Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 70f0eae33d9394e02711e2ac512891d3fe56eaf8
    https://github.com/WebKit/WebKit/commit/70f0eae33d9394e02711e2ac512891d3fe56eaf8
Author: Alan Baradlay <za...@apple.com>
Date: 2024-07-09 (Tue, 09 Jul 2024)

Changed paths:
    A LayoutTests/fast/dynamic/replacement-destroys-page-crash-expected.txt
    A LayoutTests/fast/dynamic/replacement-destroys-page-crash.html
    M Source/WebCore/page/LocalFrameView.cpp

Log Message:
-----------
WebCore::LocalFrameView::removeViewportConstrainedObject crash while destroying Page
https://bugs.webkit.org/show_bug.cgi?id=276342
<rdar://131320346>

Reviewed by Wenson Hsieh.

1. ReplacementFragment creates a short-lived Page object on the stack to sanitize content (see createPageForSanitizingWebContent)
2. When this Page goes out of scope, as part of the destruction process we run certain cleanup steps (see various willBeDestroyed functions).

Normally these cleanup steps are initiated by navigating away from documents (i.e. loading new pages).
For regular Pages by the time we get to Page's d'tor (if ever), we already finished running these steps.

* LocalFrameView::removeViewportConstrainedObject: page->chrome().client() points to empty chrome client in this case (temp Page is constructed using pageConfigurationWithEmptyClients())

* LayoutTests/fast/dynamic/replacement-destroys-page-crash-expected.txt: Added.
* LayoutTests/fast/dynamic/replacement-destroys-page-crash.html: Added.

Canonical link: https://commits.webkit.org/280779@main