Title: [129966] trunk/Source/WebCore
- Revision
- 129966
- Author
- [email protected]
- Date
- 2012-09-28 18:35:35 -0700 (Fri, 28 Sep 2012)
Log Message
Crash re-entering Document layout with frame flattening enabled
https://bugs.webkit.org/show_bug.cgi?id=97841
Reviewed by Brady Eidson.
When creating a CachedFrame, clearTimers on the Frame later; it has to
be done after documentWillSuspendForPageCache(), because the style
changes that HTMLPlugInImageElement::documentWillSuspendForPageCache()
do can schedule a layout on the FrameView, and we don't want this layout
timer to fire while the page is in the page cache.
Add an assertion in FrameView::layout() that the document is not in
the page cache. Without the above change, this would assert in
the plugins/frameset-with-plugin-frame.html test.
* history/CachedFrame.cpp:
(WebCore::CachedFrame::CachedFrame):
* page/FrameView.cpp:
(WebCore::FrameView::layout):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (129965 => 129966)
--- trunk/Source/WebCore/ChangeLog 2012-09-29 00:45:07 UTC (rev 129965)
+++ trunk/Source/WebCore/ChangeLog 2012-09-29 01:35:35 UTC (rev 129966)
@@ -1,3 +1,25 @@
+2012-09-28 Simon Fraser <[email protected]>
+
+ Crash re-entering Document layout with frame flattening enabled
+ https://bugs.webkit.org/show_bug.cgi?id=97841
+
+ Reviewed by Brady Eidson.
+
+ When creating a CachedFrame, clearTimers on the Frame later; it has to
+ be done after documentWillSuspendForPageCache(), because the style
+ changes that HTMLPlugInImageElement::documentWillSuspendForPageCache()
+ do can schedule a layout on the FrameView, and we don't want this layout
+ timer to fire while the page is in the page cache.
+
+ Add an assertion in FrameView::layout() that the document is not in
+ the page cache. Without the above change, this would assert in
+ the plugins/frameset-with-plugin-frame.html test.
+
+ * history/CachedFrame.cpp:
+ (WebCore::CachedFrame::CachedFrame):
+ * page/FrameView.cpp:
+ (WebCore::FrameView::layout):
+
2012-09-28 Dan Carney <[email protected]>
Remove V8DOMWindowShell::getEntered
Modified: trunk/Source/WebCore/history/CachedFrame.cpp (129965 => 129966)
--- trunk/Source/WebCore/history/CachedFrame.cpp 2012-09-29 00:45:07 UTC (rev 129965)
+++ trunk/Source/WebCore/history/CachedFrame.cpp 2012-09-29 01:35:35 UTC (rev 129966)
@@ -157,7 +157,6 @@
// Custom scrollbar renderers will get reattached when the document comes out of the page cache
m_view->detachCustomScrollbars();
- frame->clearTimers();
m_document->setInPageCache(true);
frame->loader()->stopLoading(UnloadEventPolicyUnloadAndPageHide);
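Review bot: with this removal, m_document->setInPageCache(true) and frame->loader()->stopLoading(UnloadEventPolicyUnloadAndPageHide) now run while the frame's timers are still armed, and the unload/pagehide dispatch in stopLoading can run script that schedules more work; this only holds up because the whole constructor runs synchronously so nothing can fire before the later clearTimers() call, and a one-line comment here saying that timers are deliberately cleared later would stop the next reader from "fixing" the ordering back.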
@@ -183,6 +182,9 @@
frame->view()->clearBackingStores();
#endif
+ // documentWillSuspendForPageCache() can set up a layout timer on the FrameView, so clear timers after that.
+ frame->clearTimers();
+
// Deconstruct the FrameTree, to restore it later.
// We do this for two reasons:
// 1 - We reuse the main frame, so when it navigates to a new page load it needs to start with a blank FrameTree.
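Review bot: the new comment asserts that documentWillSuspendForPageCache() runs before this point, but that call is outside the visible context of this hunk; the reorder is only correct if it sits above the `#endif` shown here, and if Frame::clearTimers() actually unschedules the FrameView relayout timer rather than only the frame-level timers, so both should be confirmed (and the second stated in the ChangeLog) since otherwise the layout timer the ChangeLog describes would still be live in the page cache.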
Modified: trunk/Source/WebCore/page/FrameView.cpp (129965 => 129966)
--- trunk/Source/WebCore/page/FrameView.cpp 2012-09-29 00:45:07 UTC (rev 129965)
+++ trunk/Source/WebCore/page/FrameView.cpp 2012-09-29 01:35:35 UTC (rev 129966)
@@ -1031,6 +1031,7 @@
ASSERT(m_frame->view() == this);
Document* document = m_frame->document();
+ ASSERT(!document->inPageCache());
bool subtree;
RenderObject* root;
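Review bot: ASSERT(!document->inPageCache()) is compiled out in release builds, so the crash described in the ChangeLog is prevented only by the ordering change in CachedFrame.cpp; if a cached document can still reach layout() through some other path, consider an early return after the assertion (`if (document->inPageCache()) return;`) so release builds do not lay out a suspended document, and note in the ChangeLog that the existing plugins/frameset-with-plugin-frame.html test is what exercises the assertion.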
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes