoryItems will null CachedPages should never be left in the list of items;
causes crash
https://bugs.webkit.org/show_bug.cgi?id=148237
-and corresponding-
rdar://problem/22356782
Reviewed by Brady Eidson.
Setting the CachedPage to nullptr will destroy the CachedPage, destroy the
FrameView, re-enter layout, and potentially try to modify items in the PageCache
based on that layout. So, we should not modify CachedPage in this way while the
item is still in the list of HistoryItems.
* history/PageCache.cpp:
(WebCore::PageCache::take):
(WebCore::PageCache::remove):
(WebCore::PageCache::prune):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCorehistoryPageCachecpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/history/PageCache.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit210SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (189693 => 189694)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-09-14 08:35:52 UTC (rev 189693)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-09-14 08:37:43 UTC (rev 189694)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2015-08-21 Beth Dakin <bdakin@apple.com>
+
+ HistoryItems will null CachedPages should never be left in the list of items;
+ causes crash
+ https://bugs.webkit.org/show_bug.cgi?id=148237
+ -and corresponding-
+ rdar://problem/22356782
+
+ Reviewed by Brady Eidson.
+
+ Setting the CachedPage to nullptr will destroy the CachedPage, destroy the
+ FrameView, re-enter layout, and potentially try to modify items in the PageCache
+ based on that layout. So, we should not modify CachedPage in this way while the
+ item is still in the list of HistoryItems.
+ * history/PageCache.cpp:
+ (WebCore::PageCache::take):
+ (WebCore::PageCache::remove):
+ (WebCore::PageCache::prune):
+
</ins><span class="cx"> 2015-08-19 Wenson Hsieh <wenson_hsieh@apple.com>
</span><span class="cx">
</span><span class="cx"> Select validation does not correctly work when handling change event
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCorehistoryPageCachecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/history/PageCache.cpp (189693 => 189694)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/history/PageCache.cpp 2015-09-14 08:35:52 UTC (rev 189693)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/history/PageCache.cpp 2015-09-14 08:37:43 UTC (rev 189694)
</span><span class="lines">@@ -396,8 +396,8 @@
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- std::unique_ptr<CachedPage> cachedPage = WTF::move(item.m_cachedPage);
</del><span class="cx"> m_items.remove(&item);
</span><ins>+ std::unique_ptr<CachedPage> cachedPage = WTF::move(item.m_cachedPage);
</ins><span class="cx">
</span><span class="cx"> if (cachedPage->hasExpired()) {
</span><span class="cx"> LOG(PageCache, "Not restoring page for %s from back/forward cache because cache entry has expired", item.url().string().ascii().data());
</span><span class="lines">@@ -432,17 +432,16 @@
</span><span class="cx"> if (!item.m_cachedPage)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- item.m_cachedPage = nullptr;
</del><span class="cx"> m_items.remove(&item);
</span><ins>+ item.m_cachedPage = nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void PageCache::prune(PruningReason pruningReason)
</span><span class="cx"> {
</span><span class="cx"> while (pageCount() > maxSize()) {
</span><del>- auto& oldestItem = m_items.first();
</del><ins>+ auto oldestItem = m_items.takeFirst();
</ins><span class="cx"> oldestItem->m_cachedPage = nullptr;
</span><span class="cx"> oldestItem->m_pruningReason = pruningReason;
</span><del>- m_items.removeFirst();
</del><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>