Title: [246990] releases/WebKitGTK/webkit-2.24
- Revision
- 246990
- Author
- [email protected]
- Date
- 2019-07-01 04:03:17 -0700 (Mon, 01 Jul 2019)
Log Message
Merge r245509 - Wait to get frame until after layout has been run
https://bugs.webkit.org/show_bug.cgi?id=197999
<rdar://problem/50800345>
Reviewed by Alex Christensen.
Source/WebCore:
The current frame can change when layout runs, so don't bother retrieving
the frame until the final layout pass is complete.
Test: fast/dom/window-inner-width-crash.html
* page/DOMWindow.cpp:
(WebCore::DOMWindow::innerHeight const): Move frame access past the
layout operation.
(WebCore::DOMWindow::innerWidth const): Ditto.
(WebCore::DOMWindow::scrollX const): Ditto.
(WebCore::DOMWindow::scrollY const): Ditto.
LayoutTests:
* fast/dom/window-inner-width-crash-expected.txt: Added.
* fast/dom/window-inner-width-crash.html: Added.
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (246989 => 246990)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-07-01 11:03:12 UTC (rev 246989)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-07-01 11:03:17 UTC (rev 246990)
@@ -1,3 +1,14 @@
+2019-05-19 Brent Fulgham <[email protected]>
+
+ Wait to get frame until after layout has been run
+ https://bugs.webkit.org/show_bug.cgi?id=197999
+ <rdar://problem/50800345>
+
+ Reviewed by Alex Christensen.
+
+ * fast/dom/window-inner-width-crash-expected.txt: Added.
+ * fast/dom/window-inner-width-crash.html: Added.
+
2019-05-28 Yacine Bandou <[email protected]>
[MSE][GStreamer] update the readyState correctly in MediaPlayerPrivateGStreamerMSE
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash-expected.txt (0 => 246990)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash-expected.txt 2019-07-01 11:03:17 UTC (rev 246990)
@@ -0,0 +1,4 @@
+This test passes if it does not crash.
+
+
+
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash.html (0 => 246990)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/window-inner-width-crash.html 2019-07-01 11:03:17 UTC (rev 246990)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function runTest() {
+ button.autofocus = true;
+ body.appendChild(paragraph);
+ var testVal = window[0].innerWidth;
+}
+
+function fireSelect() {
+ input.select();
+}
+
+function appendToSelect() {
+ select.appendChild(frame);
+}
+</script>
+</head>
+<body id="body" _onload_="runTest()">
+ <p>This test passes if it does not crash.</p>
+ <iframe id="frame"></iframe>
+ <p id="paragraph">
+ <button id="button" _onkeydown_="appendToSelect()"></button>
+ <style _onload_="fireSelect()"></style>
+ <li></li>
+ <select id="select">
+ <input id="input" for="" _onblur_="appendToSelect()"></input>
+ </select>
+</body>
+</html>
\ No newline at end of file
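Review bot: The event-handler attributes in this test are spelled `_onload_`, `_onkeydown_` and `_onblur_` (body, button, style, input), and with those names no handler is registered, so `runTest()` never runs and the page cannot exercise the layout-during-`innerWidth` path the fix targets. This looks like the list archive's mangling of `onload`/`onkeydown`/`onblur` rather than what is checked in, so the repository copy should be confirmed rather than the page. Minor: `</input>` is an end tag for a void element and is ignored by the parser; harmless in a crash test but `<input id="input" _onblur_="appendToSelect()">` alone is cleaner.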
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (246989 => 246990)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:12 UTC (rev 246989)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:17 UTC (rev 246990)
@@ -1,3 +1,23 @@
+2019-05-19 Brent Fulgham <[email protected]>
+
+ Wait to get frame until after layout has been run
+ https://bugs.webkit.org/show_bug.cgi?id=197999
+ <rdar://problem/50800345>
+
+ Reviewed by Alex Christensen.
+
+ The current frame can change when layout runs, so don't bother retrieving
+ the frame until the final layout pass is complete.
+
+ Test: fast/dom/window-inner-width-crash.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::innerHeight const): Move frame access past the
+ layout operation.
+ (WebCore::DOMWindow::innerWidth const): Ditto.
+ (WebCore::DOMWindow::scrollX const): Ditto.
+ (WebCore::DOMWindow::scrollY const): Ditto.
+
2019-05-17 Brent Fulgham <[email protected]>
Hardening: Prevent FrameLoader crash due to SetForScope
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/page/DOMWindow.cpp (246989 => 246990)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/page/DOMWindow.cpp 2019-07-01 11:03:12 UTC (rev 246989)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/page/DOMWindow.cpp 2019-07-01 11:03:17 UTC (rev 246990)
@@ -1237,14 +1237,17 @@
int DOMWindow::innerHeight() const
{
- auto* frame = this->frame();
- if (!frame)
+ if (!frame())
return 0;
-
+
// Force enough layout in the parent document to ensure that the FrameView has been resized.
if (auto* frameElement = this->frameElement())
frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, HeightDimensionsCheck);
+ auto* frame = this->frame();
+ if (!frame)
+ return 0;
+
FrameView* view = frame->view();
if (!view)
return 0;
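Review bot: The second `this->frame()` lookup after `updateLayoutIfDimensionsOutOfDate` has no comment explaining why the frame is fetched twice, whereas the equivalent re-fetch in scrollX/scrollY later in this diff is annotated; a reader may take the duplicated null check for leftover code and fold it back into the first one, reintroducing the stale-pointer use this commit removes. Add the same explanation above `auto* frame = this->frame();`: `// Layout may have run script and detached or replaced this window's frame; re-resolve it before use.` The early `if (!frame())` guard before layout is still worthwhile since it skips the frameElement() work for a detached window, and that is worth stating too. innerHeight's body continues past the hunk, so the `view` use after the re-fetch is only partly visible here.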
@@ -1254,8 +1257,7 @@
int DOMWindow::innerWidth() const
{
- auto* frame = this->frame();
- if (!frame)
+ if (!frame())
return 0;
// Force enough layout in the parent document to ensure that the FrameView has been resized.
@@ -1262,6 +1264,10 @@
if (auto* frameElement = this->frameElement())
frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, WidthDimensionsCheck);
+ auto* frame = this->frame();
+ if (!frame)
+ return 0;
+
FrameView* view = frame->view();
if (!view)
return 0;
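Review bot: As in innerHeight, the re-fetch `auto* frame = this->frame();` right after `updateLayoutIfDimensionsOutOfDate(*frameElement, WidthDimensionsCheck)` is uncommented, and the intent (layout may run script that changes the current frame) is only stated in the scrollX/scrollY hunks below. Add `// Layout may have run script and detached or replaced this window's frame; re-resolve it before use.` above that line so the two null checks are not "cleaned up" into one later. innerWidth starts in the preceding hunk and ends after this one, so the remainder of the view handling is not visible here.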
@@ -1311,7 +1317,16 @@
frame->document()->updateLayoutIgnorePendingStylesheets();
- return view->mapFromLayoutToCSSUnits(view->contentsScrollPosition().x());
+ // Layout may have affected the current frame:
+ auto* frameAfterLayout = this->frame();
+ if (!frameAfterLayout)
+ return 0;
+
+ FrameView* viewAfterLayout = frameAfterLayout->view();
+ if (!viewAfterLayout)
+ return 0;
+
+ return viewAfterLayout->mapFromLayoutToCSSUnits(viewAfterLayout->contentsScrollPosition().x());
}
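Review bot: After `updateLayoutIgnorePendingStylesheets()` the pre-layout `frame` and `view` locals (declared above the hunk; `frame` is visible in the surviving `frame->document()` call and `view` in the removed return) remain in scope, so the only thing keeping the stale `view` from being dereferenced again is the choice of the new names `frameAfterLayout`/`viewAfterLayout`. That is correct as written but fragile under future edits to the tail of scrollX. Make the constraint explicit in the comment, e.g. `// Layout may have run script that changed or detached the current frame; the pre-layout frame/view must not be used past this point.`, or move the early-out work into its own scope so the old pointers are not reachable here. scrollX begins outside the hunk.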
int DOMWindow::scrollY() const
@@ -1330,7 +1345,16 @@
frame->document()->updateLayoutIgnorePendingStylesheets();
- return view->mapFromLayoutToCSSUnits(view->contentsScrollPosition().y());
+ // Layout may have affected the current frame:
+ auto* frameAfterLayout = this->frame();
+ if (!frameAfterLayout)
+ return 0;
+
+ FrameView* viewAfterLayout = frameAfterLayout->view();
+ if (!viewAfterLayout)
+ return 0;
+
+ return viewAfterLayout->mapFromLayoutToCSSUnits(viewAfterLayout->contentsScrollPosition().y());
}
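Review bot: The ten-line tail added here is a byte-for-byte copy of the scrollX tail above, with only `.y()` differing, and innerHeight/innerWidth now repeat the same re-resolve-after-layout idiom; a single helper would keep the four sites from drifting (one of them already lacks the explanatory comment). A file-local helper suffices if `DOMWindow::frame()` is accessible from a free function, which I cannot confirm from this hunk; otherwise a private `frameViewAfterLayout() const` in DOMWindow.h would do. scrollY begins outside the hunk.
```cpp
// Re-resolve this window's frame and view after layout: layout may have run
// script that detached or replaced the frame, so pre-layout pointers are stale.
static FrameView* frameViewAfterLayout(const DOMWindow& window)
{
    auto* frame = window.frame();
    if (!frame)
        return nullptr;
    return frame->view();
}

    // … unchanged: scrollY early returns and updateLayoutIgnorePendingStylesheets() …
    auto* viewAfterLayout = frameViewAfterLayout(*this);
    if (!viewAfterLayout)
        return 0;
    return viewAfterLayout->mapFromLayoutToCSSUnits(viewAfterLayout->contentsScrollPosition().y());
```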
bool DOMWindow::closed() const