Title: [225719] trunk
Revision
225719
Author
[email protected]
Date
2017-12-08 19:51:25 -0800 (Fri, 08 Dec 2017)

Log Message

Document::updateLayout() could destroy current frame.
https://bugs.webkit.org/show_bug.cgi?id=180525
<rdar://problem/35906836>

Reviewed by Simon Fraser.

Source/WebCore:

Early return when Document::updateLayout() triggers Frame destruction.

Test: fast/frames/crash-when-iframe-is-remove-in-eventhandler.html

* dom/TreeScope.cpp:
(WebCore::absolutePointIfNotClipped):

LayoutTests:

* fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt: Added.
* fast/frames/crash-when-iframe-is-remove-in-eventhandler.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (225718 => 225719)


--- trunk/LayoutTests/ChangeLog	2017-12-09 03:44:33 UTC (rev 225718)
+++ trunk/LayoutTests/ChangeLog	2017-12-09 03:51:25 UTC (rev 225719)
@@ -1,3 +1,14 @@
+2017-12-08  Zalan Bujtas  <[email protected]>
+
+        Document::updateLayout() could destroy current frame.
+        https://bugs.webkit.org/show_bug.cgi?id=180525
+        <rdar://problem/35906836>
+
+        Reviewed by Simon Fraser.
+
+        * fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt: Added.
+        * fast/frames/crash-when-iframe-is-remove-in-eventhandler.html: Added.
+
 2017-12-08  Youenn Fablet  <[email protected]>
 
         Service Worker should use a correct user agent

Added: trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt (0 => 225719)


--- trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt	2017-12-09 03:51:25 UTC (rev 225719)
@@ -0,0 +1 @@
+PASS if no crash.  

Added: trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html (0 => 225719)


--- trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html	2017-12-09 03:51:25 UTC (rev 225719)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<span id=span></span>
+<span id=wrapper></span>
+<textarea id=textarea _onfocus_="eventhandler()"></textarea>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.offsetHeight;
+textarea.autofocus = true;
+var iframe = document.createElement("iframe");
+span.appendChild(iframe);
+wrapper.appendChild(textarea);
+iframe.contentDocument.caretRangeFromPoint();
+
+function eventhandler() {
+    textarea.insertAdjacentElement("beforeBegin", span);
+}
+</script>
+</body>
+</html>
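Review bot: As quoted here the handler attribute on the textarea line reads `_onfocus_="eventhandler()"`, which no browser treats as an event handler, so `eventhandler()` would never run and the test would not reach the code path the fix guards; if this is not an artifact of how the patch was quoted, it should be `onfocus="eventhandler()"`. The trigger sequence is otherwise clear from the lines: `textarea.autofocus = true` plus `wrapper.appendChild(textarea)` schedules a focus event, `iframe.contentDocument.caretRangeFromPoint()` forces layout inside the iframe, and the focus handler's `insertAdjacentElement("beforeBegin", span)` reparents the span that contains the iframe, tearing down that iframe's frame while `absolutePointIfNotClipped()` is still on the stack. A one-line comment in the test stating that ordering would help whoever next touches it, and the file name would read better as `crash-when-iframe-is-removed-in-eventhandler.html`.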

Modified: trunk/Source/WebCore/ChangeLog (225718 => 225719)


--- trunk/Source/WebCore/ChangeLog	2017-12-09 03:44:33 UTC (rev 225718)
+++ trunk/Source/WebCore/ChangeLog	2017-12-09 03:51:25 UTC (rev 225719)
@@ -1,3 +1,18 @@
+2017-12-08  Zalan Bujtas  <[email protected]>
+
+        Document::updateLayout() could destroy current frame.
+        https://bugs.webkit.org/show_bug.cgi?id=180525
+        <rdar://problem/35906836>
+
+        Reviewed by Simon Fraser.
+
+        Early return when Document::updateLayout() triggers Frame destruction.
+
+        Test: fast/frames/crash-when-iframe-is-remove-in-eventhandler.html
+
+        * dom/TreeScope.cpp:
+        (WebCore::absolutePointIfNotClipped):
+
 2017-12-08  Chris Dumez  <[email protected]>
 
         ServiceWorkerGlobalScope is a global object and should be marked as [ImplicitThis] in the IDL

Modified: trunk/Source/WebCore/dom/TreeScope.cpp (225718 => 225719)


--- trunk/Source/WebCore/dom/TreeScope.cpp	2017-12-09 03:44:33 UTC (rev 225718)
+++ trunk/Source/WebCore/dom/TreeScope.cpp	2017-12-09 03:51:25 UTC (rev 225719)
@@ -296,13 +296,14 @@
 
 static std::optional<LayoutPoint> absolutePointIfNotClipped(Document& document, const LayoutPoint& clientPoint)
 {
-    auto* frame = document.frame();
-    auto* view = document.view();
-    if (!frame || !view)
+    if (!document.frame() || !document.view())
         return std::nullopt;
 
-    if (frame->settings().visualViewportEnabled()) {
+    if (document.frame()->settings().visualViewportEnabled()) {
         document.updateLayout();
+        if (!document.view() || !document.hasLivingRenderTree())
+            return std::nullopt;
+        auto* view = document.view();
         FloatPoint layoutViewportPoint = view->clientToLayoutViewportPoint(clientPoint);
         FloatRect layoutViewportBounds({ }, view->layoutViewportRect().size());
         if (!layoutViewportBounds.contains(layoutViewportPoint))
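Review bot: The re-check after `document.updateLayout()` is the right shape for a reentrancy hazard (layout can run script that removes the iframe, so a `view` pointer cached before the call dangles afterwards, which is what the removed `auto* view = document.view();` above the call allowed), but the condition deserves a comment saying exactly that, since a future reader may see `if (!document.view() || !document.hasLivingRenderTree())` directly after a layout call and "simplify" it away. Two smaller points on the same lines: `document.frame()` is now dereferenced on the `visualViewportEnabled()` line right after it was only null-checked one statement earlier, so keeping a local `auto* frame = document.frame();` for that check reads better than two calls; and the guard relies on `document.view()` returning null once the frame is gone, which holds for `Document::view()` but is worth stating in the comment so the invariant the early return depends on is explicit.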
@@ -310,6 +311,8 @@
         return LayoutPoint(view->layoutViewportToAbsolutePoint(layoutViewportPoint));
     }
 
+    auto* frame = document.frame();
+    auto* view = document.view();
     float scaleFactor = frame->pageZoomFactor() * frame->frameScaleFactor();
 
     LayoutPoint absolutePoint = clientPoint;
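Review bot: The re-fetched `auto* frame = document.frame();` and `auto* view = document.view();` here are used without null checks; that is correct only because this branch is reached without `updateLayout()` having been called, so the checks at the top of the function still hold. A short comment to that effect would stop the next edit from inserting a layout call between the two hunks and silently reintroducing the bug; alternatively, hoist the two locals to just after the initial null check and re-assign them inside the visual-viewport block, so there is a single place where they are established.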
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
