Title: [188712] trunk/Source/WebCore
Revision: 188712
Author: bda...@apple.com
Date: 2015-08-20 15:37:22 -0700 (Thu, 20 Aug 2015)

Log Message

WK1 can re-enter layout during FrameView destruction and crash
https://bugs.webkit.org/show_bug.cgi?id=148237
-and corresponding-
rdar://problem/22356782

Reviewed by Zalan Bujtas.

This is a safe fix for the time being. We won't resetScrollbars() for a FrameView
that is in the PageCache because resetting scrollbars can re-enter layout for the
Frame's new FrameView, which leads to updating pages in the page cache, which
leads to a crash because we're in the process of destroying something
in the page cache. We should not be able to get into this mess at all.

* page/FrameView.cpp:
(WebCore::FrameView::~FrameView):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/FrameView.cpp
Diff

Modified: trunk/Source/WebCore/ChangeLog (188711 => 188712)


--- trunk/Source/WebCore/ChangeLog	2015-08-20 22:32:10 UTC (rev 188711)
+++ trunk/Source/WebCore/ChangeLog	2015-08-20 22:37:22 UTC (rev 188712)
@@ -1,3 +1,20 @@
+2015-08-20  Beth Dakin  <bda...@apple.com>
+
+        WK1 can re-enter layout during FrameView destruction and crash
+        https://bugs.webkit.org/show_bug.cgi?id=148237
+        -and corresponding-
+        rdar://problem/22356782
+
+        Reviewed by Zalan Bujtas.
+
+        This is a safe fix for the time being. We won't resetScrollbars() for a FrameView 
+        that is in the PageCache because resetting scrollbars can re-enter layout for the 
+        Frame's new FrameView, which leads to updating pages in the page cache, which 
+        leads to a crash because we're in the process of destroying something
+        in the page cache. We should not be able to get into this mess at all.
+        * page/FrameView.cpp:
+        (WebCore::FrameView::~FrameView):
+
 2015-08-20  Chris Dumez  <cdu...@apple.com>
 
         Default value for createNodeIterator() / createTreeWalker()'s whatToShow parameter should be 0xFFFFFFFF
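Review bot: the new ChangeLog entry runs the prose paragraph straight into the file list ("in the page cache. We should not be able to get into this mess at all." is immediately followed by "* page/FrameView.cpp:"); WebKit ChangeLog entries separate the description from the per-file list with a blank line, so add one before "* page/FrameView.cpp:". The three description lines ending "for a FrameView ", "layout for the " and "page cache, which " also carry trailing whitespace that should be stripped before landing.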

Modified: trunk/Source/WebCore/page/FrameView.cpp (188711 => 188712)


--- trunk/Source/WebCore/page/FrameView.cpp	2015-08-20 22:32:10 UTC (rev 188711)
+++ trunk/Source/WebCore/page/FrameView.cpp	2015-08-20 22:37:22 UTC (rev 188712)
@@ -267,8 +267,14 @@
         m_postLayoutTasksTimer.stop();
     
     removeFromAXObjectCache();
-    resetScrollbars();
 
+    // FIXME: This is a safe fix for rdar://problem/22356782. We won't resetScrollbars() for a FrameView that is in
+    // the PageCache because resetting scrollbars can re-enter layout for the Frame's new FrameView, which leads to
+    // updating pages in the page cache, which leads to a crash because we're in the process of destroying something
+    // in the page cache. We should not be able to get into this mess at all.
+    if (frame().view() == this)
+        resetScrollbars();
+
     // Custom scrollbars should already be destroyed at this point
     ASSERT(!horizontalScrollbar() || !horizontalScrollbar()->isCustomScrollbar());
     ASSERT(!verticalScrollbar() || !verticalScrollbar()->isCustomScrollbar());
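Review bot: the guard `if (frame().view() == this)` does not literally test "a FrameView that is in the PageCache" as the comment above it says; it tests whether this view is still the Frame's current view, and the page-cache case is inferred from the Frame having already moved on to a new FrameView. The comment should state that proxy explicitly (e.g. "skip resetScrollbars() when this is no longer frame().view(), which is the case for a FrameView held only by the PageCache") so a later reader does not assume there is a direct page-cache check here. Since resetScrollbars() is now skipped on that path, it is also worth confirming that the two ASSERTs that follow (no custom horizontalScrollbar()/verticalScrollbar() at this point) still hold for a cached view that never had its scrollbars reset. Finally, the FIXME cites only rdar://problem/22356782, which is not publicly readable; add the public tracker https://bugs.webkit.org/show_bug.cgi?id=148237 from the ChangeLog so the eventual proper fix can be found from the source.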