Diff
Modified: trunk/LayoutTests/ChangeLog (102828 => 102829)
--- trunk/LayoutTests/ChangeLog 2011-12-14 22:38:06 UTC (rev 102828)
+++ trunk/LayoutTests/ChangeLog 2011-12-14 22:52:08 UTC (rev 102829)
@@ -1,3 +1,14 @@
+2011-12-14 Brady Eidson <[email protected]>
+
+ <rdar://problem/10576732> and https://bugs.webkit.org/show_bug.cgi?id=74533
+ REGRESSION(r102619): Reproducible crash closing window with video + poster image inside an object element
+
+ Reviewed by Darin Adler.
+
+ * media/crash-closing-page-with-media-as-plugin-fallback-expected.txt: Added.
+ * media/crash-closing-page-with-media-as-plugin-fallback.html: Added.
+ * media/resources/video-with-poster-as-object-fallback.html: Added.
+
2011-12-14 Ryosuke Niwa <[email protected]>
Skip fast/forms/select/menulist-onchange-fired-with-key-up-down.html on Mac since
Added: trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback-expected.txt (0 => 102829)
--- trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback-expected.txt (rev 0)
+++ trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback-expected.txt 2011-12-14 22:52:08 UTC (rev 102829)
@@ -0,0 +1,6 @@
+This test makes sure that closing a window with a video element that has a poster image doesn't crash (radar 10576732 and https://bugs.webkit.org/show_bug.cgi?id=74533)
+If it doesn't crash, it passes.
+Click here to open test window
+Closed the window without crashing!
+
+
Added: trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback.html (0 => 102829)
--- trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback.html (rev 0)
+++ trunk/LayoutTests/media/crash-closing-page-with-media-as-plugin-fallback.html 2011-12-14 22:52:08 UTC (rev 102829)
@@ -0,0 +1,41 @@
+<script>
+var childWindow;
+</script>
+This test makes sure that closing a window with a video element that has a poster image doesn't crash (radar 10576732 and https://bugs.webkit.org/show_bug.cgi?id=74533)<br>
+If it doesn't crash, it passes.<br>
+<button id="button" _onclick_="childWindow = window.open('resources/video-with-poster-as-object-fallback.html')">
+ Click here to open test window
+</button><br>
+<div id="result"></div><br>
+
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+ layoutTestController.overridePreference("WebKitPageCacheSupportsPluginsPreferenceKey", 1);
+ layoutTestController.setCanOpenWindows(true);
+ layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+ var button = document.getElementById("button");
+ eventSender.mouseMoveTo(button.offsetParent.offsetLeft + button.offsetLeft + button.offsetWidth / 2, button.offsetParent.offsetTop + button.offsetTop + button.offsetHeight / 2);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+function childLoaded()
+{
+ childWindow.close();
+ setTimeout("checkClosed()", 0);
+}
+
+function checkClosed()
+{
+ if (childWindow.closed) {
+ document.getElementById("result").innerText = "Closed the window without crashing!";
+ if (window.layoutTestController)
+ setTimeout("layoutTestController.notifyDone();", 0);
+ }
+ setTimeout("checkClosed()", 0);
+}
+
+</script>
Added: trunk/LayoutTests/media/resources/video-with-poster-as-object-fallback.html (0 => 102829)
--- trunk/LayoutTests/media/resources/video-with-poster-as-object-fallback.html (rev 0)
+++ trunk/LayoutTests/media/resources/video-with-poster-as-object-fallback.html 2011-12-14 22:52:08 UTC (rev 102829)
@@ -0,0 +1,10 @@
+<script src=""
+<body _onload_="opener.childLoaded()">
+<object height="500" width="500">
+<video id="theVideo" controls="controls" poster="../content/abe.png" preload="auto">
+</video>
+<script>
+document.getElementById("theVideo").src = "" '../content/counting');
+</script>
+</object>
+</body>
Modified: trunk/Source/WebCore/ChangeLog (102828 => 102829)
--- trunk/Source/WebCore/ChangeLog 2011-12-14 22:38:06 UTC (rev 102828)
+++ trunk/Source/WebCore/ChangeLog 2011-12-14 22:52:08 UTC (rev 102829)
@@ -1,3 +1,21 @@
+2011-12-14 Brady Eidson <[email protected]>
+
+ <rdar://problem/10576732> and https://bugs.webkit.org/show_bug.cgi?id=74533
+ REGRESSION(r102619): Reproducible crash closing window with video + poster image inside an object element
+
+ Reviewed by Darin Adler.
+
+ Test: media/crash-closing-page-with-media-as-plugin-fallback.html
+
+ Switch HTMLPlugInImageElement from using document activation callbacks to using the ActiveDOMObject
+ mechanism which will prevent the unnecessary (and crashy) work at Document teardown:
+ * html/HTMLPlugInImageElement.cpp:
+ (WebCore::HTMLPlugInImageElement::HTMLPlugInImageElement):
+ (WebCore::HTMLPlugInImageElement::canSuspend):
+ (WebCore::HTMLPlugInImageElement::suspend):
+ (WebCore::HTMLPlugInImageElement::resume):
+ * html/HTMLPlugInImageElement.h:
+
2011-12-14 Adrienne Walker <[email protected]>
[chromium] Compositor needs to set texture filtering on canvas layers
Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (102828 => 102829)
--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2011-12-14 22:38:06 UTC (rev 102828)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2011-12-14 22:52:08 UTC (rev 102829)
@@ -37,6 +37,7 @@
HTMLPlugInImageElement::HTMLPlugInImageElement(const QualifiedName& tagName, Document* document, bool createdByParser, PreferPlugInsForImagesOption preferPlugInsForImagesOption)
: HTMLPlugInElement(tagName, document)
+ , ActiveDOMObject(document, this)
// m_needsWidgetUpdate(!createdByParser) allows HTMLObjectElement to delay
// widget updates until after all children are parsed. For HTMLEmbedElement
// this delay is unnecessary, but it is simpler to make both classes share
@@ -202,27 +203,16 @@
setNeedsStyleRecalc();
}
-void HTMLPlugInImageElement::willMoveToNewOwnerDocument()
+bool HTMLPlugInImageElement::canSuspend() const
{
- if (m_needsDocumentActivationCallbacks)
- document()->unregisterForDocumentActivationCallbacks(this);
-
- if (m_imageLoader)
- m_imageLoader->elementWillMoveToNewOwnerDocument();
-
- HTMLPlugInElement::willMoveToNewOwnerDocument();
+ return true;
}
-void HTMLPlugInImageElement::didMoveToNewOwnerDocument()
+void HTMLPlugInImageElement::suspend(ReasonForSuspension reason)
{
- if (m_needsDocumentActivationCallbacks)
- document()->registerForDocumentActivationCallbacks(this);
-
- HTMLPlugInElement::didMoveToNewOwnerDocument();
-}
+ if (reason != DocumentWillBecomeInactive)
+ return;
-void HTMLPlugInImageElement::documentWillBecomeInactive()
-{
if (RenderStyle* rs = renderStyle()) {
m_customStyleForPageCache = RenderStyle::clone(rs);
m_customStyleForPageCache->setDisplay(NONE);
@@ -232,11 +222,9 @@
if (m_customStyleForPageCache)
recalcStyle(Force);
-
- HTMLPlugInElement::documentWillBecomeInactive();
}
-void HTMLPlugInImageElement::documentDidBecomeActive()
+void HTMLPlugInImageElement::resume()
{
clearHasCustomStyleForRenderer();
@@ -244,8 +232,6 @@
m_customStyleForPageCache = 0;
recalcStyle(Force);
}
-
- HTMLPlugInElement::documentDidBecomeActive();
}
PassRefPtr<RenderStyle> HTMLPlugInImageElement::customStyleForRenderer()
Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.h (102828 => 102829)
--- trunk/Source/WebCore/html/HTMLPlugInImageElement.h 2011-12-14 22:38:06 UTC (rev 102828)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.h 2011-12-14 22:52:08 UTC (rev 102829)
@@ -21,8 +21,8 @@
#ifndef HTMLPlugInImageElement_h
#define HTMLPlugInImageElement_h
+#include "ActiveDOMObject.h"
#include "HTMLPlugInElement.h"
-
#include "RenderStyle.h"
#include <wtf/OwnPtr.h>
@@ -42,7 +42,7 @@
};
// Base class for HTMLObjectElement and HTMLEmbedElement
-class HTMLPlugInImageElement : public HTMLPlugInElement {
+class HTMLPlugInImageElement : public HTMLPlugInElement, public ActiveDOMObject {
public:
virtual ~HTMLPlugInImageElement();
@@ -53,7 +53,7 @@
const String& serviceType() const { return m_serviceType; }
const String& url() const { return m_url; }
bool shouldPreferPlugInsForImages() const { return m_shouldPreferPlugInsForImages; }
-
+
protected:
HTMLPlugInImageElement(const QualifiedName& tagName, Document*, bool createdByParser, PreferPlugInsForImagesOption);
@@ -73,11 +73,9 @@
bool allowedToLoadFrameURL(const String& url);
bool wouldLoadAsNetscapePlugin(const String& url, const String& serviceType);
- virtual void willMoveToNewOwnerDocument() OVERRIDE;
- virtual void didMoveToNewOwnerDocument() OVERRIDE;
-
- virtual void documentWillBecomeInactive() OVERRIDE;
- virtual void documentDidBecomeActive() OVERRIDE;
+ virtual bool canSuspend() const OVERRIDE;
+ virtual void suspend(ReasonForSuspension) OVERRIDE;
+ virtual void resume() OVERRIDE;
virtual PassRefPtr<RenderStyle> customStyleForRenderer() OVERRIDE;
