Title: [226105] releases/WebKitGTK/webkit-2.18
- Revision
- 226105
- Author
- carlo...@webkit.org
- Date
- 2017-12-18 23:50:23 -0800 (Mon, 18 Dec 2017)
Log Message
Merge r225719 - Document::updateLayout() could destroy current frame.
https://bugs.webkit.org/show_bug.cgi?id=180525
<rdar://problem/35906836>
Reviewed by Simon Fraser.
Source/WebCore:
Early return when Document::updateLayout() triggers Frame destruction.
Test: fast/frames/crash-when-iframe-is-remove-in-eventhandler.html
* dom/TreeScope.cpp:
(WebCore::absolutePointIfNotClipped):
LayoutTests:
* fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt: Added.
* fast/frames/crash-when-iframe-is-remove-in-eventhandler.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (226104 => 226105)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-12-19 07:48:30 UTC (rev 226104)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-12-19 07:50:23 UTC (rev 226105)
@@ -1,3 +1,14 @@
+2017-12-08 Zalan Bujtas <za...@apple.com>
+
+ Document::updateLayout() could destroy current frame.
+ https://bugs.webkit.org/show_bug.cgi?id=180525
+ <rdar://problem/35906836>
+
+ Reviewed by Simon Fraser.
+
+ * fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt: Added.
+ * fast/frames/crash-when-iframe-is-remove-in-eventhandler.html: Added.
+
2017-11-30 Alex Christensen <achristen...@webkit.org>
Extra PerformanceEntryList entry after iframe navigation
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt (0 => 226105)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt 2017-12-19 07:50:23 UTC (rev 226105)
@@ -0,0 +1 @@
+PASS if no crash.
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html (0 => 226105)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html 2017-12-19 07:50:23 UTC (rev 226105)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<span id=span></span>
+<span id=wrapper></span>
+<textarea id=textarea _onfocus_="eventhandler()"></textarea>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.offsetHeight;
+textarea.autofocus = true;
+var iframe = document.createElement("iframe");
+span.appendChild(iframe);
+wrapper.appendChild(textarea);
+iframe.contentDocument.caretRangeFromPoint();
+
+function eventhandler() {
+ textarea.insertAdjacentElement("beforeBegin", span);
+}
+</script>
+</body>
+</html>
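Review bot: `document.offsetHeight;` is a no-op as written: `Document` has no `offsetHeight` property, so the expression evaluates to `undefined` and does not force the layout the test presumably wants before the iframe is inserted; `document.body.offsetHeight;` would. Two smaller points on the same hunk: the handler attribute appears as `_onfocus_="eventhandler()"`, which is not a recognized event-handler attribute (if this is the list archive's mangling of `onfocus` it is harmless, but as shown the test would never run `eventhandler()`, and the crash path, focus firing inside `updateLayout()` and re-inserting the span that holds the iframe, would not be exercised), and `iframe.contentDocument.caretRangeFromPoint()` is called with no coordinates; passing `0, 0` explicitly makes the entry into `absolutePointIfNotClipped` obvious to a reader and avoids relying on the arguments being optional.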
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog (226104 => 226105)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-12-19 07:48:30 UTC (rev 226104)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-12-19 07:50:23 UTC (rev 226105)
@@ -1,3 +1,18 @@
+2017-12-08 Zalan Bujtas <za...@apple.com>
+
+ Document::updateLayout() could destroy current frame.
+ https://bugs.webkit.org/show_bug.cgi?id=180525
+ <rdar://problem/35906836>
+
+ Reviewed by Simon Fraser.
+
+ Early return when Document::updateLayout() triggers Frame destruction.
+
+ Test: fast/frames/crash-when-iframe-is-remove-in-eventhandler.html
+
+ * dom/TreeScope.cpp:
+ (WebCore::absolutePointIfNotClipped):
+
2017-12-05 Alex Christensen <achristen...@webkit.org>
Fix non-unified build after r225381
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/TreeScope.cpp (226104 => 226105)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/TreeScope.cpp 2017-12-19 07:48:30 UTC (rev 226104)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/TreeScope.cpp 2017-12-19 07:50:23 UTC (rev 226105)
@@ -298,13 +298,14 @@
static std::optional<LayoutPoint> absolutePointIfNotClipped(Document& document, const LayoutPoint& clientPoint)
{
- auto* frame = document.frame();
- auto* view = document.view();
- if (!frame || !view)
+ if (!document.frame() || !document.view())
return std::nullopt;
- if (frame->settings().visualViewportEnabled()) {
+ if (document.frame()->settings().visualViewportEnabled()) {
document.updateLayout();
+ if (!document.view() || !document.hasLivingRenderTree())
+ return std::nullopt;
+ auto* view = document.view();
FloatPoint layoutViewportPoint = view->clientToLayoutViewportPoint(clientPoint);
FloatRect layoutViewportBounds({ }, view->layoutViewportRect().size());
if (!layoutViewportBounds.contains(layoutViewportPoint))
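Review bot: the guard after `document.updateLayout()` reads `document.view()` twice (`if (!document.view() || !document.hasLivingRenderTree())` followed by `auto* view = document.view();`), and the condition above it re-calls `document.frame()` for `settings()` instead of using a local; binding once, `auto* view = document.view(); if (!view || !document.hasLivingRenderTree()) return std::nullopt;`, reads more clearly and makes explicit that the pointer dereferenced below is the post-layout one. That re-fetch is the substance of the fix: `updateLayout()` can run script (the accompanying test moves the span holding the iframe from a focus handler), which can detach the iframe and destroy its Frame and FrameView, so a `view` cached before the call would dangle. A one-line comment above the check saying exactly that would help, since nothing in the hunk otherwise explains why the view is looked up a second time.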
@@ -312,6 +313,8 @@
return LayoutPoint(view->layoutViewportToAbsolutePoint(layoutViewportPoint));
}
+ auto* frame = document.frame();
+ auto* view = document.view();
float scaleFactor = frame->pageZoomFactor() * frame->frameScaleFactor();
LayoutPoint absolutePoint = clientPoint;
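Review bot: the `auto* frame = document.frame(); auto* view = document.view();` pair restored here for the non-visual-viewport path is taken without any post-layout re-validation, so it is only safe if nothing in the remainder of this branch (not shown in the hunk) triggers layout or runs script; if that code calls `document.updateLayout()` or anything equivalent, it needs the same `view()` / `hasLivingRenderTree()` recheck as the branch above. Also, since both pointers were already verified non-null at the top of the function and the visual-viewport branch returns on every path, the two locals could be declared once before the `if` and only re-fetched inside it after `updateLayout()`, avoiding the duplicated `document.frame()` / `document.view()` calls.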
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes