[webkit-changes] [226276] trunk

Fri, 22 Dec 2017 13:42:04 -0800

Title: [226276] trunk
Revision
226276
Author
[email protected]
Date
2017-12-22 13:41:02 -0800 (Fri, 22 Dec 2017)

Log Message

Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
https://bugs.webkit.org/show_bug.cgi?id=181132
<rdar://problem/35143540>

Reviewed by Simon Fraser.

Source/WebCore:

Test: fast/animation/request-animation-frame-remove-iframe-in-callback.html

* dom/ScriptedAnimationController.cpp:
(WebCore::ScriptedAnimationController::serviceScriptedAnimations): Hold a reference to the
  document and pass that along to InspectorInstrumentation::willFireAnimationFrame rather
  than dereferencing the m_document member, which may have gotten cleared by an earlier
  callback.

LayoutTests:

* fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt: Added.
* fast/animation/request-animation-frame-remove-iframe-in-callback.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (226275 => 226276)


--- trunk/LayoutTests/ChangeLog	2017-12-22 21:23:39 UTC (rev 226275)
+++ trunk/LayoutTests/ChangeLog	2017-12-22 21:41:02 UTC (rev 226276)
@@ -1,3 +1,14 @@
+2017-12-22  Dan Bernstein  <[email protected]>
+
+        Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
+        https://bugs.webkit.org/show_bug.cgi?id=181132
+        <rdar://problem/35143540>
+
+        Reviewed by Simon Fraser.
+
+        * fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt: Added.
+        * fast/animation/request-animation-frame-remove-iframe-in-callback.html: Added.
+
 2017-12-22  Chris Dumez  <[email protected]>
 
         [Service Workers] Implement "Soft Update" algorithm

Added: trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt (0 => 226276)


--- trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt	2017-12-22 21:41:02 UTC (rev 226276)
@@ -0,0 +1 @@
+Test passes if it does not crash.

Added: trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback.html (0 => 226276)


--- trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback.html	                        (rev 0)
+++ trunk/LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback.html	2017-12-22 21:41:02 UTC (rev 226276)
@@ -0,0 +1,19 @@
+Test passes if it does not crash.
+<iframe id=target></iframe>
+<span id=result></span>
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    const target = document.getElementById("target");
+    const contentWindow = target.contentWindow;
+    contentWindow.requestAnimationFrame(() => {
+        target.remove();
+        if (window.testRunner) {
+            setTimeout(() => { testRunner.notifyDone(); }, 0);
+        }
+    });
+    contentWindow.requestAnimationFrame(() => { });
+</script>

Modified: trunk/Source/WebCore/ChangeLog (226275 => 226276)


--- trunk/Source/WebCore/ChangeLog	2017-12-22 21:23:39 UTC (rev 226275)
+++ trunk/Source/WebCore/ChangeLog	2017-12-22 21:41:02 UTC (rev 226276)
@@ -1,3 +1,19 @@
+2017-12-22  Dan Bernstein  <[email protected]>
+
+        Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
+        https://bugs.webkit.org/show_bug.cgi?id=181132
+        <rdar://problem/35143540>
+
+        Reviewed by Simon Fraser.
+
+        Test: fast/animation/request-animation-frame-remove-iframe-in-callback.html
+
+        * dom/ScriptedAnimationController.cpp:
+        (WebCore::ScriptedAnimationController::serviceScriptedAnimations): Hold a reference to the
+          document and pass that along to InspectorInstrumentation::willFireAnimationFrame rather
+          than dereferencing the m_document member, which may have gotten cleared by an earlier
+          callback.
+
 2017-12-22  Chris Dumez  <[email protected]>
 
         importScripts() inside a service worker should ensure that the response has a _javascript_ MIME type

Modified: trunk/Source/WebCore/dom/ScriptedAnimationController.cpp (226275 => 226276)


--- trunk/Source/WebCore/dom/ScriptedAnimationController.cpp	2017-12-22 21:23:39 UTC (rev 226275)
+++ trunk/Source/WebCore/dom/ScriptedAnimationController.cpp	2017-12-22 21:41:02 UTC (rev 226276)
@@ -209,11 +209,12 @@
     // Invoking callbacks may detach elements from our document, which clears the document's
     // reference to us, so take a defensive reference.
     Ref<ScriptedAnimationController> protectedThis(*this);
+    Ref<Document> protectedDocument(*m_document);
 
     for (auto& callback : callbacks) {
         if (!callback->m_firedOrCancelled) {
             callback->m_firedOrCancelled = true;
-            InspectorInstrumentationCookie cookie = InspectorInstrumentation::willFireAnimationFrame(*m_document, callback->m_id);
+            InspectorInstrumentationCookie cookie = InspectorInstrumentation::willFireAnimationFrame(protectedDocument, callback->m_id);
             if (callback->m_useLegacyTimeBase)
                 callback->handleEvent(legacyHighResNowMs);
             else

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to