Title: [158165] branches/safari-537.73-branch
- Revision
- 158165
- Author
- [email protected]
- Date
- 2013-10-28 20:10:48 -0700 (Mon, 28 Oct 2013)
Log Message
Merged r157298. <rdar://problem/15292359>
Modified Paths
Added Paths
Diff
Modified: branches/safari-537.73-branch/LayoutTests/ChangeLog (158164 => 158165)
--- branches/safari-537.73-branch/LayoutTests/ChangeLog 2013-10-29 03:05:08 UTC (rev 158164)
+++ branches/safari-537.73-branch/LayoutTests/ChangeLog 2013-10-29 03:10:48 UTC (rev 158165)
@@ -1,5 +1,23 @@
2013-10-28 Lucas Forschler <[email protected]>
+ Merge r157298
+
+ 2013-10-10 Dean Jackson <[email protected]>
+
+ Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
+ http://webkit.org/b/121033
+
+ Reviewed by Darin Adler.
+
+ Test that assertion fires if you try to remove potential client while in a
+ animation dispatch.
+
+ * TestExpectations: Mark test as crashing.
+ * fast/animation/request-animation-frame-remove-client-expected.txt: Added.
+ * fast/animation/request-animation-frame-remove-client.html: Added.
+
+2013-10-28 Lucas Forschler <[email protected]>
+
Merge r155554
2013-09-11 Myles C. Maxfield <[email protected]>
Modified: branches/safari-537.73-branch/LayoutTests/TestExpectations (158164 => 158165)
--- branches/safari-537.73-branch/LayoutTests/TestExpectations 2013-10-29 03:05:08 UTC (rev 158164)
+++ branches/safari-537.73-branch/LayoutTests/TestExpectations 2013-10-29 03:10:48 UTC (rev 158165)
@@ -16,4 +16,6 @@
# media/W3C/video/networkState/networkState_during_progress.html is flaky
webkit.org/b/76280 media/W3C/video/networkState/networkState_during_progress.html [ Pass Failure ]
-webkit.org/b/118301 fast/dom/timer-throttling-hidden-page.html [ Skip ]
\ No newline at end of file
+webkit.org/b/118301 fast/dom/timer-throttling-hidden-page.html [ Skip ]
+
+webkit.org/b/121033 fast/animation/request-animation-frame-remove-client.html [ Pass Crash ]
\ No newline at end of file
Copied: branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt (from rev 157298, trunk/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt) (0 => 158165)
--- branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client-expected.txt 2013-10-29 03:10:48 UTC (rev 158165)
@@ -0,0 +1,3 @@
+This test crashes.
+
+
Copied: branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client.html (from rev 157298, trunk/LayoutTests/fast/animation/request-animation-frame-remove-client.html) (0 => 158165)
--- branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client.html (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/animation/request-animation-frame-remove-client.html 2013-10-29 03:10:48 UTC (rev 158165)
@@ -0,0 +1,30 @@
+<p>This test crashes.</p>
+<iframe></iframe>
+<iframe></iframe>
+<iframe></iframe>
+<iframe></iframe>
+
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+var frame = document.querySelector("iframe");
+
+window._onload_ = function() {
+ // Convert NodeList to Array so that we can use forEach.
+ var windows = Array.prototype.slice.call(window.frames);
+ var numOutstandingCalls = windows.length - 1; // Remember we remove one client.
+ windows.forEach(function (win) {
+ win.requestAnimationFrame(function () {});
+ win.requestAnimationFrame(function () {
+ if (frame.parentNode)
+ frame.parentNode.removeChild(frame);
+ numOutstandingCalls--;
+ if (!numOutstandingCalls && window.testRunner)
+ testRunner.notifyDone();
+ });
+ });
+}
+</script>
Modified: branches/safari-537.73-branch/Source/WebCore/ChangeLog (158164 => 158165)
--- branches/safari-537.73-branch/Source/WebCore/ChangeLog 2013-10-29 03:05:08 UTC (rev 158164)
+++ branches/safari-537.73-branch/Source/WebCore/ChangeLog 2013-10-29 03:10:48 UTC (rev 158165)
@@ -1,5 +1,24 @@
2013-10-28 Lucas Forschler <[email protected]>
+ Merge r157298
+
+ 2013-10-10 Dean Jackson <[email protected]>
+
+ Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
+ http://webkit.org/b/121033
+
+ Reviewed by Darin Adler.
+
+ Add an ASSERT to detect if an animation client will be removed
+ during the callback dispatch.
+
+ Test: fast/animation/request-animation-frame-remove-client.html
+
+ * platform/graphics/DisplayRefreshMonitor.cpp:
+ (WebCore::DisplayRefreshMonitor::displayDidRefresh):
+
+2013-10-28 Lucas Forschler <[email protected]>
+
Merge r155554
2013-09-11 Myles C. Maxfield <[email protected]>
Modified: branches/safari-537.73-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp (158164 => 158165)
--- branches/safari-537.73-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp 2013-10-29 03:05:08 UTC (rev 158164)
+++ branches/safari-537.73-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp 2013-10-29 03:10:48 UTC (rev 158165)
@@ -109,8 +109,11 @@
Vector<DisplayRefreshMonitorClient*> clients;
copyToVector(m_clients, clients);
- for (size_t i = 0; i < clients.size(); ++i)
- clients[i]->fireDisplayRefreshIfNeeded(monotonicAnimationStartTime);
+ for (size_t i = 0; i < clients.size(); ++i) {
+ DisplayRefreshMonitorClient* client = clients[i];
+ ASSERT(m_clients.contains(client));
+ client->fireDisplayRefreshIfNeeded(monotonicAnimationStartTime);
+ }
{
MutexLocker lock(m_mutex);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
