Title: [94131] branches/chromium/835/Source/WebCore
- Revision
- 94131
- Author
- [email protected]
- Date
- 2011-08-30 17:13:16 -0700 (Tue, 30 Aug 2011)
Log Message
Merge 94107
BUG=88684
Review URL: http://codereview.chromium.org/7810012
Copied: branches/chromium/835/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html (from rev 94107, trunk/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html) (0 => 94131)
--- branches/chromium/835/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html (rev 0)
+++ branches/chromium/835/Source/WebCore/manual-tests/custom-scrollbar-renderer-removed-crash.html 2011-08-31 00:13:16 UTC (rev 94131)
@@ -0,0 +1,11 @@
+<html>
+<body>
+Reload page and mouse click quickly in the black box.
+<style>
+::-webkit-scrollbar { width: 1000; }
+</style>
+<script>setTimeout("try { document.body.offsetTop; child = document.body; child.parentNode.removeChild(child); } catch(e) {}", 100);</script>
+<svg>
+</svg>
+</body>
+</html>
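Review bot: The manual test's instruction text on the `Reload page and mouse click quickly in the black box.` line refers to a black box that nothing in the markup visibly draws — the `<svg>` element is empty and no element carries a background — so a tester cannot tell where to click or what a pass looks like. Stating the expected outcome in the page, e.g. `The test passes if the page does not crash after the body is removed.`, would make the repro self-describing. If the black box is meant to be the default-sized empty SVG, saying so in the text would help.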
Modified: branches/chromium/835/Source/WebCore/page/FrameView.cpp (94130 => 94131)
--- branches/chromium/835/Source/WebCore/page/FrameView.cpp 2011-08-31 00:03:40 UTC (rev 94130)
+++ branches/chromium/835/Source/WebCore/page/FrameView.cpp 2011-08-31 00:13:16 UTC (rev 94131)
@@ -2446,6 +2446,23 @@
return false;
}
+void FrameView::clearOwningRendererForCustomScrollbars(RenderBox* box)
+{
+ const HashSet<RefPtr<Widget> >* viewChildren = children();
+ HashSet<RefPtr<Widget> >::const_iterator end = viewChildren->end();
+ for (HashSet<RefPtr<Widget> >::const_iterator current = viewChildren->begin(); current != end; ++current) {
+ Widget* widget = current->get();
+ if (widget->isScrollbar()) {
+ Scrollbar* scrollbar = static_cast<Scrollbar*>(widget);
+ if (scrollbar->isCustomScrollbar()) {
+ RenderScrollbar* customScrollbar = toRenderScrollbar(scrollbar);
+ if (customScrollbar->owningRenderer() == box)
+ customScrollbar->clearOwningRenderer();
+ }
+ }
+ }
+}
+
FrameView* FrameView::parentFrameView() const
{
if (Widget* parentView = parent()) {
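Review bot: FrameView::clearOwningRendererForCustomScrollbars has no comment saying why it exists, yet it is the half of the fix that RenderBox's destruction path relies on to keep a custom scrollbar from holding a stale owning-renderer pointer; a header such as `// Called while a RenderBox that may own this view's custom scrollbars is being destroyed, so no RenderScrollbar keeps a dangling owningRenderer() (webkit bug 64737).` would make that contract visible at the definition. As a point of style, the three nested ifs could be flattened with early continues, `if (!widget->isScrollbar()) continue;` and `if (!scrollbar->isCustomScrollbar()) continue;`, leaving the owner comparison as the only indented body. The loop only inspects this FrameView's own children; I cannot see from the hunk whether custom scrollbars owned by the same box can live elsewhere, so that scope is worth confirming.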
Modified: branches/chromium/835/Source/WebCore/page/FrameView.h (94130 => 94131)
--- branches/chromium/835/Source/WebCore/page/FrameView.h 2011-08-31 00:03:40 UTC (rev 94130)
+++ branches/chromium/835/Source/WebCore/page/FrameView.h 2011-08-31 00:13:16 UTC (rev 94131)
@@ -286,6 +286,8 @@
void setAnimatorsAreActive();
+ void clearOwningRendererForCustomScrollbars(RenderBox*);
+
protected:
virtual bool scrollContentsFastPath(const IntSize& scrollDelta, const IntRect& rectToScroll, const IntRect& clipRect);
virtual void scrollContentsSlowPath(const IntRect& updateRect);
Modified: branches/chromium/835/Source/WebCore/rendering/RenderBox.cpp (94130 => 94131)
--- branches/chromium/835/Source/WebCore/rendering/RenderBox.cpp 2011-08-31 00:03:40 UTC (rev 94130)
+++ branches/chromium/835/Source/WebCore/rendering/RenderBox.cpp 2011-08-31 00:13:16 UTC (rev 94131)
@@ -200,6 +200,11 @@
if (style() && (style()->logicalHeight().isPercent() || style()->logicalMinHeight().isPercent() || style()->logicalMaxHeight().isPercent()))
RenderBlock::removePercentHeightDescendant(this);
+ // If this renderer is owning renderer for the frameview's custom scrollbars,
+ // we need to clear it from the scrollbar. See webkit bug 64737.
+ if (style() && style()->hasPseudoStyle(SCROLLBAR) && frame() && frame()->view())
+ frame()->view()->clearOwningRendererForCustomScrollbars(this);
+
// If the following assertion fails, logicalHeight()/logicalMinHeight()/
// logicalMaxHeight() values are changed from a percent value to a non-percent
// value during laying out. It causes a use-after-free bug.
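Review bot: The new call is gated on `style()->hasPseudoStyle(SCROLLBAR)`, which only reflects the renderer's style at the moment it is destroyed; if the style can be replaced by one without the scrollbar pseudo-style before destruction, a scrollbar that still names this box as its owner would be left with a dangling pointer, which is exactly the use-after-free the change is meant to close. Unless that ordering is guaranteed elsewhere (not visible in this hunk), the safer gate is just `if (frame() && frame()->view())` followed by the existing call, since the FrameView side already compares owners before clearing. The new comment could also read `// If this renderer is the owning renderer for the frameview's custom scrollbars,` for grammar. The enclosing function starts and ends outside the hunk.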
Modified: branches/chromium/835/Source/WebCore/rendering/RenderScrollbar.cpp (94130 => 94131)
--- branches/chromium/835/Source/WebCore/rendering/RenderScrollbar.cpp 2011-08-31 00:03:40 UTC (rev 94130)
+++ branches/chromium/835/Source/WebCore/rendering/RenderScrollbar.cpp 2011-08-31 00:13:16 UTC (rev 94131)
@@ -149,7 +149,7 @@
PassRefPtr<RenderStyle> RenderScrollbar::getScrollbarPseudoStyle(ScrollbarPart partType, PseudoId pseudoId)
{
- if (!m_owner)
+ if (!owningRenderer())
return 0;
s_styleResolvePart = partType;