Diff
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-19 21:18:04 UTC (rev 288236)
@@ -1,3 +1,13 @@
+2021-10-09 Rob Buis <[email protected]>
+
+ Remove scrollbars explicitly when destroying render tree
+ https://bugs.webkit.org/show_bug.cgi?id=229274
+
+ Reviewed by Simon Fraser.
+
+ * editing/inserting/insert-html-crash-02-expected.txt: Added.
+ * editing/inserting/insert-html-crash-02.html: Added.
+
2021-10-05 Chris Dumez <[email protected]>
ASSERT(m_callback->hasCallback()) under IntersectionObserver::notify()
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt (0 => 288236)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02-expected.txt 2022-01-19 21:18:04 UTC (rev 288236)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02.html (0 => 288236)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02.html (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/editing/inserting/insert-html-crash-02.html 2022-01-19 21:18:04 UTC (rev 288236)
@@ -0,0 +1,22 @@
+<style>
+ iframe, iframe::-webkit-scrollbar {
+ block-size: 0;
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ document.designMode = 'on';
+ let iframe0 = document.createElement('iframe');
+ document.body.appendChild(iframe0);
+ document.body.appendChild(document.createElement('iframe'));
+ getSelection().extend(document.body);
+ iframe0.contentDocument._onvisibilitychange_ = () => {
+ document.execCommand('InsertHTML', false, 'foo');
+ };
+ setTimeout(function() { document.write("PASS. WebKit didn't crash."); testRunner.notifyDone(); }, 1000);
+ };
+</script>
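Review bot: The `setTimeout` callback calls `testRunner.notifyDone()` unconditionally, although the earlier `testRunner` calls are wrapped in `if (window.testRunner)`; opened in a plain browser the callback throws right after writing the PASS line. Guard it the same way, `if (window.testRunner) testRunner.notifyDone();`. The fixed 1000 ms wait means the PASS text only shows that no crash happened within that second, so a failure on a slow bot may show up as a timeout rather than a crash. As rendered here the handler names read `_onload_` and `_onvisibilitychange_`, which is presumably an artifact of the page rendering rather than the committed file.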
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-19 21:18:04 UTC (rev 288236)
@@ -1,3 +1,25 @@
+2021-10-09 Rob Buis <[email protected]>
+
+ Remove scrollbars explicitly when destroying render tree
+ https://bugs.webkit.org/show_bug.cgi?id=229274
+
+ Reviewed by Simon Fraser.
+
+ Scrollbars in FrameViews that are hosted by RenderWidget need the RenderView
+ to exist because of RenderScrollbarPart. So when we are destroying the render tree
+ the RenderView will be destroyed too, so before that happens remove the scrollbars
+ and its RenderScrollbarParts.
+
+ Test: editing/inserting/insert-html-crash-02.html
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::willBeDestroyed):
+ * page/FrameView.h:
+ * platform/Widget.h:
+ (WebCore::Widget::willBeDestroyed):
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::willBeDestroyed):
+
2021-10-05 Chris Dumez <[email protected]>
ASSERT(m_callback->hasCallback()) under IntersectionObserver::notify()
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.cpp (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.cpp 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.cpp 2022-01-19 21:18:04 UTC (rev 288236)
@@ -352,6 +352,12 @@
m_scrollCorner = nullptr;
}
+void FrameView::willBeDestroyed()
+{
+ setHasHorizontalScrollbar(false);
+ setHasVerticalScrollbar(false);
+}
+
void FrameView::recalculateScrollbarOverlayStyle()
{
auto style = [this] {
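Review bot: `FrameView::willBeDestroyed()` has no comment stating the lifetime rule it enforces, which only the ChangeLog records: scrollbars of a FrameView hosted by a RenderWidget have RenderScrollbarParts that need the RenderView, so they must be removed before the render tree is torn down. I would put that on the function, e.g. `// Scrollbar parts need the RenderView; remove the scrollbars before the render tree is destroyed.`, so a later cleanup does not drop the two calls as redundant and bring the crash back. The context line `m_scrollCorner = nullptr;` belongs to the preceding function; if the scroll corner is also backed by a RenderScrollbarPart it may need the same treatment here, which is worth confirming. `recalculateScrollbarOverlayStyle()` continues past the end of the hunk.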
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.h (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.h 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/page/FrameView.h 2022-01-19 21:18:04 UTC (rev 288236)
@@ -682,6 +682,8 @@
String debugDescription() const final;
+ void willBeDestroyed() final;
+
// ScrollView
void updateScrollbarSteps() override;
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/platform/Widget.h (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/platform/Widget.h 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/platform/Widget.h 2022-01-19 21:18:04 UTC (rev 288236)
@@ -175,6 +175,8 @@
// the frame rects be the same no matter what transforms are applied.
virtual bool transformsAffectFrameRect() { return true; }
+ virtual void willBeDestroyed() { }
+
#if PLATFORM(COCOA)
NSView* getOuterView() const;
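Review bot: `virtual void willBeDestroyed() { }` is added to `Widget` with no stated contract, and the name reads as if the Widget itself is about to be destroyed, whereas the only caller in this commit (RenderWidget.cpp) invokes it when the hosting renderer goes away during render-tree teardown. A comment such as `// Called by the hosting RenderWidget while the render tree is being destroyed; overrides release anything that depends on the RenderView.` would tell authors of overrides what they may assume. It should also say whether the widget may still be used after the call, since nothing in the commit shows the widget's own lifetime ending at that point.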
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderWidget.cpp (288235 => 288236)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderWidget.cpp 2022-01-19 21:17:54 UTC (rev 288235)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderWidget.cpp 2022-01-19 21:18:04 UTC (rev 288236)
@@ -103,6 +103,9 @@
cache->remove(this);
}
+ if (renderTreeBeingDestroyed() && document().backForwardCacheState() == Document::NotInBackForwardCache && m_widget)
+ m_widget->willBeDestroyed();
+
setWidget(nullptr);
RenderReplaced::willBeDestroyed();
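Review bot: The new condition skips documents that are in the back/forward cache without saying why, and the reason is not in the ChangeLog either. I assume a cached FrameView has to keep its scrollbars for restoration; if so, a one-line comment above the `if` such as `// Cached pages keep their scrollbars; only tear them down on real render tree destruction.` should record it, and if not, the exclusion needs another look because it leaves the pre-fix behaviour in place for that state. Since `willBeDestroyed()` is virtual and the FrameView override removes scrollbars, it is also worth confirming that nothing reached from it can clear `m_widget` before `setWidget(nullptr)` runs. The enclosing function starts before the hunk.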