Title: [94107] trunk/Source/WebCore
- Revision
- 94107
- Author
- [email protected]
- Date
- 2011-08-30 13:45:11 -0700 (Tue, 30 Aug 2011)
Log Message
Removed m_owner accessed in custom scrollbars.
https://bugs.webkit.org/show_bug.cgi?id=64737
Reviewed by David Hyatt.
The problem does not reproduce in DRT, even with EventHandler tricks
and gc(), so a manual test is added instead.
* manual-tests/custom-scrollbar-renderer-removed-crash.html: Added.
* page/FrameView.cpp:
(WebCore::FrameView::clearOwningRendererForCustomScrollbars):
* page/FrameView.h:
* rendering/RenderBox.cpp:
(WebCore::RenderBox::willBeDestroyed): when this renderbox is getting
destroyed, clear the custom scrollbar in this frameview having this renderbox
as its owning renderer.
* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::getScrollbarPseudoStyle): fix the null check.
Modified: trunk/Source/WebCore/ChangeLog (94106 => 94107)
--- trunk/Source/WebCore/ChangeLog 2011-08-30 20:43:14 UTC (rev 94106)
+++ trunk/Source/WebCore/ChangeLog 2011-08-30 20:45:11 UTC (rev 94107)
@@ -1,3 +1,24 @@
+2011-08-30 Abhishek Arya <[email protected]>
+
+ Removed m_owner accessed in custom scrollbars.
+ https://bugs.webkit.org/show_bug.cgi?id=64737
+
+ Reviewed by David Hyatt.
+
+ Problem does not reproduce in DRT, even with Eventhandler tricks
+ and gc(). So, adding a manual test.
+
+ * manual-tests/custom-scrollbar-renderer-removed-crash.html: Added.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::clearOwningRendererForCustomScrollbars):
+ * page/FrameView.h:
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::willBeDestroyed): when this renderbox is getting
+ destroyed, clear the custom scrollbar in this frameview having this renderbox
+ as its owning renderer.
+ * rendering/RenderScrollbar.cpp:
+ (WebCore::RenderScrollbar::getScrollbarPseudoStyle): fix the null check.
+
2011-08-30 Caio Marcelo de Oliveira Filho <[email protected]>
Emit last progress notification before calling dispatchDidFinishLoad
Added: trunk/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html (0 => 94107)
--- trunk/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html (rev 0)
+++ trunk/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html 2011-08-30 20:45:11 UTC (rev 94107)
@@ -0,0 +1,11 @@
+<html>
+<body>
+Reload page and mouse click quickly in the black box.
+<style>
+::-webkit-scrollbar { width: 1000; }
+</style>
+<script>setTimeout("try { document.body.offsetTop; child = document.body; child.parentNode.removeChild(child); } catch(e) {}", 100);</script>
+<svg>
+</svg>
+</body>
+</html>
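Review bot: The instruction text on the first added body line tells the tester to click "in the black box", but nothing in the markup draws one — the `<svg>` element is empty and unstyled, so a tester has no target and cannot tell whether the repro was exercised. Either style the svg (e.g. `<svg style="background: black"></svg>`) or reword the instruction to name the element that actually exists. It would also help to state the expected outcome in the page text, since the `try { ... } catch(e) {}` in the script deliberately hides any DOM error and the only observable result is "does not crash"; a line such as `Test passes if the page does not crash.` is the convention in other manual tests. Passing a function rather than a string to `setTimeout` would make the script easier to read, but that is a matter of style.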
Modified: trunk/Source/WebCore/page/FrameView.cpp (94106 => 94107)
--- trunk/Source/WebCore/page/FrameView.cpp 2011-08-30 20:43:14 UTC (rev 94106)
+++ trunk/Source/WebCore/page/FrameView.cpp 2011-08-30 20:45:11 UTC (rev 94107)
@@ -2551,6 +2551,23 @@
return false;
}
+void FrameView::clearOwningRendererForCustomScrollbars(RenderBox* box)
+{
+ const HashSet<RefPtr<Widget> >* viewChildren = children();
+ HashSet<RefPtr<Widget> >::const_iterator end = viewChildren->end();
+ for (HashSet<RefPtr<Widget> >::const_iterator current = viewChildren->begin(); current != end; ++current) {
+ Widget* widget = current->get();
+ if (widget->isScrollbar()) {
+ Scrollbar* scrollbar = static_cast<Scrollbar*>(widget);
+ if (scrollbar->isCustomScrollbar()) {
+ RenderScrollbar* customScrollbar = toRenderScrollbar(scrollbar);
+ if (customScrollbar->owningRenderer() == box)
+ customScrollbar->clearOwningRenderer();
+ }
+ }
+ }
+}
+
FrameView* FrameView::parentFrameView() const
{
if (Widget* parentView = parent()) {
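Review bot: The new clearOwningRendererForCustomScrollbars has no comment explaining why it exists, and the triple-nested `if` makes the single action at its core (null out a dangling owner pointer) hard to see; the declaration added in FrameView.h in this same commit is equally undocumented. I would put a short comment above the definition: `// Called from RenderBox::willBeDestroyed so that no custom scrollbar in this view keeps a pointer to a renderer that is about to be freed (bug 64737). The scrollbar itself stays alive; every RenderScrollbar member that touches the owner must tolerate a null owningRenderer() from then on.` That last sentence is the important invariant for a use-after-free fix: the hunk detaches the owner but does not recreate or remove the scrollbar, so presumably the scrollbar continues to receive events with no owner, and only one such access (getScrollbarPseudoStyle) is guarded in this commit — confirm the others. The loop body reads more clearly with guard clauses, as below.
```cpp
void FrameView::clearOwningRendererForCustomScrollbars(RenderBox* box)
{
    // … unchanged: viewChildren / end setup …
    for (HashSet<RefPtr<Widget> >::const_iterator current = viewChildren->begin(); current != end; ++current) {
        Widget* widget = current->get();
        if (!widget->isScrollbar())
            continue;
        Scrollbar* scrollbar = static_cast<Scrollbar*>(widget);
        if (!scrollbar->isCustomScrollbar())
            continue;
        RenderScrollbar* customScrollbar = toRenderScrollbar(scrollbar);
        if (customScrollbar->owningRenderer() == box)
            customScrollbar->clearOwningRenderer();
    }
}
```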
Modified: trunk/Source/WebCore/page/FrameView.h (94106 => 94107)
--- trunk/Source/WebCore/page/FrameView.h 2011-08-30 20:43:14 UTC (rev 94106)
+++ trunk/Source/WebCore/page/FrameView.h 2011-08-30 20:45:11 UTC (rev 94107)
@@ -289,6 +289,8 @@
RenderBox* embeddedContentBox() const;
+ void clearOwningRendererForCustomScrollbars(RenderBox*);
+
protected:
virtual bool scrollContentsFastPath(const IntSize& scrollDelta, const LayoutRect& rectToScroll, const LayoutRect& clipRect);
virtual void scrollContentsSlowPath(const LayoutRect& updateRect);
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (94106 => 94107)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2011-08-30 20:43:14 UTC (rev 94106)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2011-08-30 20:45:11 UTC (rev 94107)
@@ -202,6 +202,11 @@
if (style() && (style()->logicalHeight().isPercent() || style()->logicalMinHeight().isPercent() || style()->logicalMaxHeight().isPercent()))
RenderBlock::removePercentHeightDescendant(this);
+ // If this renderer is owning renderer for the frameview's custom scrollbars,
+ // we need to clear it from the scrollbar. See webkit bug 64737.
+ if (style() && style()->hasPseudoStyle(SCROLLBAR) && frame() && frame()->view())
+ frame()->view()->clearOwningRendererForCustomScrollbars(this);
+
// If the following assertion fails, logicalHeight()/logicalMinHeight()/
// logicalMaxHeight() values are changed from a percent value to a non-percent
// value during laying out. It causes a use-after-free bug.
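Review bot: The cleanup on the added lines only runs when the box's current style still has the SCROLLBAR pseudo style, so the fix's correctness depends on an invariant the comment does not state: a box that once became a custom scrollbar's owner must still carry that pseudo style when it is destroyed. I cannot confirm from this hunk that a style change cannot drop the pseudo style while the scrollbar keeps pointing at the box; if it can, the dangling owner survives and the use-after-free this commit targets is only narrowed. Either document the invariant in the new comment (`// A box can only be a custom scrollbar's owner while its style has the SCROLLBAR pseudo style, so this check is safe to use as a fast path`), or drop that half of the guard and call unconditionally with `if (frame() && frame()->view())`, accepting the walk over the view's children on every destruction. The comment should also say that overflow-layer custom scrollbars are not covered by this walk and where they are torn down. RenderBox::willBeDestroyed starts and ends outside the hunk.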
Modified: trunk/Source/WebCore/rendering/RenderScrollbar.cpp (94106 => 94107)
--- trunk/Source/WebCore/rendering/RenderScrollbar.cpp 2011-08-30 20:43:14 UTC (rev 94106)
+++ trunk/Source/WebCore/rendering/RenderScrollbar.cpp 2011-08-30 20:45:11 UTC (rev 94107)
@@ -149,7 +149,7 @@
PassRefPtr<RenderStyle> RenderScrollbar::getScrollbarPseudoStyle(ScrollbarPart partType, PseudoId pseudoId)
{
- if (!m_owner)
+ if (!owningRenderer())
return 0;
s_styleResolvePart = partType;
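Review bot: The ChangeLog describes this line as fixing the null check, but if `owningRenderer()` is a plain accessor for `m_owner` the new condition is identical to the old one and the real fix is elsewhere (the owner is now cleared by FrameView::clearOwningRendererForCustomScrollbars before the RenderBox is freed); a reader of this file alone cannot see that. A comment on the guard would close the gap: `// The owner is cleared when its RenderBox is destroyed; with no owner there is no style to resolve against, so callers must handle a null result.` The rest of getScrollbarPseudoStyle lies outside the hunk, so I cannot tell whether any later use of the owner in this function or its siblings is reached with a null owner. The function returns `0` for a PassRefPtr, which matches the file's era but reads as an integer; that is style only.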