Title: [223313] trunk
Revision
223313
Author
[email protected]
Date
2017-10-13 17:44:53 -0700 (Fri, 13 Oct 2017)

Log Message

Protect FrameView during style calculations
https://bugs.webkit.org/show_bug.cgi?id=178300
<rdar://problem/34869329>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Protect the FrameView during layout and style updates in case arbitrary script
is run that might clear it.

Test: fast/html/marquee-reparent-check.html

* page/FrameView.cpp:
(WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive):

LayoutTests:

* fast/html/marquee-reparent-check-expected.txt: Added.
* fast/html/marquee-reparent-check.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (223312 => 223313)


--- trunk/LayoutTests/ChangeLog	2017-10-14 00:42:56 UTC (rev 223312)
+++ trunk/LayoutTests/ChangeLog	2017-10-14 00:44:53 UTC (rev 223313)
@@ -1,3 +1,14 @@
+2017-10-13  Brent Fulgham  <[email protected]>
+
+        Protect FrameView during style calculations
+        https://bugs.webkit.org/show_bug.cgi?id=178300
+        <rdar://problem/34869329>
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/html/marquee-reparent-check-expected.txt: Added.
+        * fast/html/marquee-reparent-check.html: Added.
+
 2017-10-13  Ryan Haddad  <[email protected]>
 
         Mark http/tests/cache-storage/cache-clearing-origin.https.html as flaky.

Added: trunk/LayoutTests/fast/html/marquee-reparent-check-expected.txt (0 => 223313)


--- trunk/LayoutTests/fast/html/marquee-reparent-check-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/html/marquee-reparent-check-expected.txt	2017-10-14 00:44:53 UTC (rev 223313)
@@ -0,0 +1,7 @@
+The test passes if it does not ASSERT in debug builds.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+ 
+TEST   
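Review bot: The expected output never contains the "PASS" lines or the "TEST COMPLETE" marker that its own second line promises, which matches the test page added later in this diff never calling finishJSTest(); the only real pass criterion is the absence of a debug ASSERT. Consider ending the test with a finishJSTest() call once the reparenting in focusHandler() has run, so the expectation carries a deterministic "TEST COMPLETE" line instead of relying on the trailing "TEST" text (the table header's innerHTML set in runTest()) and two whitespace-only lines, which will silently change whenever the markup does.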

Added: trunk/LayoutTests/fast/html/marquee-reparent-check.html (0 => 223313)


--- trunk/LayoutTests/fast/html/marquee-reparent-check.html	                        (rev 0)
+++ trunk/LayoutTests/fast/html/marquee-reparent-check.html	2017-10-14 00:44:53 UTC (rev 223313)
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+description("The test passes if it does not ASSERT in debug builds.");
+
+var innerMarquee;
+var outerMarquee;
+
+function runTest() {
+    innerMarquee = document.getElementById("innerMarquee");
+    outerMarquee = document.getElementById("outerMarquee");
+
+    document.execCommand("createLink", false, "#foo");
+    document.getElementById("htmlTableHeader").innerHTML = "TEST";
+}
+
+function blurHandler() {
+    document.getElementById("htmlTextArea").setSelectionRange(0, 0, "foo");
+}
+
+function focusHandler() {
+    document.getElementById("htmlTextArea").click();
+    innerMarquee.appendChild(outerMarquee);
+}
+</script>
+</head>
+<body>
+    <div id="divElement">
+    </div>
+    <marquee id="outerMarquee">
+        <output>
+            <base target="divElement"></base>
+        </output>
+    </marquee>
+    <a href=""
+        <textarea id="htmlTextArea" _onfocus_="focusHandler()" _onblur_="blurHandler()" autofocus="autofocus">Test Text Area</textarea>
+    </a>
+    <table id="testTable">
+        <tbody>
+            <tr>
+                <th id="htmlTableHeader">
+                    <marquee id="innerMarquee">
+                        <svg>
+                            <mesh _onload_="runTest()">
+                            </mesh>
+                        </svg>
+                    </marquee>
+                </th>
+            </tr>
+        </tbody>
+    </table>
+    <keygen autofocus="autofocus">
+    <iframe>Test Frame</iframe>
+</body>
+</html>
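Review bot: As the hunk renders here, the handler attributes are spelled `_onfocus_`, `_onblur_` and `_onload_`, which no browser dispatches, and `<script src=""` and `<a href=""` have empty attributes with no closing `>`; if the checked-in file really reads this way, description() is undefined and runTest()/focusHandler()/blurHandler() never fire, so the test passes vacuously and no longer exercises the marquee reparenting it was written for. Please confirm the committed file uses `onfocus`/`onblur`/`onload` and loads the js-test helper script. Note also that both the textarea and the `<keygen>` carry `autofocus`; only one of them will receive the initial focus, so the ordering of those two elements is load-bearing for which handler runs first and deserves a comment.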

Modified: trunk/Source/WebCore/ChangeLog (223312 => 223313)


--- trunk/Source/WebCore/ChangeLog	2017-10-14 00:42:56 UTC (rev 223312)
+++ trunk/Source/WebCore/ChangeLog	2017-10-14 00:44:53 UTC (rev 223313)
@@ -1,3 +1,19 @@
+2017-10-13  Brent Fulgham  <[email protected]>
+
+        Protect FrameView during style calculations
+        https://bugs.webkit.org/show_bug.cgi?id=178300
+        <rdar://problem/34869329>
+
+        Reviewed by Ryosuke Niwa.
+
+        Protect the FrameView during layout and style updates in case arbitrary script
+        is run that might clear it.
+
+        Test: fast/html/marquee-reparent-check.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive):
+
 2017-10-13  Per Arne Vollan  <[email protected]>
 
         Crash under ResourceHandleCFURLConnectionDelegateWithOperationQueue::didSendBodyData

Modified: trunk/Source/WebCore/page/FrameView.cpp (223312 => 223313)


--- trunk/Source/WebCore/page/FrameView.cpp	2017-10-14 00:42:56 UTC (rev 223312)
+++ trunk/Source/WebCore/page/FrameView.cpp	2017-10-14 00:44:53 UTC (rev 223313)
@@ -4568,6 +4568,9 @@
     // FIXME: We should find an approach that does not require a loop at all.
     const unsigned maxUpdatePasses = 25;
 
+    // Style updates can trigger script, which can cause this FrameView to be destroyed.
+    Ref<FrameView> protectedThis(*this);
+
     AnimationUpdateBlock animationUpdateBlock(&frame().animation());
 
     using DescendantsDeque = Deque<Ref<FrameView>, 16>;
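Review bot: `Ref<FrameView> protectedThis(*this);` keeps this FrameView alive across the update passes, but it does not keep its Frame or Document attached; script run during a style update can still detach the frame, after which later passes of the loop operate on a view whose frame()/document may already be gone. Consider re-checking at the top of each pass that the view is still attached to a frame with a live document, and bailing out if not, rather than relying on the ref alone. Placing the guard before `AnimationUpdateBlock animationUpdateBlock(&frame().animation());` is the right order, since the block is constructed from frame() and outlives the loop; a short comment saying the guard must stay above it would prevent a future reordering.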
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
