Changeset 186486 in webkit

Timestamp:

Jul 7, 2015, 6:53:42 PM (10 years ago)

Author:

Alan Bujtas

Message:

Crash when parent iframe is set to display none and the child frame is mutated the same time.
​https://bugs.webkit.org/show_bug.cgi?id=146699
rdar://problem/16207881

Reviewed by Andreas Kling.

When the parent iframe is set to display: none, we destroy the associated renderer (RenderIFrame).
However if the child frame is mutated the same time, during layout we try to access this RenderIFrame
to check whether it needs frame flattening.
This patch checks whether the parent render widget is still valid.

Source/WebCore:

Test: fast/frames/crash-display-none-iframe-during-onbeforeload.html

• page/FrameView.cpp:

(WebCore::FrameView::isInChildFrameWithFrameFlattening): rearrange early returns.

LayoutTests:

• fast/frames/crash-display-none-iframe-during-onbeforeload-expected.txt: Added.
• fast/frames/crash-display-none-iframe-during-onbeforeload.html: Added.
• fast/frames/resources/displaynone-this-during-object-beforeload.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/crash-display-none-iframe-during-onbeforeload-expected.txt (added)
• LayoutTests/fast/frames/crash-display-none-iframe-during-onbeforeload.html (added)
• LayoutTests/fast/frames/resources/displaynone-this-during-object-beforeload.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/FrameView.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-07-07  Zalan Bujtas  <zalan@apple.com>
+
+        Crash when parent iframe is set to display none and the child frame is mutated the same time.
+        https://bugs.webkit.org/show_bug.cgi?id=146699
+        rdar://problem/16207881
+
+        Reviewed by Andreas Kling.
+
+        When the parent iframe is set to display: none, we destroy the associated renderer (RenderIFrame).
+        However if the child frame is mutated the same time, during layout we try to access this RenderIFrame
+        to check whether it needs frame flattening.
+        This patch checks whether the parent render widget is still valid.
+
+        * fast/frames/crash-display-none-iframe-during-onbeforeload-expected.txt: Added.
+        * fast/frames/crash-display-none-iframe-during-onbeforeload.html: Added.
+        * fast/frames/resources/displaynone-this-during-object-beforeload.html: Added.
+
 2015-07-07  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-07-07  Zalan Bujtas  <zalan@apple.com>
+
+        Crash when parent iframe is set to display none and the child frame is mutated the same time.
+        https://bugs.webkit.org/show_bug.cgi?id=146699
+        rdar://problem/16207881
+
+        Reviewed by Andreas Kling.
+
+        When the parent iframe is set to display: none, we destroy the associated renderer (RenderIFrame).
+        However if the child frame is mutated the same time, during layout we try to access this RenderIFrame
+        to check whether it needs frame flattening.
+        This patch checks whether the parent render widget is still valid.
+
+        Test: fast/frames/crash-display-none-iframe-during-onbeforeload.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::isInChildFrameWithFrameFlattening): rearrange early returns.
+
 2015-07-06  Matt Rajca  <mrajca@apple.com>
 

trunk/Source/WebCore/page/FrameView.cpp

@@ -3725 +3725 @@
 bool FrameView::isInChildFrameWithFrameFlattening() const
 {
-    if (!parent() || !frame().ownerElement())
+    if (!frameFlatteningEnabled())
+        return false;
+
+    if (!parent())
+        return false;
+
+    HTMLFrameOwnerElement* ownerElement = frame().ownerElement();
+    if (!ownerElement)
+        return false;
+
+    if (!ownerElement->renderWidget())
         return false;
 
     // Frame flattening applies when the owner element is either in a frameset or
     // an iframe with flattening parameters.
-    if (is<HTMLIFrameElement>(*frame().ownerElement())) {
-        RenderIFrame& iframeRenderer = downcast<RenderIFrame>(*frame().ownerElement()->renderWidget());
-        if (iframeRenderer.flattenFrame())
-            return true;
-    }
-
-    if (!frameFlatteningEnabled())
-        return false;
-
-    if (is<HTMLFrameElement>(*frame().ownerElement()))
+    if (is<HTMLIFrameElement>(*ownerElement))
+        return downcast<RenderIFrame>(*ownerElement->renderWidget()).flattenFrame();
+
+    if (is<HTMLFrameElement>(*ownerElement))
         return true;