Title: [188712] trunk/Source/WebCore
- Revision: 188712
- Author: bda...@apple.com
- Date: 2015-08-20 15:37:22 -0700 (Thu, 20 Aug 2015)
Log Message
WK1 can re-enter layout during FrameView destruction and crash
https://bugs.webkit.org/show_bug.cgi?id=148237
-and corresponding-
rdar://problem/22356782
Reviewed by Zalan Bujtas.
This is a safe fix for the time being. We won't resetScrollbars() for a FrameView
that is in the PageCache because resetting scrollbars can re-enter layout for the
Frame's new FrameView, which leads to updating pages in the page cache, which
leads to a crash because we're in the process of destroying something
in the page cache. We should not be able to get into this mess at all.
* page/FrameView.cpp:
(WebCore::FrameView::~FrameView):
Diff
Modified: trunk/Source/WebCore/ChangeLog (188711 => 188712)
--- trunk/Source/WebCore/ChangeLog 2015-08-20 22:32:10 UTC (rev 188711)
+++ trunk/Source/WebCore/ChangeLog 2015-08-20 22:37:22 UTC (rev 188712)
@@ -1,3 +1,20 @@
+2015-08-20 Beth Dakin <bda...@apple.com>
+
+ WK1 can re-enter layout during FrameView destruction and crash
+ https://bugs.webkit.org/show_bug.cgi?id=148237
+ -and corresponding-
+ rdar://problem/22356782
+
+ Reviewed by Zalan Bujtas.
+
+ This is a safe fix for the time being. We won't resetScrollbars() for a FrameView
+ that is in the PageCache because resetting scrollbars can re-enter layout for the
+ Frame's new FrameView, which leads to updating pages in the page cache, which
+ leads to a crash because we're in the process of destroying something
+ in the page cache. We should not be able to get into this mess at all.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::~FrameView):
+
2015-08-20 Chris Dumez <cdu...@apple.com>
Default value for createNodeIterator() / createTreeWalker()'s whatToShow parameter should be 0xFFFFFFFF
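Review bot: The new ChangeLog entry states no testing status, which WebKit ChangeLog entries normally carry (either a test name or a line such as "No new tests, because ..." explaining why the crash is not covered by a regression test); please add one. The entry also calls this a fix "for the time being" and says "We should not be able to get into this mess at all" without pointing at a follow-up bug for the real fix, so the temporary guard in FrameView::~FrameView has nothing tracking its removal; reference the tracking bug here so that the workaround is not forgotten.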
Modified: trunk/Source/WebCore/page/FrameView.cpp (188711 => 188712)
--- trunk/Source/WebCore/page/FrameView.cpp 2015-08-20 22:32:10 UTC (rev 188711)
+++ trunk/Source/WebCore/page/FrameView.cpp 2015-08-20 22:37:22 UTC (rev 188712)
@@ -267,8 +267,14 @@
m_postLayoutTasksTimer.stop();
removeFromAXObjectCache();
- resetScrollbars();
+ // FIXME: This is a safe fix for rdar://problem/22356782. We won't resetScrollbars() for a FrameView that is in
+ // the PageCache because resetting scrollbars can re-enter layout for the Frame's new FrameView, which leads to
+ // updating pages in the page cache, which leads to a crash because we're in the process of destroying something
+ // in the page cache. We should not be able to get into this mess at all.
+ if (frame().view() == this)
+ resetScrollbars();
+
// Custom scrollbars should already be destroyed at this point
ASSERT(!horizontalScrollbar() || !horizontalScrollbar()->isCustomScrollbar());
ASSERT(!verticalScrollbar() || !verticalScrollbar()->isCustomScrollbar());
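Review bot: The guard `if (frame().view() == this)` does not check what the comment claims: it skips resetScrollbars() for any FrameView that is no longer the Frame's current view, not specifically for one "that is in the PageCache". Either reword the comment to say that resetScrollbars() is only run while this view is still the frame's active view, or make the check match the stated intent. The FIXME also cites only `rdar://problem/22356782`, which is not visible to non-Apple contributors; add `https://bugs.webkit.org/show_bug.cgi?id=148237` (already in the ChangeLog) so the tracking bug can be found from the code. Finally, since the crash is layout re-entering during destruction, consider an ASSERT documenting that assumption in the skipped branch (for example asserting that the view is not the frame's current view) so that a future regression to re-entrant layout surfaces in debug builds rather than as a use-during-destruction crash.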
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes