Title: [283868] trunk
- Revision
- 283868
- Author
- [email protected]
- Date
- 2021-10-09 13:38:20 -0700 (Sat, 09 Oct 2021)
Log Message
Remove scrollbars explicitly when destroying render tree
https://bugs.webkit.org/show_bug.cgi?id=229274
Patch by Rob Buis <[email protected]> on 2021-10-09
Reviewed by Simon Fraser.
Source/WebCore:
Scrollbars in FrameViews that are hosted by RenderWidget need the RenderView
to exist because of RenderScrollbarPart. So when we are destroying the render tree
the RenderView will be destroyed too, so before that happens remove the scrollbars
and its RenderScrollbarParts.
Test: editing/inserting/insert-html-crash-02.html
* page/FrameView.cpp:
(WebCore::FrameView::willBeDestroyed):
* page/FrameView.h:
* platform/Widget.h:
(WebCore::Widget::willBeDestroyed):
* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::willBeDestroyed):
LayoutTests:
* editing/inserting/insert-html-crash-02-expected.txt: Added.
* editing/inserting/insert-html-crash-02.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (283867 => 283868)
--- trunk/LayoutTests/ChangeLog 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/LayoutTests/ChangeLog 2021-10-09 20:38:20 UTC (rev 283868)
@@ -1,3 +1,13 @@
+2021-10-09 Rob Buis <[email protected]>
+
+ Remove scrollbars explicitly when destroying render tree
+ https://bugs.webkit.org/show_bug.cgi?id=229274
+
+ Reviewed by Simon Fraser.
+
+ * editing/inserting/insert-html-crash-02-expected.txt: Added.
+ * editing/inserting/insert-html-crash-02.html: Added.
+
2021-10-08 Devin Rousso <[email protected]>
[GPU Process] support rendering Apple Pay logos
Added: trunk/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt (0 => 283868)
--- trunk/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt 2021-10-09 20:38:20 UTC (rev 283868)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/editing/inserting/insert-html-crash-02.html (0 => 283868)
--- trunk/LayoutTests/editing/inserting/insert-html-crash-02.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-html-crash-02.html 2021-10-09 20:38:20 UTC (rev 283868)
@@ -0,0 +1,22 @@
+<style>
+ iframe, iframe::-webkit-scrollbar {
+ block-size: 0;
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ document.designMode = 'on';
+ let iframe0 = document.createElement('iframe');
+ document.body.appendChild(iframe0);
+ document.body.appendChild(document.createElement('iframe'));
+ getSelection().extend(document.body);
+ iframe0.contentDocument._onvisibilitychange_ = () => {
+ document.execCommand('InsertHTML', false, 'foo');
+ };
+ setTimeout(function() { document.write("PASS. WebKit didn't crash."); testRunner.notifyDone(); }, 1000);
+ };
+</script>
Modified: trunk/Source/WebCore/ChangeLog (283867 => 283868)
--- trunk/Source/WebCore/ChangeLog 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/Source/WebCore/ChangeLog 2021-10-09 20:38:20 UTC (rev 283868)
@@ -1,3 +1,25 @@
+2021-10-09 Rob Buis <[email protected]>
+
+ Remove scrollbars explicitly when destroying render tree
+ https://bugs.webkit.org/show_bug.cgi?id=229274
+
+ Reviewed by Simon Fraser.
+
+ Scrollbars in FrameViews that are hosted by RenderWidget need the RenderView
+ to exist because of RenderScrollbarPart. So when we are destroying the render tree
+ the RenderView will be destroyed too, so before that happens remove the scrollbars
+ and its RenderScrollbarParts.
+
+ Test: editing/inserting/insert-html-crash-02.html
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::willBeDestroyed):
+ * page/FrameView.h:
+ * platform/Widget.h:
+ (WebCore::Widget::willBeDestroyed):
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::willBeDestroyed):
+
2021-10-08 Devin Rousso <[email protected]>
[GPU Process] support rendering Apple Pay logos
Modified: trunk/Source/WebCore/page/FrameView.cpp (283867 => 283868)
--- trunk/Source/WebCore/page/FrameView.cpp 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/Source/WebCore/page/FrameView.cpp 2021-10-09 20:38:20 UTC (rev 283868)
@@ -353,6 +353,12 @@
m_scrollCorner = nullptr;
}
+void FrameView::willBeDestroyed()
+{
+ setHasHorizontalScrollbar(false);
+ setHasVerticalScrollbar(false);
+}
+
void FrameView::recalculateScrollbarOverlayStyle()
{
auto style = [this] {
Modified: trunk/Source/WebCore/page/FrameView.h (283867 => 283868)
--- trunk/Source/WebCore/page/FrameView.h 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/Source/WebCore/page/FrameView.h 2021-10-09 20:38:20 UTC (rev 283868)
@@ -687,6 +687,8 @@
String debugDescription() const final;
+ void willBeDestroyed() final;
+
// ScrollView
void updateScrollbarSteps() override;
Modified: trunk/Source/WebCore/platform/Widget.h (283867 => 283868)
--- trunk/Source/WebCore/platform/Widget.h 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/Source/WebCore/platform/Widget.h 2021-10-09 20:38:20 UTC (rev 283868)
@@ -175,6 +175,8 @@
// the frame rects be the same no matter what transforms are applied.
virtual bool transformsAffectFrameRect() { return true; }
+ virtual void willBeDestroyed() { }
+
#if PLATFORM(COCOA)
virtual id accessibilityHitTest(const IntPoint&) const { return nil; }
virtual id accessibilityObject() const { return nil; }
Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (283867 => 283868)
--- trunk/Source/WebCore/rendering/RenderWidget.cpp 2021-10-09 13:13:52 UTC (rev 283867)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp 2021-10-09 20:38:20 UTC (rev 283868)
@@ -103,6 +103,9 @@
cache->remove(this);
}
+ if (renderTreeBeingDestroyed() && document().backForwardCacheState() == Document::NotInBackForwardCache && m_widget)
+ m_widget->willBeDestroyed();
+
setWidget(nullptr);
RenderReplaced::willBeDestroyed();
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
