Title: [157298] trunk
Revision: 157298
Author: [email protected]
Date: 2013-10-11 02:43:56 -0700 (Fri, 11 Oct 2013)
Log Message
Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
http://webkit.org/b/121033
Reviewed by Darin Adler.
Source/WebCore:
Add an ASSERT to detect if an animation client will be removed
during the callback dispatch.
Test: fast/animation/request-animation-frame-remove-client.html
* platform/graphics/DisplayRefreshMonitor.cpp:
(WebCore::DisplayRefreshMonitor::displayDidRefresh):
LayoutTests:
Test that the assertion fires if you try to remove a potential client while in an
animation dispatch.
* TestExpectations: Mark test as crashing.
* fast/animation/request-animation-frame-remove-client-expected.txt: Added.
* fast/animation/request-animation-frame-remove-client.html: Added.
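The pattern behind this bug, as an added illustration that is not WebKit code: the monitor snapshots its client set into a vector and then fires each client in turn, but firing a client runs requestAnimationFrame callbacks, which can remove (and free) any other client, including one still ahead in the snapshot. The model below (the names Monitor, Client, Outcome and runScenario are hypothetical, and a `removed` flag stands in for the object actually being freed) contrasts the pre-r157298 loop with a loop that re-checks membership before each call, which is the release-build counterpart of the ASSERT this revision adds.

```cpp
// Added example, not WebKit code: a minimal model of the DisplayRefreshMonitor
// dispatch loop. Monitor, Client, Outcome and runScenario are hypothetical names;
// Client::removed stands in for "this object has been deleted".
#include <algorithm>
#include <cstddef>
#include <vector>

struct Monitor;

struct Client {
    Client* victim = nullptr;  // client this one removes when fired (nullptr: none)
    bool removed = false;      // model of the object having been freed
    int fired = 0;
    void fireDisplayRefreshIfNeeded(Monitor& monitor);
};

struct Monitor {
    // Model of m_clients; insertion order is kept so the scenario is deterministic
    // (the real HashSet has no defined order, which is why the layout test uses
    // several iframes and lets the dispatch order fall where it may).
    std::vector<Client*> m_clients;
    int staleCalls = 0;  // calls made into a client after it was removed

    bool contains(Client* client) const {
        return std::find(m_clients.begin(), m_clients.end(), client) != m_clients.end();
    }
    void addClient(Client* client) {
        if (!contains(client))
            m_clients.push_back(client);
    }
    void removeClient(Client* client) {
        m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), client), m_clients.end());
        client->removed = true;  // the real code frees the client with its frame
    }

    // Shape of the loop before r157298: snapshot, then call every entry.
    // The snapshot protects the iteration from mutation of m_clients; it does
    // nothing for the lifetime of the objects the snapshot points to.
    void displayDidRefreshUnsafe() {
        std::vector<Client*> clients = m_clients;
        for (Client* client : clients) {
            if (client->removed) {  // in the real code this is the use-after-free
                ++staleCalls;
                continue;
            }
            client->fireDisplayRefreshIfNeeded(*this);
        }
    }

    // Hardened loop: re-check membership before each call. r157298 only ASSERTs
    // here (debug builds); skipping the stale entry is what keeps release builds
    // off the freed object as well.
    void displayDidRefreshHardened() {
        std::vector<Client*> clients = m_clients;
        for (Client* client : clients) {
            if (!contains(client))
                continue;  // removed by an earlier callback in this same dispatch
            client->fireDisplayRefreshIfNeeded(*this);
        }
    }
};

void Client::fireDisplayRefreshIfNeeded(Monitor& monitor) {
    ++fired;
    // Stands in for the JavaScript rAF callback calling removeChild(iframe).
    if (victim && monitor.contains(victim))
        monitor.removeClient(victim);
}

struct Outcome {
    int staleCalls;
    int removerFired;
    int victimFired;
    std::size_t clientsLeft;
};

// Two clients; the one registered first removes the second when fired, so the
// victim is still ahead in the snapshot when it disappears from m_clients.
Outcome runScenario(bool hardened) {
    Monitor monitor;
    Client remover;
    Client victim;
    remover.victim = &victim;
    monitor.addClient(&remover);
    monitor.addClient(&victim);
    if (hardened)
        monitor.displayDidRefreshHardened();
    else
        monitor.displayDidRefreshUnsafe();
    return { monitor.staleCalls, remover.fired, victim.fired, monitor.m_clients.size() };
}
```

With the unsafe loop, `runScenario(false)` reports one stale call: the remover fires, the victim is dropped from `m_clients`, and the loop still calls into it from the snapshot. With the hardened loop the victim is skipped and no stale call is made. Two caveats carry over to the real code: the membership test compares pointers, so a client freed and replaced by a new one at the same address during the dispatch would pass it (holding a reference to each client across the call, or a generation counter, closes that gap), and an ASSERT alone changes nothing in release builds.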
Diff
Modified: trunk/LayoutTests/ChangeLog (157297 => 157298)
--- trunk/LayoutTests/ChangeLog 2013-10-11 09:39:28 UTC (rev 157297)
+++ trunk/LayoutTests/ChangeLog 2013-10-11 09:43:56 UTC (rev 157298)
@@ -1,3 +1,17 @@
+2013-10-10 Dean Jackson <[email protected]>
+
+ Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
+ http://webkit.org/b/121033
+
+ Reviewed by Darin Adler.
+
+ Test that assertion fires if you try to remove potential client while in a
+ animation dispatch.
+
+ * TestExpectations: Mark test as crashing.
+ * fast/animation/request-animation-frame-remove-client-expected.txt: Added.
+ * fast/animation/request-animation-frame-remove-client.html: Added.
+
2013-10-11 Zalan Bujtas <[email protected]>
REGRESSION (r155607): _javascript_ site does not load visually on panerabread.com
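Review bot: two grammar slips in the new entry: "remove potential client" should read "remove a potential client" and "a animation dispatch" should read "an animation dispatch". The entry also says "Mark test as crashing" without saying why a use-after-free is being marked rather than fixed; one sentence noting that the expected crash is the debug-only ASSERT added in Source/WebCore and that the fix itself remains open under webkit.org/b/121033 would make the placeholder nature of the expectation clear to whoever cleans it up later.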
Modified: trunk/LayoutTests/TestExpectations (157297 => 157298)
--- trunk/LayoutTests/TestExpectations 2013-10-11 09:39:28 UTC (rev 157297)
+++ trunk/LayoutTests/TestExpectations 2013-10-11 09:43:56 UTC (rev 157298)
@@ -64,3 +64,5 @@
# The spec is not clear if the MediaStream ended event should be fired if stop is called on each MediaStream's track
# Skipping it for now, then put it again when the spec decides it
fast/mediastream/MediaStream-onended.html [ Skip ]
+
+webkit.org/b/121033 fast/animation/request-animation-frame-remove-client.html [ Pass Crash ]
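Review bot: `[ Pass Crash ]` accepts either outcome, so this line will neither flag the fix landing nor a later regression of the crash; that is acceptable as a placeholder tied to webkit.org/b/121033, but add a comment above it (the neighbouring MediaStream entry shows the convention) saying the crash is the debug ASSERT from this revision and that the line is to be removed when the fix lands. If the expectation syntax in use allows a build-type modifier, `[ Crash ]` for debug and `[ Pass ]` for release would be tighter, so a release build that quietly survives the use-after-free is not silently recorded as a pass.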
Added: trunk/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt (0 => 157298)
--- trunk/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt 2013-10-11 09:43:56 UTC (rev 157298)
@@ -0,0 +1,3 @@
+This test crashes.
+
+
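Review bot: the expected output "This test crashes." describes the current broken state, so this file has to be rewritten the moment the use-after-free is fixed and the `[ Pass Crash ]` expectation is dropped. Phrase it as what a passing run shows, for example "This test passes if it does not crash.", and mirror that text in the `<p>` of the .html, so flipping the expectation later is a one-line TestExpectations change.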
Property changes on: trunk/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt
___________________________________________________________________
Added: svn:mime-type
Added: svn:keywords
Added: svn:eol-style
Added: trunk/LayoutTests/fast/animation/request-animation-frame-remove-client.html (0 => 157298)
--- trunk/LayoutTests/fast/animation/request-animation-frame-remove-client.html (rev 0)
+++ trunk/LayoutTests/fast/animation/request-animation-frame-remove-client.html 2013-10-11 09:43:56 UTC (rev 157298)
@@ -0,0 +1,30 @@
+<p>This test crashes.</p>
+<iframe></iframe>
+<iframe></iframe>
+<iframe></iframe>
+<iframe></iframe>
+
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+var frame = document.querySelector("iframe");
+
+window._onload_ = function() {
+ // Convert NodeList to Array so that we can use forEach.
+ var windows = Array.prototype.slice.call(window.frames);
+ var numOutstandingCalls = windows.length - 1; // Remember we remove one client.
+ windows.forEach(function (win) {
+ win.requestAnimationFrame(function () {});
+ win.requestAnimationFrame(function () {
+ if (frame.parentNode)
+ frame.parentNode.removeChild(frame);
+ numOutstandingCalls--;
+ if (!numOutstandingCalls && window.testRunner)
+ testRunner.notifyDone();
+ });
+ });
+}
+</script>
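Review bot: `window._onload_ = function() { ... }` assigns a property the browser never dispatches; only `window.onload` is the load-event handler, so as written none of the `requestAnimationFrame` calls are ever issued and the test sits at `waitUntilDone()` until the harness times out. If the underscores are a mail-archive rewrite of `onload`, the committed file is fine; otherwise change it to `window.onload`. One smaller point: `var frame = document.querySelector("iframe")` targets only the first iframe, so whether the removed frame's own second callback runs depends on the monitor's dispatch order; the counter copes because `numOutstandingCalls` passes through 0 exactly once on the way down in either case, but a comment saying so next to `// Remember we remove one client.` would save the next reader working that out.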
Property changes on: trunk/LayoutTests/fast/animation/request-animation-frame-remove-client.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:keywords
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (157297 => 157298)
--- trunk/Source/WebCore/ChangeLog 2013-10-11 09:39:28 UTC (rev 157297)
+++ trunk/Source/WebCore/ChangeLog 2013-10-11 09:43:56 UTC (rev 157298)
@@ -1,3 +1,18 @@
+2013-10-10 Dean Jackson <[email protected]>
+
+ Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
+ http://webkit.org/b/121033
+
+ Reviewed by Darin Adler.
+
+ Add an ASSERT to detect if an animation client will be removed
+ during the callback dispatch.
+
+ Test: fast/animation/request-animation-frame-remove-client.html
+
+ * platform/graphics/DisplayRefreshMonitor.cpp:
+ (WebCore::DisplayRefreshMonitor::displayDidRefresh):
+
2013-10-11 Andreas Kling <[email protected]>
Make RenderLayer not arena-allocated.
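Review bot: the entry should say what the ASSERT does and does not achieve: it is compiled out in release builds, so it detects the removal during dispatch only in debug builds and does not address the use-after-free named in the title. A line such as "Detection only; the release-build use-after-free is still tracked in webkit.org/b/121033" keeps the ChangeLog honest about the state of the bug after this revision.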
Modified: trunk/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp (157297 => 157298)
--- trunk/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp 2013-10-11 09:39:28 UTC (rev 157297)
+++ trunk/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp 2013-10-11 09:43:56 UTC (rev 157298)
@@ -105,8 +105,11 @@
Vector<DisplayRefreshMonitorClient*> clients;
copyToVector(m_clients, clients);
- for (size_t i = 0; i < clients.size(); ++i)
- clients[i]->fireDisplayRefreshIfNeeded(monotonicAnimationStartTime);
+ for (size_t i = 0; i < clients.size(); ++i) {
+ DisplayRefreshMonitorClient* client = clients[i];
+ ASSERT(m_clients.contains(client));
+ client->fireDisplayRefreshIfNeeded(monotonicAnimationStartTime);
+ }
{
MutexLocker lock(m_mutex);
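Review bot: the ASSERT only detects the problem in debug builds; in release builds it compiles out and `client->fireDisplayRefreshIfNeeded(monotonicAnimationStartTime)` is still invoked on an entry of the `clients` snapshot that an earlier callback in this same loop may have removed from `m_clients` and freed, so the use-after-free in the title is unchanged by this hunk. The minimal release-safe form skips the stale entry instead of only asserting on it, `if (!m_clients.contains(client)) continue;` (the ASSERT can stay if removal mid-dispatch is considered a programming error), or better, holds a reference to each client across the call so the callback cannot free it. Two caveats on the check itself: `m_clients.contains(client)` compares pointers, so a client freed and replaced by a new one at the same address during the dispatch would pass it; and it reads `m_clients` inside the loop, outside the `MutexLocker lock(m_mutex)` block that follows, so if `m_clients` is guarded by `m_mutex` this read needs the lock too.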
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes