Changeset 172112 in webkit

Timestamp:

Aug 5, 2014, 5:54:04 PM (12 years ago)

Author:

Simon Fraser

Message:

[iOS WK2] Crash going back on a specific tumblr blog (under ScrollingStateTree::removeNodeAndAllDescendants)
​https://bugs.webkit.org/show_bug.cgi?id=135629
<rdar://problem/17802174>

Reviewed by Tim Horton.

Source/WebCore:

In r170198 I added an "orphan scrolling nodes" code path that sets aside subtrees
of scrolling nodes into an m_orphanedSubframeNodes map, which keeps them alive until
they get reparented or destroyed. The nodes in that subtree remain in m_stateNodeMap,
which holds raw pointers to them.

However, ScrollingStateTree::commit() can clear m_orphanedSubframeNodes, which is
sometimes non-empty at this point. When that happened, we would destroy nodes which
were still referenced by m_stateNodeMap, with the result that a later query for the
same nodeID would hand back a pointer to a deleted object.

Fix by calling recursiveNodeWillBeRemoved() on nodes in the m_orphanedSubframeNodes
before clearing it, which removes them and all their descendants from the state node map.

Test: platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html

• page/scrolling/ScrollingStateTree.cpp:

(WebCore::ScrollingStateTree::clear):
(WebCore::ScrollingStateTree::commit):

LayoutTests:

Testcase with nesting of frames inside fixed inside frames, where a subframe disconnects
part of the scrolling tree.

• platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree-expected.txt: Added.
• platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html: Added.
• platform/mac-wk2/tiled-drawing/scrolling/frames/resources/leaf-frame.html: Added.
• platform/mac-wk2/tiled-drawing/scrolling/frames/resources/subframe-inside-fixed.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree-expected.txt (added)
• LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html (added)
• LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/frames/resources/leaf-frame.html (added)
• LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/frames/resources/subframe-inside-fixed.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/scrolling/ScrollingStateTree.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-08-05  Simon Fraser  <simon.fraser@apple.com>
+
+        [iOS WK2] Crash going back on a specific tumblr blog (under ScrollingStateTree::removeNodeAndAllDescendants)
+        https://bugs.webkit.org/show_bug.cgi?id=135629
+        <rdar://problem/17802174>
+
+        Reviewed by Tim Horton.
+        
+        Testcase with nesting of frames inside fixed inside frames, where a subframe disconnects
+        part of the scrolling tree.
+
+        * platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree-expected.txt: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/frames/resources/leaf-frame.html: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/frames/resources/subframe-inside-fixed.html: Added.
+
 2014-08-05  Andreas Kling  <akling@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-08-05  Simon Fraser  <simon.fraser@apple.com>
+
+        [iOS WK2] Crash going back on a specific tumblr blog (under ScrollingStateTree::removeNodeAndAllDescendants)
+        https://bugs.webkit.org/show_bug.cgi?id=135629
+        <rdar://problem/17802174>
+
+        Reviewed by Tim Horton.
+        
+        In r170198 I added an "orphan scrolling nodes" code path that sets aside subtrees
+        of scrolling nodes into an m_orphanedSubframeNodes map, which keeps them alive until
+        they get reparented or destroyed. The nodes in that subtree remain in m_stateNodeMap,
+        which holds raw pointers to them.
+        
+        However, ScrollingStateTree::commit() can clear m_orphanedSubframeNodes, which is
+        sometimes non-empty at this point. When that happened, we would destroy nodes which
+        were still referenced by m_stateNodeMap, with the result that a later query for the
+        same nodeID would hand back a pointer to a deleted object.
+        
+        Fix by calling recursiveNodeWillBeRemoved() on nodes in the m_orphanedSubframeNodes
+        before clearing it, which removes them and all their descendants from the state node map.
+
+        Test: platform/mac-wk2/tiled-drawing/scrolling/frames/orphaned-subtree.html
+
+        * page/scrolling/ScrollingStateTree.cpp:
+        (WebCore::ScrollingStateTree::clear):
+        (WebCore::ScrollingStateTree::commit):
+
 2014-08-05  Peyton Randolph  <prandolph@apple.com>
 

trunk/Source/WebCore/page/scrolling/ScrollingStateTree.cpp

@@ -153 +153 @@
         removeNodeAndAllDescendants(rootStateNode());
 
-    ASSERT(m_stateNodeMap.isEmpty());
     m_stateNodeMap.clear();
     m_orphanedSubframeNodes.clear();
@@ -160 +159 @@
 PassOwnPtr<ScrollingStateTree> ScrollingStateTree::commit(LayerRepresentation::Type preferredLayerRepresentation)
 {
-    m_orphanedSubframeNodes.clear();
+    if (!m_orphanedSubframeNodes.isEmpty()) {
+        // If we still have orphaned subtrees, remove them from m_stateNodeMap since they will be deleted 
+        // when clearing m_orphanedSubframeNodes.
+        for (auto& orphanNode : m_orphanedSubframeNodes.values())
+            recursiveNodeWillBeRemoved(orphanNode.get(), SubframeNodeRemoval::Delete);
+        m_orphanedSubframeNodes.clear();
+    }
 
     // This function clones and resets the current state tree, but leaves the tree structure intact.