Title: [166372] trunk/Source/WebCore
Revision: 166372
Author: simon.fra...@apple.com
Date: 2014-03-27 15:28:02 -0700 (Thu, 27 Mar 2014)

Log Message

Fix crash when RenderView is cleared inside of frame flattening layout
https://bugs.webkit.org/show_bug.cgi?id=130864

Reviewed by Dan Bernstein.

Navigating on http://wallstcheatsheet.com pages on iOS in WebKit1 would
sometimes crash when, inside the inChildFrameLayoutWithFrameFlattening clause,
our frame's RenderView would be null after doing a layout from the root frame,
possibly also when WebCore was being re-entered from another thread.

Add a null check to fix this.

Crash was timing-dependent and hard to test.

* page/FrameView.cpp:
(WebCore::FrameView::layout):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/FrameView.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (166371 => 166372)


--- trunk/Source/WebCore/ChangeLog	2014-03-27 22:00:46 UTC (rev 166371)
+++ trunk/Source/WebCore/ChangeLog	2014-03-27 22:28:02 UTC (rev 166372)
@@ -1,3 +1,22 @@
+2014-03-27  Simon Fraser  <simon.fra...@apple.com>
+
+        Fix crash when RenderView is cleared inside of frame flattening layout
+        https://bugs.webkit.org/show_bug.cgi?id=130864
+
+        Reviewed by Dan Bernstein.
+        
+        Navigating on http://wallstcheatsheet.com pages on iOS in WebKit1 would
+        sometimes crash when, inside the inChildFrameLayoutWithFrameFlattening clause,
+        our frame's RenderView would be null after doing a layout from the root frame,
+        possibly also when WebCore was being re-entered from another thread.
+        
+        Add a null check to fix this.
+        
+        Crash was timing-dependent and hard to test.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::layout):
+
 2014-03-27  Antti Koivisto  <an...@apple.com>
 
         Remove some unnecessary branches from LiveNodeList traversal
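Review bot: three of the blank separator lines in the new ChangeLog entry (after "Reviewed by Dan Bernstein.", after the paragraph ending "re-entered from another thread.", and after "Add a null check to fix this.") are emitted as "+        " with trailing whitespace rather than as a bare "+"; trim them so the entry matches the whitespace-free blank lines elsewhere in the same hunk and does not trip trailing-whitespace checks. The entry also says the crash was timing-dependent and hard to test; stating explicitly that no new test is added, and the conditions under which the crash was seen (WebKit1 on iOS while navigating), would document the gap for whoever later tries to write a regression test.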

Modified: trunk/Source/WebCore/page/FrameView.cpp (166371 => 166372)


--- trunk/Source/WebCore/page/FrameView.cpp	2014-03-27 22:00:46 UTC (rev 166371)
+++ trunk/Source/WebCore/page/FrameView.cpp	2014-03-27 22:28:02 UTC (rev 166372)
@@ -1080,7 +1080,7 @@
     if (inChildFrameLayoutWithFrameFlattening) {
         startLayoutAtMainFrameViewIfNeeded(allowSubtree);
         RenderElement* root = m_layoutRoot ? m_layoutRoot : frame().document()->renderView();
-        if (!root->needsLayout())
+        if (!root || !root->needsLayout())
             return;
     }
 
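Review bot: the added `!root` guard in `if (!root || !root->needsLayout())` only covers the `frame().document()->renderView()` branch of the initializer on the preceding line, since `root` is non-null whenever `m_layoutRoot` is chosen, and nothing in the hunk records why the RenderView can be gone at this point. A one-line comment above the check saying that the layout started by `startLayoutAtMainFrameViewIfNeeded(allowSubtree)` on the line before can clear this frame's RenderView would keep a later reader from removing the null check as redundant. Because the ChangeLog also raises possible re-entry from another thread as a cause, a debug-only main-thread assertion next to this check would help confirm or rule out that path instead of silently returning.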
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes