Changeset 226276 in webkit

Timestamp:

Dec 22, 2017, 1:41:02 PM (7 years ago)

Author:

mitz@apple.com

Message:

Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
​https://bugs.webkit.org/show_bug.cgi?id=181132
<rdar://problem/35143540>

Reviewed by Simon Fraser.

Source/WebCore:

Test: fast/animation/request-animation-frame-remove-iframe-in-callback.html

• dom/ScriptedAnimationController.cpp:

(WebCore::ScriptedAnimationController::serviceScriptedAnimations): Hold a reference to the

document and pass that along to InspectorInstrumentation::willFireAnimationFrame rather
than dereferencing the m_document member, which may have gotten cleared by an earlier
callback.

LayoutTests:

• fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt: Added.
• fast/animation/request-animation-frame-remove-iframe-in-callback.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt (added)
• LayoutTests/fast/animation/request-animation-frame-remove-iframe-in-callback.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/ScriptedAnimationController.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-12-22  Dan Bernstein  <mitz@apple.com>
+
+        Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
+        https://bugs.webkit.org/show_bug.cgi?id=181132
+        <rdar://problem/35143540>
+
+        Reviewed by Simon Fraser.
+
+        * fast/animation/request-animation-frame-remove-iframe-in-callback-expected.txt: Added.
+        * fast/animation/request-animation-frame-remove-iframe-in-callback.html: Added.
+
 2017-12-22  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-12-22  Dan Bernstein  <mitz@apple.com>
+
+        Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
+        https://bugs.webkit.org/show_bug.cgi?id=181132
+        <rdar://problem/35143540>
+
+        Reviewed by Simon Fraser.
+
+        Test: fast/animation/request-animation-frame-remove-iframe-in-callback.html
+
+        * dom/ScriptedAnimationController.cpp:
+        (WebCore::ScriptedAnimationController::serviceScriptedAnimations): Hold a reference to the
+          document and pass that along to InspectorInstrumentation::willFireAnimationFrame rather
+          than dereferencing the m_document member, which may have gotten cleared by an earlier
+          callback.
+
 2017-12-22  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/dom/ScriptedAnimationController.cpp

@@ -210 +210 @@
     // reference to us, so take a defensive reference.
     Ref<ScriptedAnimationController> protectedThis(*this);
+    Ref<Document> protectedDocument(*m_document);
 
     for (auto& callback : callbacks) {
         if (!callback->m_firedOrCancelled) {
             callback->m_firedOrCancelled = true;
-            InspectorInstrumentationCookie cookie = InspectorInstrumentation::willFireAnimationFrame(*m_document, callback->m_id);
+            InspectorInstrumentationCookie cookie = InspectorInstrumentation::willFireAnimationFrame(protectedDocument, callback->m_id);
             if (callback->m_useLegacyTimeBase)
                 callback->handleEvent(legacyHighResNowMs);