Changeset 196717 in webkit

Timestamp:

Feb 17, 2016, 1:27:02 PM (9 years ago)

Author:

Simon Fraser

Message:

PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache
​https://bugs.webkit.org/show_bug.cgi?id=148182

Reviewed by Brent Fulgham.
Source/WebCore:

When handling Command-arrow key while showing a scrollable PDF, the timing of PDFPlugin
teardown and navigation could result in PDFPlugin::destroy() getting the wrong FrameView,
so the old FrameView was left with a stale pointer in its scrollableAreaSet.

Fix this by adding an explicit willDetatchRenderer() which is called on the plugin
before the Frame gets a new FrameView.

Also narrow the scope of the RefPtr<Widget> in HTMLPlugInElement::defaultEventHandler()
so that the Widget is not kept alive over a possible navigation.

I was unable to make an automated test, because reproducing the bug requires handling
a Command-arrow key event in a way that the last ref to a Widget is held over the event
handling, and this wasn't possible in an iframe.

• html/HTMLPlugInElement.cpp:

(WebCore::HTMLPlugInElement::defaultEventHandler):

• html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::willDetachRenderers):

• plugins/PluginViewBase.h:

(WebCore::PluginViewBase::willDetatchRenderer):

• style/StyleTreeResolver.cpp:

(WebCore::Style::detachRenderTree): Drive-by nullptr.

Source/WebKit2:

When handling Command-arrow key while showing a scrollable PDF, the timing of PDFPlugin
teardown and navigation could result in PDFPlugin::destroy() getting the wrong FrameView,
so the old FrameView was left with a stale pointer in its scrollableAreaSet.

Fix this by adding an explicit willDetatchRenderer() which is called on the plugin
before the Frame gets a new FrameView.

Also narrow the scope of the RefPtr<Widget> in HTMLPlugInElement::defaultEventHandler()
so that the Widget is not kept alive over a possible navigation.

I was unable to make an automated test, because reproducing the bug requires handling
a Command-arrow key event in a way that the last ref to a Widget is held over the event
handling, and this wasn't possible in an iframe.

• WebProcess/Plugins/PDF/DeprecatedPDFPlugin.h:
• WebProcess/Plugins/PDF/DeprecatedPDFPlugin.mm:

(WebKit::PDFPlugin::willDetatchRenderer):

• WebProcess/Plugins/Plugin.h:

(WebKit::Plugin::willDetatchRenderer):

• WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::willDetatchRenderer):

• WebProcess/Plugins/PluginView.h:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/html/HTMLPlugInElement.cpp (modified) (1 diff)
• WebCore/html/HTMLPlugInImageElement.cpp (modified) (1 diff)
• WebCore/plugins/PluginViewBase.h (modified) (1 diff)
• WebCore/style/StyleTreeResolver.cpp (modified) (1 diff)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/Plugins/PDF/DeprecatedPDFPlugin.h (modified) (1 diff)
• WebKit2/WebProcess/Plugins/PDF/DeprecatedPDFPlugin.mm (modified) (1 diff)
• WebKit2/WebProcess/Plugins/Plugin.h (modified) (1 diff)
• WebKit2/WebProcess/Plugins/PluginView.cpp (modified) (1 diff)
• WebKit2/WebProcess/Plugins/PluginView.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-17  Simon Fraser  <simon.fraser@apple.com>
+
+        PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache
+        https://bugs.webkit.org/show_bug.cgi?id=148182
+
+        Reviewed by Brent Fulgham.
+
+        When handling Command-arrow key while showing a scrollable PDF, the timing of PDFPlugin
+        teardown and navigation could result in PDFPlugin::destroy() getting the wrong FrameView,
+        so the old FrameView was left with a stale pointer in its scrollableAreaSet.
+
+        Fix this by adding an explicit willDetatchRenderer() which is called on the plugin
+        before the Frame gets a new FrameView.
+
+        Also narrow the scope of the RefPtr<Widget> in HTMLPlugInElement::defaultEventHandler()
+        so that the Widget is not kept alive over a possible navigation.
+
+        I was unable to make an automated test, because reproducing the bug requires handling
+        a Command-arrow key event in a way that the last ref to a Widget is held over the event
+        handling, and this wasn't possible in an iframe.
+
+        * html/HTMLPlugInElement.cpp:
+        (WebCore::HTMLPlugInElement::defaultEventHandler):
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::willDetachRenderers):
+        * plugins/PluginViewBase.h:
+        (WebCore::PluginViewBase::willDetatchRenderer):
+        * style/StyleTreeResolver.cpp:
+        (WebCore::Style::detachRenderTree): Drive-by nullptr.
+
 2016-02-17  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebCore/html/HTMLPlugInElement.cpp

