- Revision: 151702
- Author: [email protected]
- Date: 2013-06-18 15:03:07 -0700 (Tue, 18 Jun 2013)
Log Message
widthMediaFeatureEval ends up with null FrameView during iframe unload.
https://bugs.webkit.org/show_bug.cgi?id=117754
Patch by Zalan Bujtas <[email protected]> on 2013-06-18
Reviewed by Geoffrey Garen.
Ensure that MediaQueryEvaluator checks against NULL FrameView.
While frames are being unloaded, the Frame object does not necessarily have valid
FrameView anymore. Layout on the main frame can end up querying media values on such child
frames, while detaching.
Source/WebCore:
Test: fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html
* css/MediaQueryEvaluator.cpp:
(WebCore::orientationMediaFeatureEval):
(WebCore::aspect_ratioMediaFeatureEval):
(WebCore::evalResolution):
(WebCore::heightMediaFeatureEval):
(WebCore::widthMediaFeatureEval):
(WebCore::MediaQueryEvaluator::eval):
LayoutTests:
* fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery-expected.txt: Added.
* fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html: Added.
* fast/frames/resources/child-iframe-forces-parent-layout-on-unload.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (151701 => 151702)
--- trunk/LayoutTests/ChangeLog 2013-06-18 22:01:37 UTC (rev 151701)
+++ trunk/LayoutTests/ChangeLog 2013-06-18 22:03:07 UTC (rev 151702)
@@ -1,3 +1,20 @@
+2013-06-18 Zalan Bujtas <[email protected]>
+
+ widthMediaFeatureEval ends up with null FrameView during iframe unload.
+ https://bugs.webkit.org/show_bug.cgi?id=117754
+
+ Reviewed by Geoffrey Garen.
+
+ Ensure that MediaQueryEvaluator checks against NULL FrameView.
+
+ While frames are being unloaded, the Frame object does not necessarily have valid
+ FrameView anymore. Layout on the main frame can end up querying media values on such child
+ frames, while detaching.
+
+ * fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery-expected.txt: Added.
+ * fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html: Added.
+ * fast/frames/resources/child-iframe-forces-parent-layout-on-unload.html: Added.
+
2013-06-18 Eric Carlson <[email protected]>
Not all subtitle tracks are SDH
Added: trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery-expected.txt (0 => 151702)
--- trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery-expected.txt 2013-06-18 22:03:07 UTC (rev 151702)
@@ -0,0 +1,4 @@
+frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
+frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
+Ensures that when layout is forced during an unload event, frames with media queries do not crash.
+
Added: trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html (0 => 151702)
--- trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html 2013-06-18 22:03:07 UTC (rev 151702)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ function runTest() {
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ if (location.hash == "")
+ setTimeout('location.hash="#foo"; location.reload();', 0);
+ else if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ </script>
+</head>
+<body _onload_='runTest();'>
+<body>
+<div id='resizeThis'>Ensures that when layout is forced during an unload event, frames with media queries do not crash.</div>
+<iframe src=''></iframe>
+<iframe src=''>
+</iframe>
+</body>
+<html>
\ No newline at end of file
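Review bot: The markup near the end of this test is malformed: a second `<body>` follows `<body _onload_='runTest();'>`, and the last line is `<html>` where `</html>` is meant. As shown here both iframes also have `src=''`, so nothing in the visible markup loads resources/child-iframe-forces-parent-layout-on-unload.html or a document with a media query; the first iframe should point at the unload helper and the second at media-query content, otherwise the test can pass without exercising the null FrameView path. Passing a function to setTimeout instead of the string `'location.hash="#foo"; location.reload();'` would also avoid the implicit eval.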
Added: trunk/LayoutTests/fast/frames/resources/child-iframe-forces-parent-layout-on-unload.html (0 => 151702)
--- trunk/LayoutTests/fast/frames/resources/child-iframe-forces-parent-layout-on-unload.html (rev 0)
+++ trunk/LayoutTests/fast/frames/resources/child-iframe-forces-parent-layout-on-unload.html 2013-06-18 22:03:07 UTC (rev 151702)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ function leave() {
+ var e = parent.document.getElementById("resizeThis");
+ e.setAttribute("style", "height: 50px");
+ e.offsetTop;
+ }
+</script>
+</head>
+<body _onunload_='leave();'></body>
+<html>
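Review bot: The bare `e.offsetTop;` in leave() needs a comment saying it is there to force a synchronous layout of the parent document from the unload handler; as written it reads as a dead statement, and a later cleanup that deletes it would silently neuter the test. The file also ends with `<html>` rather than `</html>`.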
Modified: trunk/Source/WebCore/ChangeLog (151701 => 151702)
--- trunk/Source/WebCore/ChangeLog 2013-06-18 22:01:37 UTC (rev 151701)
+++ trunk/Source/WebCore/ChangeLog 2013-06-18 22:03:07 UTC (rev 151702)
@@ -1,3 +1,26 @@
+2013-06-18 Zalan Bujtas <[email protected]>
+
+ widthMediaFeatureEval ends up with null FrameView during iframe unload.
+ https://bugs.webkit.org/show_bug.cgi?id=117754
+
+ Reviewed by Geoffrey Garen.
+
+ Ensure that MediaQueryEvaluator checks against NULL FrameView.
+
+ While frames are being unloaded, the Frame object does not necessarily have valid
+ FrameView anymore. Layout on the main frame can end up querying media values on such child
+ frames, while detaching.
+
+ Test: fast/frames/crash-when-child-iframe-forces-layout-during-unload-and-sibling-frame-has-mediaquery.html
+
+ * css/MediaQueryEvaluator.cpp:
+ (WebCore::orientationMediaFeatureEval):
+ (WebCore::aspect_ratioMediaFeatureEval):
+ (WebCore::evalResolution):
+ (WebCore::heightMediaFeatureEval):
+ (WebCore::widthMediaFeatureEval):
+ (WebCore::MediaQueryEvaluator::eval):
+
2013-06-18 Ruth Fong <[email protected]>
Expose a getMediaType method in WebKit
Modified: trunk/Source/WebCore/css/MediaQueryEvaluator.cpp (151701 => 151702)
--- trunk/Source/WebCore/css/MediaQueryEvaluator.cpp 2013-06-18 22:01:37 UTC (rev 151701)
+++ trunk/Source/WebCore/css/MediaQueryEvaluator.cpp 2013-06-18 22:03:07 UTC (rev 151702)
@@ -243,6 +243,9 @@
static bool orientationMediaFeatureEval(CSSValue* value, RenderStyle*, Frame* frame, MediaFeaturePrefix)
{
FrameView* view = frame->view();
+ if (!view)
+ return false;
+
int width = view->layoutWidth();
int height = view->layoutHeight();
if (value && value->isPrimitiveValue()) {
@@ -258,10 +261,12 @@
static bool aspect_ratioMediaFeatureEval(CSSValue* value, RenderStyle*, Frame* frame, MediaFeaturePrefix op)
{
- if (value) {
- FrameView* view = frame->view();
+ FrameView* view = frame->view();
+ if (!view)
+ return true;
+
+ if (value)
return compareAspectRatioValue(value, view->layoutWidth(), view->layoutHeight(), op);
- }
// ({,min-,max-}aspect-ratio)
// assume if we have a device, its aspect ratio is non-zero
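Review bot: `if (!view) return true;` in aspect_ratioMediaFeatureEval is the only null-view guard in this patch that returns true; the other feature functions return false. With a non-null `value` this reports a (min-/max-)aspect-ratio comparison as matching for a frame that has no view to measure. If true is intended only for the value-less form covered by the comment below, keep the guard inside the `if (value)` branch and return false there, or explain the asymmetry in a comment or in the ChangeLog entry.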
@@ -283,13 +288,16 @@
static bool evalResolution(CSSValue* value, Frame* frame, MediaFeaturePrefix op)
{
// FIXME: Possible handle other media types than 'screen' and 'print'.
+ FrameView* view = frame->view();
+ if (!view)
+ return false;
+
float deviceScaleFactor = 0;
-
// This checks the actual media type applied to the document, and we know
// this method only got called if this media type matches the one defined
// in the query. Thus, if if the document's media type is "print", the
// media type of the query will either be "print" or "all".
- String mediaType = frame->view()->mediaType();
+ String mediaType = view->mediaType();
if (equalIgnoringCase(mediaType, "screen"))
deviceScaleFactor = frame->page()->deviceScaleFactor();
else if (equalIgnoringCase(mediaType, "print")) {
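Review bot: `frame->page()->deviceScaleFactor()` in the "screen" branch is still an unchecked dereference. The patch exists because a frame being detached may have lost its view; whether `frame->page()` can also be null in that state is not established by these lines, so either guard it alongside `view` or state why it cannot be null here. Separately, the context comment has a doubled word ("if if") that could be fixed while this function is being touched.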
@@ -389,6 +397,8 @@
static bool heightMediaFeatureEval(CSSValue* value, RenderStyle* style, Frame* frame, MediaFeaturePrefix op)
{
FrameView* view = frame->view();
+ if (!view)
+ return false;
if (value) {
int height = view->layoutHeight();
@@ -405,6 +415,8 @@
static bool widthMediaFeatureEval(CSSValue* value, RenderStyle* style, Frame* frame, MediaFeaturePrefix op)
{
FrameView* view = frame->view();
+ if (!view)
+ return false;
if (value) {
int width = view->layoutWidth();
@@ -691,7 +703,7 @@
bool MediaQueryEvaluator::eval(const MediaQueryExp* expr) const
{
- if (!m_frame || !m_style)
+ if (!m_frame || !m_frame->view() || !m_style)
return m_expResult;
if (!expr->isValid())
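Review bot: The new `!m_frame->view()` condition in MediaQueryEvaluator::eval returns `m_expResult`, while the per-feature guards added above return false (and true for aspect_ratio), so the same null-view state produces three different answers depending on where it is caught. If every feature function is reached only through eval, the per-function checks are unreachable after this guard and would be clearer as ASSERT(view); if some caller bypasses eval, name it in a comment and make the fallback value consistent with `m_expResult`.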