Title: [183132] branches/safari-600.7-branch
Revision
183132
Author
[email protected]
Date
2015-04-22 13:55:46 -0700 (Wed, 22 Apr 2015)

Log Message

Merged r181656. <rdar://problem/20545362>

Modified Paths

Diff

Modified: branches/safari-600.7-branch/LayoutTests/ChangeLog (183131 => 183132)


--- branches/safari-600.7-branch/LayoutTests/ChangeLog	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/LayoutTests/ChangeLog	2015-04-22 20:55:46 UTC (rev 183132)
@@ -1,3 +1,20 @@
+2015-04-22  Matthew Hanson  <[email protected]>
+
+        Merge r181656. rdar://problem/20545362
+
+    2015-03-17  Timothy Horton  <[email protected]>
+
+            Reproducible null deref under ScriptedAnimationController::createDisplayRefreshMonitor
+            https://bugs.webkit.org/show_bug.cgi?id=142776
+            <rdar://problem/18921338>
+
+            Reviewed by Alexey Proskuryakov.
+
+            * fast/animation/request-animation-frame-unparented-iframe-crash-expected.txt: Added.
+            * fast/animation/request-animation-frame-unparented-iframe-crash.html: Added.
+            Add a test that ensures that calling requestAnimationFrame on a recently-unparented
+            frame doesn't crash.
+
 2015-04-17  Lucas Forschler  <[email protected]>
 
     Rollout r182965

Modified: branches/safari-600.7-branch/Source/WebCore/ChangeLog (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/ChangeLog	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/ChangeLog	2015-04-22 20:55:46 UTC (rev 183132)
@@ -1,5 +1,68 @@
 2015-04-22  Matthew Hanson  <[email protected]>
 
+        Merge r181656. rdar://problem/20545362
+
+    2015-03-17  Timothy Horton  <[email protected]>
+
+            Reproducible null deref under ScriptedAnimationController::createDisplayRefreshMonitor
+            https://bugs.webkit.org/show_bug.cgi?id=142776
+            <rdar://problem/18921338>
+
+            Reviewed by Alexey Proskuryakov.
+
+            Test: fast/animation/request-animation-frame-unparented-iframe-crash.html
+
+            In some cases (like the new test), we can end up trying to start
+            requestAnimationFrame on a Document that has no Page. Most paths null-checked
+            the Page and did the right thing, but one failed to do so. In addition,
+            the current fallback (when Page is null) can result in us constructing
+            the wrong kind of DisplayRefreshMonitor, which could lead to trouble
+            down the road when it's reused. Instead, just completely avoid making a
+            DisplayRefreshMonitor in the null-page case.
+
+            * dom/ScriptedAnimationController.cpp:
+            (WebCore::ScriptedAnimationController::createDisplayRefreshMonitor):
+            If the page is null, bail.
+
+            * dom/ScriptedAnimationController.h:
+            * platform/graphics/DisplayRefreshMonitor.cpp:
+            (WebCore::DisplayRefreshMonitor::create):
+            Use Optional<> to make it easy to distinguish between ChromeClient
+            being unreachable (because we don't have a Page for some reason) and
+            ChromeClient declaring that it doesn't want to override the type of
+            DisplayRefreshMonitor that is created.
+
+            If ChromeClient was unreachable for some reason, we'll get back an engaged
+            nullptr and return it (instead of creating a DisplayRefreshMonitor based
+            on the platform). This avoids creating the wrong type of DisplayRefreshMonitor
+            in the rare case where we can't reach the ChromeClient (e.g. a freshly unparented
+            IFrame).
+
+            If instead the client returns a disengaged Nullopt, we'll interpret that as
+            "construct the default type", which falls back on the platform #ifdefs to
+            decide what to make.
+
+            * platform/graphics/DisplayRefreshMonitorManager.cpp:
+            (WebCore::DisplayRefreshMonitorManager::ensureMonitorForClient):
+            (WebCore::DisplayRefreshMonitorManager::scheduleAnimation):
+            Silently handle the case where we failed to make a DisplayRefreshMonitor.
+
+            * platform/graphics/DisplayRefreshMonitor.h:
+            * platform/graphics/DisplayRefreshMonitorClient.h:
+            * platform/graphics/GraphicsLayerUpdater.cpp:
+            (WebCore::GraphicsLayerUpdater::createDisplayRefreshMonitor):
+            * platform/graphics/GraphicsLayerUpdater.h:
+            * rendering/RenderLayerCompositor.cpp:
+            (WebCore::RenderLayerCompositor::createDisplayRefreshMonitor):
+            * rendering/RenderLayerCompositor.h:
+            Adjust to the new signature of createDisplayRefreshMonitor, and return
+            an engaged (nullptr) Optional if we can't get to ChromeClient for any reason.
+
+            * page/ChromeClient.h:
+            Return Nullopt (indicating a lack of override) by default.
+
+2015-04-22  Matthew Hanson  <[email protected]>
+
         Merge r180520. rdar://problem/20545427
 
     2015-02-22  Dean Jackson  <[email protected]>

Modified: branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -226,9 +226,11 @@
 
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-PassRefPtr<DisplayRefreshMonitor> ScriptedAnimationController::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
+Optional<RefPtr<DisplayRefreshMonitor>> ScriptedAnimationController::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
 {
-    return m_document->page()->chrome().client().createDisplayRefreshMonitor(displayID);
+    if (!m_document->page())
+        return Optional<RefPtr<DisplayRefreshMonitor>>(nullptr);
+    return Optional<RefPtr<DisplayRefreshMonitor>>(m_document->page()->chrome().client().createDisplayRefreshMonitor(displayID));
 }
 #endif
 
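Review bot: `m_document->page()` is evaluated twice in the new body, once for the guard and again on the return line, and the value returned by ChromeClient's `createDisplayRefreshMonitor` (already an `Optional<RefPtr<DisplayRefreshMonitor>>` per the ChromeClient.h hunk in this commit) is re-wrapped in an `Optional` constructor, which is a redundant copy. Caching the pointer matches the RenderLayerCompositor override touched by the same commit and makes the guard read as the fix it is: `Page* page = m_document->page(); if (!page) return Optional<RefPtr<DisplayRefreshMonitor>>(nullptr); return page->chrome().client().createDisplayRefreshMonitor(displayID);`. The same redundant wrap appears in RenderLayerCompositor.cpp (`return Optional<RefPtr<DisplayRefreshMonitor>>(page->chrome().client()...)`), where the plain return suffices as GraphicsLayerUpdater.cpp already does. `m_document` itself is still dereferenced unconditionally; whether it can be null at this point is not visible in this hunk.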

Modified: branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/dom/ScriptedAnimationController.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -91,7 +91,7 @@
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
     // Override for DisplayRefreshMonitorClient
     virtual void displayRefreshFired(double timestamp) override;
-    virtual PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const override;
+    virtual Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const override;
 
     bool m_isUsingTimer;
     bool m_isThrottled;

Modified: branches/safari-600.7-branch/Source/WebCore/page/ChromeClient.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/page/ChromeClient.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/page/ChromeClient.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -39,6 +39,7 @@
 #include "WebCoreKeyboardUIMode.h"
 #include <runtime/ConsoleTypes.h>
 #include <wtf/Forward.h>
+#include <wtf/Optional.h>
 #include <wtf/PassOwnPtr.h>
 #include <wtf/Vector.h>
 
@@ -295,7 +296,7 @@
     virtual GraphicsLayerFactory* graphicsLayerFactory() const { return nullptr; }
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-    virtual PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const { return nullptr; }
+    virtual Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const { return Nullopt; }
 #endif
 
     // Pass 0 as the GraphicsLayer to detatch the root layer.
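Review bot: The default implementation now returns `Nullopt`, but the meaning of the two return states is documented only in DisplayRefreshMonitorClient.h, not on this overridable hook that ports implement. A comment above the declaration would keep the contract next to the default it relies on, e.g. `// Nullopt means "no override": WebCore creates the platform-default monitor. An engaged nullptr means "do not create a monitor".` Without it a port author reading only ChromeClient.h cannot tell why `Nullopt` rather than `nullptr` is the right default.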

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -35,13 +35,15 @@
 
 namespace WebCore {
 
-PassRefPtr<DisplayRefreshMonitor> DisplayRefreshMonitor::create(DisplayRefreshMonitorClient* client)
+RefPtr<DisplayRefreshMonitor> DisplayRefreshMonitor::create(DisplayRefreshMonitorClient* client)
 {
     PlatformDisplayID displayID = client->displayID();
 
-    if (RefPtr<DisplayRefreshMonitor> monitor = client->createDisplayRefreshMonitor(displayID))
-        return monitor.release();
+    if (Optional<RefPtr<DisplayRefreshMonitor>> monitor = client->createDisplayRefreshMonitor(displayID))
+        return monitor.value();
 
+    // If ChromeClient returned Nullopt, we'll go ahead and make one of the default type.
+
 #if PLATFORM(MAC)
     return DisplayRefreshMonitorMac::create(displayID);
 #endif
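Review bot: The comment at `// If ChromeClient returned Nullopt, we'll go ahead and make one of the default type.` describes only the fall-through case, while the `if` just above it also returns early when the client handed back an engaged nullptr, which is the new "no Page, create nothing" path this commit introduces and the one a maintainer is most likely to misread as a bug. Suggest replacing it with `// An engaged Optional is returned as-is: either the client's own monitor, or nullptr meaning "do not create one" (e.g. no Page). Nullopt means the client has no override, so make the platform default below.` Separately, `return monitor.value();` copies the RefPtr out of a local that is about to be destroyed (a ref-count increment/decrement pair); moving it out with `WTF::move(monitor.value())` avoids that. The function continues past the hunk with the remaining platform `#if` blocks.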

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitor.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -41,7 +41,7 @@
 
 class DisplayRefreshMonitor : public RefCounted<DisplayRefreshMonitor> {
 public:
-    static PassRefPtr<DisplayRefreshMonitor> create(DisplayRefreshMonitorClient*);
+    static RefPtr<DisplayRefreshMonitor> create(DisplayRefreshMonitorClient*);
     virtual ~DisplayRefreshMonitor();
     
     // Return true if callback request was scheduled, false if it couldn't be

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorClient.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorClient.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorClient.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -29,6 +29,7 @@
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
 
 #include "PlatformScreen.h"
+#include <wtf/Optional.h>
 
 namespace WebCore {
 
@@ -43,7 +44,10 @@
     // Always called on the main thread.
     virtual void displayRefreshFired(double timestamp) = 0;
 
-    virtual PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const = 0;
+    // Returning nullopt indicates that WebCore should create whatever DisplayRefreshMonitor it deems
+    // most appropriate for the current platform. Returning nullptr indicates that we should not try to
+    // create a DisplayRefreshMonitor at all (and should instead fall back to using a timer).
+    virtual Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const = 0;
 
     PlatformDisplayID displayID() const { return m_displayID; }
     bool hasDisplayID() const { return m_displayIDIsSet; }
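Review bot: The new comment says `Returning nullopt`, but the identifier actually returned throughout this commit is WTF's `Nullopt` (see the ChromeClient.h default), so the comment should read `// Returning Nullopt indicates that WebCore should create whatever DisplayRefreshMonitor it deems` to match what a reader will grep for. The comment also states that a nullptr result leads to a timer fallback; this diff only shows DisplayRefreshMonitorManager returning false or nullptr in that case, so the fallback, if it exists, lives in callers not visible here and the comment would be safer phrased as an expectation on callers rather than a guarantee of this interface.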

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -44,7 +44,7 @@
     return manager.get();
 }
 
-DisplayRefreshMonitor* DisplayRefreshMonitorManager::ensureMonitorForClient(DisplayRefreshMonitorClient* client)
+DisplayRefreshMonitor* DisplayRefreshMonitorManager::createMonitorForClient(DisplayRefreshMonitorClient* client)
 {
     PlatformDisplayID clientDisplayID = client->displayID();
     for (const RefPtr<DisplayRefreshMonitor>& monitor : m_monitors) {
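Review bot: The rename from `ensureMonitorForClient` to `createMonitorForClient` is misleading given the visible loop over `m_monitors` that appears to look up an existing monitor for the client's display before anything is created, and given that the function can now also return nullptr (see the added `if (!monitor) return nullptr;` two hunks down). Either keep the `ensure` name or document the contract at the definition, e.g. `// Returns the monitor for the client's display, creating one if none exists; nullptr if no monitor can be created (e.g. the client has no Page).` The function body continues outside this hunk.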
@@ -55,6 +55,8 @@
     }
 
     RefPtr<DisplayRefreshMonitor> monitor = DisplayRefreshMonitor::create(client);
+    if (!monitor)
+        return nullptr;
     monitor->addClient(client);
     DisplayRefreshMonitor* result = monitor.get();
     m_monitors.append(monitor.release());
@@ -66,7 +68,7 @@
     if (!client->hasDisplayID())
         return;
 
-    ensureMonitorForClient(client);
+    createMonitorForClient(client);
 }
 
 void DisplayRefreshMonitorManager::unregisterClient(DisplayRefreshMonitorClient* client)
@@ -92,7 +94,9 @@
     if (!client->hasDisplayID())
         return false;
 
-    DisplayRefreshMonitor* monitor = ensureMonitorForClient(client);
+    DisplayRefreshMonitor* monitor = createMonitorForClient(client);
+    if (!monitor)
+        return false;
 
     client->setIsScheduled(true);
     return monitor->requestRefreshCallback();

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -54,7 +54,7 @@
     DisplayRefreshMonitorManager() { }
     virtual ~DisplayRefreshMonitorManager();
 
-    DisplayRefreshMonitor* ensureMonitorForClient(DisplayRefreshMonitorClient*);
+    DisplayRefreshMonitor* createMonitorForClient(DisplayRefreshMonitorClient*);
 
     Vector<RefPtr<DisplayRefreshMonitor>> m_monitors;
 };

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -79,9 +79,11 @@
 }
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-PassRefPtr<DisplayRefreshMonitor> GraphicsLayerUpdater::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
+Optional<RefPtr<DisplayRefreshMonitor>> GraphicsLayerUpdater::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
 {
-    return m_client ? m_client->createDisplayRefreshMonitor(displayID) : nullptr;
+    if (!m_client)
+        return Optional<RefPtr<DisplayRefreshMonitor>>(nullptr);
+    return m_client->createDisplayRefreshMonitor(displayID);
 }
 #endif
 

Modified: branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/platform/graphics/GraphicsLayerUpdater.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -38,7 +38,7 @@
     virtual ~GraphicsLayerUpdaterClient() { }
     virtual void flushLayersSoon(GraphicsLayerUpdater*) = 0;
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-    virtual PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const = 0;
+    virtual Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const = 0;
 #endif
 };
 
@@ -55,7 +55,7 @@
     void screenDidChange(PlatformDisplayID);
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-    virtual PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const override;
+    virtual Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const override;
 #endif
 
 private:

Modified: branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -4034,14 +4034,14 @@
 }
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-PassRefPtr<DisplayRefreshMonitor> RenderLayerCompositor::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
+Optional<RefPtr<DisplayRefreshMonitor>> RenderLayerCompositor::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
 {
     Frame& frame = m_renderView.frameView().frame();
     Page* page = frame.page();
     if (!page)
-        return nullptr;
+        return Optional<RefPtr<DisplayRefreshMonitor>>(nullptr);
 
-    return page->chrome().client().createDisplayRefreshMonitor(displayID);
+    return Optional<RefPtr<DisplayRefreshMonitor>>(page->chrome().client().createDisplayRefreshMonitor(displayID));
 }
 #endif
 

Modified: branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebCore/rendering/RenderLayerCompositor.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -390,7 +390,7 @@
     ScrollingCoordinator* scrollingCoordinator() const;
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-    PassRefPtr<DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const;
+    Optional<RefPtr<DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const;
 #endif
 
     bool requiresCompositingForAnimation(RenderLayerModelObject&) const;

Modified: branches/safari-600.7-branch/Source/WebKit2/ChangeLog (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebKit2/ChangeLog	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebKit2/ChangeLog	2015-04-22 20:55:46 UTC (rev 183132)
@@ -1,5 +1,22 @@
 2015-04-22  Matthew Hanson  <[email protected]>
 
+        Merge r181656. rdar://problem/20545362
+
+    2015-03-17  Timothy Horton  <[email protected]>
+
+            Reproducible null deref under ScriptedAnimationController::createDisplayRefreshMonitor
+            https://bugs.webkit.org/show_bug.cgi?id=142776
+            <rdar://problem/18921338>
+
+            Reviewed by Alexey Proskuryakov.
+
+            * WebProcess/WebCoreSupport/WebChromeClient.cpp:
+            (WebKit::WebChromeClient::createDisplayRefreshMonitor):
+            * WebProcess/WebCoreSupport/WebChromeClient.h:
+            Adjust to the new signature.
+
+2015-04-22  Matthew Hanson  <[email protected]>
+
         Merge r174288. rdar://problem/20368461
 
     2014-10-03  Jer Noble  <[email protected]>

Modified: branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp	2015-04-22 20:55:46 UTC (rev 183132)
@@ -812,9 +812,9 @@
 }
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-PassRefPtr<WebCore::DisplayRefreshMonitor> WebChromeClient::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
+Optional<RefPtr<WebCore::DisplayRefreshMonitor>> WebChromeClient::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
 {
-    return m_page->drawingArea()->createDisplayRefreshMonitor(displayID);
+    return Optional<RefPtr<WebCore::DisplayRefreshMonitor>>(m_page->drawingArea()->createDisplayRefreshMonitor(displayID));
 }
 #endif
 
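Review bot: `m_page->drawingArea()` is dereferenced unconditionally on the return line, while the other `createDisplayRefreshMonitor` overrides in this commit gained a null guard on exactly this kind of lookup (ScriptedAnimationController's `page()`, RenderLayerCompositor's `frame.page()`). Whether a WebPage's drawing area can be null when requestAnimationFrame is started is not visible here; if it can (page teardown is the usual case — confirm), the same engaged-nullptr convention applies: `if (!m_page->drawingArea()) return Optional<RefPtr<WebCore::DisplayRefreshMonitor>>(nullptr);` before the existing return. Whether the explicit `Optional<...>(...)` wrap is needed depends on DrawingArea::createDisplayRefreshMonitor's return type, which this diff does not show.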

Modified: branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.h (183131 => 183132)


--- branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.h	2015-04-22 20:55:36 UTC (rev 183131)
+++ branches/safari-600.7-branch/Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.h	2015-04-22 20:55:46 UTC (rev 183132)
@@ -217,7 +217,7 @@
     virtual bool adjustLayerFlushThrottling(WebCore::LayerFlushThrottleState::Flags) override;
 
 #if USE(REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR)
-    virtual PassRefPtr<WebCore::DisplayRefreshMonitor> createDisplayRefreshMonitor(PlatformDisplayID) const override;
+    virtual Optional<RefPtr<WebCore::DisplayRefreshMonitor>> createDisplayRefreshMonitor(PlatformDisplayID) const override;
 #endif
 
     virtual CompositingTriggerFlags allowedCompositingTriggers() const