@@ -226 +226 @@
     }
 
-    RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
-    if (!widget)
-        return;
-    widget->handleEvent(event);
-    if (event->defaultHandled())
-        return;
+    // Don't keep the widget alive over the defaultEventHandler call, since that can do things like navigate.
+    {
+        RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
+        if (!widget)
+            return;
+        widget->handleEvent(event);
+        if (event->defaultHandled())
+            return;
+    }
     HTMLFrameOwnerElement::defaultEventHandler(event);
 }

trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

@@ -273 +273 @@
     }
 
+    Widget* widget = pluginWidget(PluginLoadingPolicy::DoNotLoad);
+    if (is<PluginViewBase>(widget))
+        downcast<PluginViewBase>(*widget).willDetatchRenderer();
+
     HTMLPlugInElement::willDetachRenderers();
 }

trunk/Source/WebCore/plugins/PluginViewBase.h

@@ -82 +82 @@
 
     virtual RefPtr<JSC::Bindings::Instance> bindingInstance() { return nullptr; }
+    
+    virtual void willDetatchRenderer() { }
 
 protected:

trunk/Source/WebCore/style/StyleTreeResolver.cpp

@@ -614 +614 @@
     if (current.renderer())
         current.renderer()->destroyAndCleanupAnonymousWrappers();
-    current.setRenderer(0);
+    current.setRenderer(nullptr);
 
     if (current.hasCustomStyleResolveCallbacks())

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2016-02-17  Simon Fraser  <simon.fraser@apple.com>
+
+        PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache
+        https://bugs.webkit.org/show_bug.cgi?id=148182
+
+        Reviewed by Brent Fulgham.
+        
+        When handling Command-arrow key while showing a scrollable PDF, the timing of PDFPlugin
+        teardown and navigation could result in PDFPlugin::destroy() getting the wrong FrameView,
+        so the old FrameView was left with a stale pointer in its scrollableAreaSet.
+
+        Fix this by adding an explicit willDetatchRenderer() which is called on the plugin
+        before the Frame gets a new FrameView.
+
+        Also narrow the scope of the RefPtr<Widget> in HTMLPlugInElement::defaultEventHandler()
+        so that the Widget is not kept alive over a possible navigation.
+
+        I was unable to make an automated test, because reproducing the bug requires handling
+        a Command-arrow key event in a way that the last ref to a Widget is held over the event
+        handling, and this wasn't possible in an iframe.
+
+        * WebProcess/Plugins/PDF/DeprecatedPDFPlugin.h:
+        * WebProcess/Plugins/PDF/DeprecatedPDFPlugin.mm:
+        (WebKit::PDFPlugin::willDetatchRenderer):
+        * WebProcess/Plugins/Plugin.h:
+        (WebKit::Plugin::willDetatchRenderer):
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::willDetatchRenderer):
+        * WebProcess/Plugins/PluginView.h:
+
 2016-02-17  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/PDF/DeprecatedPDFPlugin.h

@@ -164 +164 @@
     virtual bool handleScroll(WebCore::ScrollDirection, WebCore::ScrollGranularity) override;
     virtual RefPtr<WebCore::SharedBuffer> liveResourceData() const override;
+    virtual void willDetatchRenderer() override;
 
     virtual bool isBeingAsynchronouslyInitialized() const override { return false; }

trunk/Source/WebKit2/WebProcess/Plugins/PDF/DeprecatedPDFPlugin.mm

@@ -1092 +1092 @@
 }
 
+void PDFPlugin::willDetatchRenderer()
+{
+    if (webFrame()) {
+        if (FrameView* frameView = webFrame()->coreFrame()->view())
+            frameView->removeScrollableArea(this);
+    }
+}
+
 void PDFPlugin::destroy()
 {

trunk/Source/WebKit2/WebProcess/Plugins/Plugin.h

@@ -302 +302 @@
     virtual bool requiresUnifiedScaleFactor() const { return false; }
 
+    virtual void willDetatchRenderer() { }
+
 protected:
     Plugin(PluginType);

trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp

@@ -1006 +1006 @@
 }
 
+void PluginView::willDetatchRenderer()
+{
+    if (!m_isInitialized || !m_plugin)
+        return;
+
+    m_plugin->willDetatchRenderer();
+}
+
 PassRefPtr<SharedBuffer> PluginView::liveResourceData() const
 {

trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h

@@ -168 +168 @@
     virtual bool shouldAllowNavigationFromDrags() const override;
     virtual bool shouldNotAddLayer() const override;
+    virtual void willDetatchRenderer() override;
 
     // WebCore::Widget