Title: [135740] trunk
Revision
135740
Author
infe...@chromium.org
Date
2012-11-26 10:58:27 -0800 (Mon, 26 Nov 2012)

Log Message

Crash in Frame::dispatchVisibilityStateChangeEvent.
https://bugs.webkit.org/show_bug.cgi?id=102053

Reviewed by Adam Barth.

Source/WebCore:

A child frame can go away inside a webkitvisibilitychange
event handler. Store it in a ref-counted vector.

Test: fast/frames/page-visibility-crash.html

* page/Frame.cpp:
(WebCore::Frame::dispatchVisibilityStateChangeEvent):

LayoutTests:

* fast/frames/page-visibility-crash-expected.txt: Added.
* fast/frames/page-visibility-crash.html: Added.
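The hazard the log message describes, as an added example that is not WebKit's code: a minimal ref-counted frame tree in which a visibility handler removes a frame while the parent is still walking its child list. std::shared_ptr stands in for RefPtr, a sibling-linked child list stands in for FrameTree, and every name below (Frame, liveFrames, dispatchUnsafe, dispatchSnapshot, Outcome, childRemovesItself, childRemovesSibling) is hypothetical. dispatchUnsafe has the shape of the pre-fix loop, but instead of dereferencing freed memory it consults a registry of live frames and counts the reads it would have made; dispatchSnapshot is the shape of the fix.

```cpp
// Added example, not WebKit code: a tiny ref-counted frame tree reproducing the
// hazard fixed in r135740 (a visibility handler removes a frame while the parent
// is still walking its child list). std::shared_ptr stands in for RefPtr; every name is hypothetical.
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <vector>

struct Frame;
// Registry of live Frames: lets the unsafe walk detect a dangling pointer
// instead of dereferencing it (which would be undefined behaviour).
inline std::set<const Frame*>& liveFrames() { static std::set<const Frame*> s; return s; }

struct Frame {
    Frame* parent = nullptr;                         // back pointer, not owning
    std::shared_ptr<Frame> firstChild, nextSibling;  // owning links, like FrameTree's child list
    std::function<void(Frame&)> onVisibilityChange;  // stands in for the page's JS listener
    Frame() { liveFrames().insert(this); }
    ~Frame() { liveFrames().erase(this); }
    Frame* appendChild() {                           // the tree is the sole owner, like an <iframe>
        auto child = std::make_shared<Frame>();
        child->parent = this;
        std::shared_ptr<Frame>* slot = &firstChild;
        while (*slot) slot = &(*slot)->nextSibling;
        *slot = child;
        return child.get();
    }
    // Unlink child; with no other owner it is destroyed right here, mid-dispatch
    // when called from a handler (what removeChild() on the <iframe> does in the test).
    void removeChild(Frame* child) {
        std::shared_ptr<Frame>* slot = &firstChild;
        while (*slot && slot->get() != child) slot = &(*slot)->nextSibling;
        if (!*slot) return;
        std::shared_ptr<Frame> victim = std::move(*slot);
        *slot = std::move(victim->nextSibling);
        victim->parent = nullptr;
    }                                                // 'victim' released here
    bool deliver() {                                 // fire the handler; did this frame survive it?
        auto handler = onVisibilityChange;           // copy: the handler may destroy *this
        if (handler) handler(*this);
        return liveFrames().count(this) != 0;
    }
    // Pre-fix loop shape: a raw 'child' pointer is held across the handler.
    // Returns how many reads through a freed Frame the walk would have made.
    int dispatchUnsafe() {
        if (!deliver()) return 1;                    // walking our own children would read freed memory
        int uaf = 0;
        for (Frame* child = firstChild.get(); child;) {
            uaf += child->dispatchUnsafe();
            if (!liveFrames().count(child)) return uaf + 1;  // child->nextSibling is a use-after-free
            child = child->nextSibling.get();
        }
        return uaf;
    }
    // Post-fix shape: snapshot the children into owning references first, so a
    // handler that unlinks one cannot free it before the loop is done with it.
    int dispatchSnapshot() {
        if (!deliver()) return 1;                    // never taken: the caller's snapshot owns us
        std::vector<std::shared_ptr<Frame>> childFrames;
        for (std::shared_ptr<Frame> child = firstChild; child; child = child->nextSibling)
            childFrames.push_back(child);
        int uaf = 0;
        for (const auto& child : childFrames)
            uaf += child->dispatchSnapshot();        // alive here even if a handler unlinked it
        return uaf;
    }
};

struct Outcome { int uafAvoided = 0; int removedFrameEvents = 0; bool aliveAfterUnlink = false; };

// The layout test's scenario: the child's own handler removes the child.
inline Outcome childRemovesItself(bool useSnapshot) {
    Outcome out;
    auto root = std::make_shared<Frame>();
    Frame* f = root->appendChild();
    f->onVisibilityChange = [&out](Frame& self) {
        ++out.removedFrameEvents;
        self.parent->removeChild(&self);             // may destroy 'self' right here
        out.aliveAfterUnlink = liveFrames().count(&self) != 0;
    };
    out.uafAvoided = useSnapshot ? root->dispatchSnapshot() : root->dispatchUnsafe();
    return out;
}
// Variation: the first child's handler removes a sibling the walk has not reached yet.
inline Outcome childRemovesSibling(bool useSnapshot) {
    Outcome out;
    auto root = std::make_shared<Frame>();
    Frame* a = root->appendChild();
    Frame* b = root->appendChild();
    root->appendChild();
    a->onVisibilityChange = [&out, b](Frame& self) {
        self.parent->removeChild(b);
        out.aliveAfterUnlink = liveFrames().count(b) != 0;
    };
    b->onVisibilityChange = [&out](Frame&) { ++out.removedFrameEvents; };
    out.uafAvoided = useSnapshot ? root->dispatchSnapshot() : root->dispatchUnsafe();
    return out;
}

int main() {                                         // prints both walks' outcomes side by side
    for (bool snapshot : {false, true})
        std::cout << (snapshot ? "snapshot" : "unsafe") << " walk: would-be UAF reads="
                  << childRemovesItself(snapshot).uafAvoided << ", unlinked sibling got event="
                  << childRemovesSibling(snapshot).removedFrameEvents << "\n";
}
```

Two things are worth noticing when running it. In the self-removal case (the layout test), the unsafe walk would read freed memory twice: once when the removed frame continues walking its own children after the handler returns, and once when the parent reads `child->nextSibling`; the snapshot keeps the frame alive until `childFrames` goes out of scope, so neither read is dangling. In the sibling case the snapshot does more than fix lifetime: a sibling unlinked by an earlier handler still receives the event, which the old loop would have skipped.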

Diff

Modified: trunk/LayoutTests/ChangeLog (135739 => 135740)


--- trunk/LayoutTests/ChangeLog	2012-11-26 18:56:22 UTC (rev 135739)
+++ trunk/LayoutTests/ChangeLog	2012-11-26 18:58:27 UTC (rev 135740)
@@ -1,3 +1,13 @@
+2012-11-26  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in Frame::dispatchVisibilityStateChangeEvent.
+        https://bugs.webkit.org/show_bug.cgi?id=102053
+
+        Reviewed by Adam Barth.
+
+        * fast/frames/page-visibility-crash-expected.txt: Added.
+        * fast/frames/page-visibility-crash.html: Added.
+
 2012-11-26  Thiago Marcos P. Santos  <thiago.san...@intel.com>
 
         Import more CSS Device Adaptation layout tests

Added: trunk/LayoutTests/fast/frames/page-visibility-crash-expected.txt (0 => 135740)


--- trunk/LayoutTests/fast/frames/page-visibility-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/page-visibility-crash-expected.txt	2012-11-26 18:58:27 UTC (rev 135740)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash

Added: trunk/LayoutTests/fast/frames/page-visibility-crash.html (0 => 135740)


--- trunk/LayoutTests/fast/frames/page-visibility-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/page-visibility-crash.html	2012-11-26 18:58:27 UTC (rev 135740)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    window.testRunner.dumpAsText();
+    window.testRunner.waitUntilDone();
+}
+
+function finish() {
+    if (window.testRunner)
+        testRunner.resetPageVisibility();
+
+    document.open();
+    document.write("PASS. WebKit didn't crash");
+    document.close();
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function crash()
+{     
+    document.body.removeChild(document.getElementById("f"));
+    setTimeout("finish()", 0);
+}
+
+frame = document.createElement("iframe");
+frame.id = "f";
+document.body.appendChild(frame);
+scriptElement = frame.contentDocument.createElement("script");
+frame.contentDocument.body.appendChild(scriptElement);
+scriptElement.innerText = "function handleVisibilityChange() \
+                           { \
+                               parent.crash(); \
+                           } \
+                           document.addEventListener('webkitvisibilitychange', handleVisibilityChange, false);";
+
+if (window.testRunner)
+    testRunner.setPageVisibility("hidden");
+    
+// Many platforms don't support the page visibility api. For those, just bail out.
+setTimeout("finish()", 10);
+</script>
+</body>
+</html>
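Review bot: finish() can be entered twice in this test: crash() schedules it with `setTimeout("finish()", 0)` and the fallback `setTimeout("finish()", 10)` is still pending, so on platforms where the visibility event does fire, document.open()/document.write() and testRunner.notifyDone() run a second time. Either guard finish() with a flag or have crash() clearTimeout() the fallback timer, which also makes the intent of the 10 ms fallback explicit. Separately, the property change that follows adds svn:executable to this .html file, which looks unintended.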
Property changes on: trunk/LayoutTests/fast/frames/page-visibility-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (135739 => 135740)


--- trunk/Source/WebCore/ChangeLog	2012-11-26 18:56:22 UTC (rev 135739)
+++ trunk/Source/WebCore/ChangeLog	2012-11-26 18:58:27 UTC (rev 135740)
@@ -1,3 +1,18 @@
+2012-11-26  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in Frame::dispatchVisibilityStateChangeEvent.
+        https://bugs.webkit.org/show_bug.cgi?id=102053
+
+        Reviewed by Adam Barth.
+
+        Child frame can go away inside webkitvisibilitychange
+        event handler. Store it in a ref counted vector.
+
+        Test: fast/frames/page-visibility-crash.html
+
+        * page/Frame.cpp:
+        (WebCore::Frame::dispatchVisibilityStateChangeEvent):
+
 2012-11-26  Hurnjoo Lee  <hurnjoo....@samsung.com>
 
         [Cairo] fillRectWithColor with Color::transparent doesn't perform anything
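Review bot: the entry says the vector is ref counted but not why that matters; it should say that holding RefPtr<Frame> keeps a child that a handler removes alive until the loop has finished with it, and that a child detached by a sibling's handler consequently still receives the event. That is the behavioural change a reader of the ChangeLog needs, not just the container type.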

Modified: trunk/Source/WebCore/page/Frame.cpp (135739 => 135740)


--- trunk/Source/WebCore/page/Frame.cpp	2012-11-26 18:56:22 UTC (rev 135739)
+++ trunk/Source/WebCore/page/Frame.cpp	2012-11-26 18:58:27 UTC (rev 135740)
@@ -657,8 +657,13 @@
 {
     if (m_doc)
         m_doc->dispatchVisibilityStateChangeEvent();
+
+    Vector<RefPtr<Frame> > childFrames;
     for (Frame* child = tree()->firstChild(); child; child = child->tree()->nextSibling())
-        child->dispatchVisibilityStateChangeEvent();
+        childFrames.append(child);
+
+    for (size_t i = 0; i < childFrames.size(); ++i)
+        childFrames[i]->dispatchVisibilityStateChangeEvent();
 }
 #endif
 
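Review bot: the snapshot changes which frames receive the event, not only their lifetime. A child unlinked by an earlier sibling's handler is now still dispatched to (the RefPtr keeps it alive and only `m_doc` is checked at the top of the function), whereas the old `nextSibling()` walk would have skipped it. If that is intended, a one-line comment above `Vector<RefPtr<Frame> > childFrames;` saying that handlers may detach children and that detached ones are still delivered to would save the next reader a question; if not, skip children whose `page()` is null before calling `dispatchVisibilityStateChangeEvent()`. The case from the test, a child removing itself, is handled correctly: the frame stays alive until `childFrames` goes out of scope.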
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes