Title: [218228] trunk
- Revision: 218228
- Author: [email protected]
- Date: 2017-06-13 17:19:21 -0700 (Tue, 13 Jun 2017)
Log Message
Synchronous media query callbacks on nested frames could produce a detached FrameView.
https://bugs.webkit.org/show_bug.cgi?id=173330
Reviewed by Simon Fraser.
Source/WebCore:
This patch fixes the crash when the nested frame's media query callback triggers navigation on the mainframe.
webkit.org/b/173329 is to track whether we should allow synchronous callback firing from FrameView::layout().
Covered by show-modal-dialog-during-execCommand.html.
* page/FrameView.cpp:
(WebCore::FrameView::layout):
LayoutTests:
* TestExpectations: ASSERT(frame()->view() == this) still fires due to the unexpected navigation, but we clearly
manage to recover from it. Unskip it (debug) when webkit.org/b/173329 is resolved.
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (218227 => 218228)
--- trunk/LayoutTests/ChangeLog 2017-06-14 00:14:09 UTC (rev 218227)
+++ trunk/LayoutTests/ChangeLog 2017-06-14 00:19:21 UTC (rev 218228)
@@ -1,3 +1,13 @@
+2017-06-13 Zalan Bujtas <[email protected]>
+
+ Synchronous media query callbacks on nested frames could produced a detached FrameView.
+ https://bugs.webkit.org/show_bug.cgi?id=173330
+
+ Reviewed by Simon Fraser.
+
+ * TestExpectations: ASSERT(frame()->view() == this) still fires due to the unexpected navigation, but we clearly
+ manage to recover from it. Unskip it (debug) when webkit.org/b/173329 is resolved.
+
2017-06-13 Chris Fleizach <[email protected]>
AX[macOS]: Expose Inline property as an accessibility attribute
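Review bot: The added TestExpectations entry never names the test it refers to, so "Unskip it (debug)" only makes sense when read next to the expectations diff. Name editing/execCommand/show-modal-dialog-during-execCommand.html in the entry and state plainly that it stays skipped in Debug because ASSERT(frame()->view() == this) still fires, so a reader of the ChangeLog alone can see that a debug assertion failure is being tolerated until webkit.org/b/173329 is resolved. The title line also reads "could produced"; it should be "could produce".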
Modified: trunk/LayoutTests/TestExpectations (218227 => 218228)
--- trunk/LayoutTests/TestExpectations 2017-06-14 00:14:09 UTC (rev 218227)
+++ trunk/LayoutTests/TestExpectations 2017-06-14 00:19:21 UTC (rev 218228)
@@ -38,7 +38,7 @@
http/tests/preload/viewport [ Skip ]
# window.showModalDialog is only tested in DumpRenderTree on Mac.
-editing/execCommand/show-modal-dialog-during-execCommand.html [ Skip ]
+[ Debug ] editing/execCommand/show-modal-dialog-during-execCommand.html [ Skip ]
fast/shadow-dom/touch-event-on-text-assigned-to-slot.html [ Skip ]
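Review bot: The new "[ Debug ] ... [ Skip ]" line carries no bug reference, so nothing in TestExpectations says when the skip can be removed. Prefix it with webkit.org/b/173329, the bug the ChangeLog gives as the condition for unskipping. The comment kept above the line ("window.showModalDialog is only tested in DumpRenderTree on Mac.") described the old unconditional skip; now that the test runs outside Debug, either update that comment or confirm the test passes in the configurations the comment says do not exercise showModalDialog.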
Modified: trunk/Source/WebCore/ChangeLog (218227 => 218228)
--- trunk/Source/WebCore/ChangeLog 2017-06-14 00:14:09 UTC (rev 218227)
+++ trunk/Source/WebCore/ChangeLog 2017-06-14 00:19:21 UTC (rev 218228)
@@ -1,3 +1,18 @@
+2017-06-13 Zalan Bujtas <[email protected]>
+
+ Synchronous media query callbacks on nested frames could produced a detached FrameView.
+ https://bugs.webkit.org/show_bug.cgi?id=173330
+
+ Reviewed by Simon Fraser.
+
+ This patch fixes the crash when the nested frame's media query callback triggers navigation on the mainframe.
+ webkit.org/b/173329 is to track whether we should allow synchronous callback firing from FrameView::layout().
+
+ Covered by show-modal-dialog-during-execCommand.html.
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::layout):
+
2017-06-13 Chris Fleizach <[email protected]>
AX[macOS]: Expose Inline property as an accessibility attribute
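Review bot: The "(WebCore::FrameView::layout):" entry is left empty, so the ChangeLog says a crash is fixed but not how. Add a line stating that layout() now returns right after adjustViewSize() when hasOneRef() is true, and that this is an object-lifetime fix for a view detached by navigation from a synchronous callback, which makes the change easy to find when auditing for similar re-entrancy.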
Modified: trunk/Source/WebCore/page/FrameView.cpp (218227 => 218228)
--- trunk/Source/WebCore/page/FrameView.cpp 2017-06-14 00:14:09 UTC (rev 218227)
+++ trunk/Source/WebCore/page/FrameView.cpp 2017-06-14 00:19:21 UTC (rev 218228)
@@ -1517,8 +1517,13 @@
bool neededFullRepaint = m_needsFullRepaint;
- if (!subtree && !downcast<RenderView>(*root).printing())
+ if (!subtree && !downcast<RenderView>(*root).printing()) {
adjustViewSize();
+ // FIXME: Firing media query callbacks synchronously on nested frames could produced a detached FrameView here by
+ // navigating away from the current document (see webkit.org/b/173329).
+ if (hasOneRef())
+ return;
+ }
m_layoutPhase = InPostLayout;
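Review bot: "if (hasOneRef()) return;" after adjustViewSize() infers that the view was detached from its reference count instead of testing for detachment. That only holds if a reference taken earlier in layout() (not visible in this hunk) is the sole one left, and it misses a detached view that some other owner still references, in which case post-layout work continues on a view that no longer belongs to the frame. Consider checking the condition the ChangeLog's ASSERT(frame()->view() == this) already expresses, alongside or instead of the ref count, and say in the comment which reference is expected to be the last one. The early return also skips "m_layoutPhase = InPostLayout;" and everything after it; a short comment on why leaving the layout state untouched is safe for a view about to be destroyed would help. The FIXME text reads "could produced".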