Title: [142760] trunk
- Revision
- 142760
- Author
- [email protected]
- Date
- 2013-02-13 10:37:30 -0800 (Wed, 13 Feb 2013)
Log Message
.: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects.
https://bugs.webkit.org/show_bug.cgi?id=108695
Add a manual test. Unable to write a normal layout test because
1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
Reviewed by Abhishek Arya.
* ManualTests/scrolling-coordinator-viewport-constrained-crash.html: Added.
Source/WebCore: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects
https://bugs.webkit.org/show_bug.cgi?id=108695
See comments of RenderLayerModelObject::willBeDestroyed() below for details.
Reviewed by Abhishek Arya.
Test: ManualTests/scrolling-coordinator-viewport-constrained-crash.html
Unable to write a normal layout test because
1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::willBeDestroyed): Moved removeViewportConstrainedObject() call into RenderLayerModelObject::willBeDestroyed() because only RenderLayerModelObjects can be added as viewportConstrainedObjects.
* rendering/RenderLayerModelObject.cpp:
(WebCore::RenderLayerModelObject::willBeDestroyed): Changed this->view() (then view->frameView()) to this->frame() (then frame->view()) because when willBeDestroyed() is called, the document has set its renderView to 0 thus this->view() will return 0, causing removeViewportConstrainedObject() not called and a deleted RenderLayerModelObject in FrameView's viewportConstrainedObjects.
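As an added illustration, not WebKit code, here is a cut-down C++ model of the teardown ordering the log describes: a registry holds raw pointers to renderers, the document clears its renderView before renderers are destroyed, and the path used to reach the registry decides whether the entry is removed or left dangling. All type and function names below are stand-ins for their WebCore counterparts.

```cpp
// Added example (not WebKit code): a cut-down model of the registration pattern
// behind bug 108695. Type names mirror WebCore roles but are hypothetical.
#include <algorithm>
#include <memory>
#include <vector>
struct RenderObject;
// Stands in for FrameView: holds raw pointers to viewport-constrained renderers.
struct FrameView {
    std::vector<RenderObject*> viewportConstrainedObjects;
    void add(RenderObject* o) { viewportConstrainedObjects.push_back(o); }
    void remove(RenderObject* o) {
        auto& v = viewportConstrainedObjects;
        v.erase(std::remove(v.begin(), v.end(), o), v.end());
    }
};
struct RenderView { FrameView* frameView; };
struct Frame { FrameView* view; };
// Stands in for Document: renderView is cleared before renderers are torn down.
struct Document { Frame* frame; RenderView* renderView; };
struct RenderObject {
    Document* document;
    bool fixedLookup; // false: reach FrameView via view(); true: via frame()
    RenderObject(Document* d, bool fixed) : document(d), fixedLookup(fixed) {}
    RenderView* view() { return document->renderView; } // null during teardown
    Frame* frame() { return document->frame; }
    void willBeDestroyed() {
        FrameView* fv = nullptr;
        if (fixedLookup) { if (Frame* f = frame()) fv = f->view; }
        else if (RenderView* rv = view()) fv = rv->frameView;
        if (fv)
            fv->remove(this); // silently skipped when fv is null: the bug
    }
    ~RenderObject() { willBeDestroyed(); }
};
// Simulates document teardown: renderView cleared, then the renderer destroyed.
// Returns the registry entries left behind; 1 means a dangling pointer.
int danglingEntriesAfterTeardown(bool fixed) {
    FrameView frameView;
    RenderView renderView{&frameView};
    Frame frame{&frameView};
    Document document{&frame, &renderView};
    {
        auto obj = std::make_unique<RenderObject>(&document, fixed);
        frameView.add(obj.get());
        document.renderView = nullptr; // Document clears renderView first
    } // obj destroyed here, willBeDestroyed() runs
    return static_cast<int>(frameView.viewportConstrainedObjects.size());
}
```

With the view() path the entry survives the renderer and any later walk of the registry (as in hasVisibleSlowRepaintViewportConstrainedObjects) dereferences freed memory; with the frame() path the entry is removed.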
Diff
Modified: trunk/ChangeLog (142759 => 142760)
--- trunk/ChangeLog 2013-02-13 17:49:47 UTC (rev 142759)
+++ trunk/ChangeLog 2013-02-13 18:37:30 UTC (rev 142760)
@@ -1,3 +1,16 @@
+2013-02-13 Xianzhu Wang <[email protected]>
+
+ Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects.
+ https://bugs.webkit.org/show_bug.cgi?id=108695
+
+ Add a manual test. Unable to write a normal layout test because
+ 1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
+ 2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
+
+ Reviewed by Abhishek Arya.
+
+ * ManualTests/scrolling-coordinator-viewport-constrained-crash.html: Added.
+
2013-02-13 Martin Robinson <[email protected]>
[GTK] Remove support for compiling with GStreamer 0.10
Added: trunk/ManualTests/scrolling-coordinator-viewport-constrained-crash.html (0 => 142760)
--- trunk/ManualTests/scrolling-coordinator-viewport-constrained-crash.html (rev 0)
+++ trunk/ManualTests/scrolling-coordinator-viewport-constrained-crash.html 2013-02-13 18:37:30 UTC (rev 142760)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ function test()
+ {
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ window.location.href = ""
+ }
+ </script>
+</head>
+<body _onload_="test()">
+ <!-- Tests https://bugs.webkit.org/show_bug.cgi?id=108695. Should not crash. -->
+ <div style="position: fixed"></div>
+ <div style="position: -webkit-sticky"></div>
+</body>
+</html>
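Review bot: the body tag uses the attribute name `_onload_`, so `test()` is never attached to the load event; it should be `onload="test()"`. Also, `window.location.href = ""` assigns an empty string while the ChangeLog says the crash needs navigation to a redirected URL; name that target (or document it in the comment) so a tester can actually reproduce the scenario.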
Modified: trunk/Source/WebCore/ChangeLog (142759 => 142760)
--- trunk/Source/WebCore/ChangeLog 2013-02-13 17:49:47 UTC (rev 142759)
+++ trunk/Source/WebCore/ChangeLog 2013-02-13 18:37:30 UTC (rev 142760)
@@ -1,3 +1,22 @@
+2013-02-13 Xianzhu Wang <[email protected]>
+
+ Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects
+ https://bugs.webkit.org/show_bug.cgi?id=108695
+
+ See comments of RenderLayerModelObject::willBeDestroyed() below for details.
+
+ Reviewed by Abhishek Arya.
+
+ Test: ManulTests/scrolling-coordinator-viewport-constrained-crash.html
+ Unable to write a normal layout test because
+ 1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
+ 2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
+
+ * rendering/RenderBoxModelObject.cpp:
+ (WebCore::RenderBoxModelObject::willBeDestroyed): Moved removeViewportConstrainedObject() call into RenderLayerModelObject::willBeDestroyed() because only RenderLayerModelObjects can be added as viewportConstrainedObjects.
+ * rendering/RenderLayerModelObject.cpp:
+ (WebCore::RenderLayerModelObject::willBeDestroyed): Changed this->view() (then view->frameView()) to this->frame() (then frame->view()) because when willBeDestroyed() is called, the document has set its renderView to 0 thus this->view() will return 0, causing removeViewportConstrainedObject() not called and a deleted RenderLayerModelObject in FrameView's viewportConstrainedObjects.
+
2013-02-13 Florin Malita <[email protected]>
[SVG] OOB access in SVGListProperty::replaceItemValues()
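Review bot: the `Test:` line reads `ManulTests/...`, but the file added in this revision lives under `ManualTests/`; fix the path so the reference matches the added file.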
Modified: trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp (142759 => 142760)
--- trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp 2013-02-13 17:49:47 UTC (rev 142759)
+++ trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp 2013-02-13 18:37:30 UTC (rev 142760)
@@ -331,15 +331,6 @@
// A continuation of this RenderObject should be destroyed at subclasses.
ASSERT(!continuation());
- if (isPositioned()) {
- if (RenderView* view = this->view()) {
- if (FrameView* frameView = view->frameView()) {
- if (style()->hasViewportConstrainedPosition())
- frameView->removeViewportConstrainedObject(this);
- }
- }
- }
-
// If this is a first-letter object with a remaining text fragment then the
// entry needs to be cleared from the map.
if (firstLetterRemainingText())
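Review bot: deleting this block removes the only unregistration point in RenderBoxModelObject, which is safe only under the invariant stated in the ChangeLog that nothing but a RenderLayerModelObject is ever added as a viewport-constrained object. Worth enforcing that at the add site with an ASSERT, so a future positioned RenderBoxModelObject that is not a RenderLayerModelObject cannot reintroduce the dangling entry silently.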
Modified: trunk/Source/WebCore/rendering/RenderLayerModelObject.cpp (142759 => 142760)
--- trunk/Source/WebCore/rendering/RenderLayerModelObject.cpp 2013-02-13 17:49:47 UTC (rev 142759)
+++ trunk/Source/WebCore/rendering/RenderLayerModelObject.cpp 2013-02-13 18:37:30 UTC (rev 142760)
@@ -76,6 +76,16 @@
void RenderLayerModelObject::willBeDestroyed()
{
+ if (isPositioned()) {
+ // Don't use this->view() because the document's renderView has been set to 0 during destruction.
+ if (Frame* frame = this->frame()) {
+ if (FrameView* frameView = frame->view()) {
+ if (style()->hasViewportConstrainedPosition())
+ frameView->removeViewportConstrainedObject(this);
+ }
+ }
+ }
+
// RenderObject::willBeDestroyed calls back to destroyLayer() for layer destruction
RenderObject::willBeDestroyed();
}
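Review bot: the new block still skips `removeViewportConstrainedObject(this)` silently when `frame()` or `frame->view()` is null, the same failure shape that left the dangling pointer via `this->view()`; if a non-null frame is expected at this point in destruction, an ASSERT would turn a future ordering change into a test failure rather than a use-after-free. Consider also testing `style()->hasViewportConstrainedPosition()` before the frame lookups so the common case does no pointer chasing.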
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes