Changeset 232591 in webkit


Ignore:
Timestamp:
Jun 7, 2018 11:38:40 AM (6 years ago)
Author:
rniwa@webkit.org
Message:

Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn()
https://bugs.webkit.org/show_bug.cgi?id=186383
<rdar://problem/40849498>

Reviewed by Jon Lee.

Source/WebKit:

The release assert was hit because the descendent elemenet iterator, which instantiates ScriptDisallowedScope,
was alive as determinePrimarySnapshottedPlugIn invoked Document::updateLayout. Avoid this by copying
the list of plugin image elements into a vector first.

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::determinePrimarySnapshottedPlugIn): Fixed the release assert, and deployed Ref and RefPtr
to make this code safe.

LayoutTests:

Added a regression test.

  • plugins/snapshotting/determine-primary-snapshotted-plugin-crash-expected.txt: Added.
  • plugins/snapshotting/determine-primary-snapshotted-plugin-crash.html: Added.
Location:
trunk
Files:
2 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r232589 r232591  
     12018-06-07  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn()
     4        https://bugs.webkit.org/show_bug.cgi?id=186383
     5        <rdar://problem/40849498>
     6
     7        Reviewed by Jon Lee.
     8
     9        Added a regression test.
     10
     11        * plugins/snapshotting/determine-primary-snapshotted-plugin-crash-expected.txt: Added.
     12        * plugins/snapshotting/determine-primary-snapshotted-plugin-crash.html: Added.
     13
    1142018-06-07  Thibault Saunier  <tsaunier@igalia.com>
    215

  • trunk/Source/WebKit/ChangeLog

    r232590 r232591  
     12018-06-07  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn()
     4        https://bugs.webkit.org/show_bug.cgi?id=186383
     5        <rdar://problem/40849498>
     6
     7        Reviewed by Jon Lee.
     8
     9        The release assert was hit because the descendent elemenet iterator, which instantiates ScriptDisallowedScope,
     10        was alive as determinePrimarySnapshottedPlugIn invoked Document::updateLayout. Avoid this by copying
     11        the list of plugin image elements into a vector first.
     12
     13        * WebProcess/WebPage/WebPage.cpp:
     14        (WebKit::WebPage::determinePrimarySnapshottedPlugIn): Fixed the release assert, and deployed Ref and RefPtr
     15        to make this code safe.
     16
    1172018-06-07  Don Olmstead  <don.olmstead@sony.com>
    218

  • trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp

    r232544 r232591  
    53725372    layoutIfNeeded();
    53735373
    5374     auto& mainFrame = corePage()->mainFrame();
    5375     if (!mainFrame.view())
    5376         return;
    5377     if (!mainFrame.view()->renderView())
    5378         return;
    5379     RenderView& mainRenderView = *mainFrame.view()->renderView();
     5374    RefPtr<FrameView> mainFrameView = corePage()->mainFrame().view();
     5375    if (!mainFrameView)
     5376        return;
    53805377
    53815378    IntRect searchRect = IntRect(IntPoint(), corePage()->mainFrame().view()->contentsSize());
     
    53845381    HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::AllowChildFrameContent | HitTestRequest::IgnoreClipping | HitTestRequest::DisallowUserAgentShadowContent);
    53855382
    5386     HTMLPlugInImageElement* candidatePlugIn = nullptr;
     5383    RefPtr<HTMLPlugInImageElement> candidatePlugIn;
    53875384    unsigned candidatePlugInArea = 0;
    53885385
    5389     for (Frame* frame = &mainFrame; frame; frame = frame->tree().traverseNextRendered()) {
     5386    for (RefPtr<Frame> frame = &corePage()->mainFrame(); frame; frame = frame->tree().traverseNextRendered()) {
    53905387        if (!frame->loader().subframeLoader().containsPlugins())
    53915388            continue;
    53925389        if (!frame->document() || !frame->view())
    53935390            continue;
     5391
     5392        Vector<Ref<HTMLPlugInImageElement>> nonPlayingPlugInImageElements;
    53945393        for (auto& plugInImageElement : descendantsOfType<HTMLPlugInImageElement>(*frame->document())) {
    53955394            if (plugInImageElement.displayState() == HTMLPlugInElement::Playing)
    53965395                continue;
    5397 
    5398             auto pluginRenderer = plugInImageElement.renderer();
     5396            nonPlayingPlugInImageElements.append(plugInImageElement);
     5397        }
     5398
     5399        for (auto& plugInImageElement : nonPlayingPlugInImageElements) {
     5400            auto pluginRenderer = plugInImageElement->renderer();
    53995401            if (!pluginRenderer || !pluginRenderer->isBox())
    54005402                continue;
    54015403            auto& pluginRenderBox = downcast<RenderBox>(*pluginRenderer);
    5402             if (!plugInIntersectsSearchRect(plugInImageElement))
     5404            if (!plugInIntersectsSearchRect(plugInImageElement.get()))
    54035405                continue;
    54045406
    5405             IntRect plugInRectRelativeToView = plugInImageElement.clientRect();
    5406             ScrollPosition scrollPosition = mainFrame.view()->documentScrollPositionRelativeToViewOrigin();
     5407            IntRect plugInRectRelativeToView = plugInImageElement->clientRect();
     5408            ScrollPosition scrollPosition = mainFrameView->documentScrollPositionRelativeToViewOrigin();
    54075409            IntRect plugInRectRelativeToTopDocument(plugInRectRelativeToView.location() + scrollPosition, plugInRectRelativeToView.size());
    54085410            HitTestResult hitTestResult(plugInRectRelativeToTopDocument.center());
    5409             mainRenderView.hitTest(request, hitTestResult);
    5410 
    5411             Element* element = hitTestResult.targetElement();
     5411
     5412            if (!mainFrameView->renderView())
     5413                return;
     5414            mainFrameView->renderView()->hitTest(request, hitTestResult);
     5415
     5416            RefPtr<Element> element = hitTestResult.targetElement();
    54125417            if (!element)
    54135418                continue;
     
    54215426            inflatedPluginRect.inflateY(yOffset);
    54225427
    5423             if (element != &plugInImageElement) {
     5428            if (element != plugInImageElement.ptr()) {
    54245429                if (!(is<HTMLImageElement>(*element)
    54255430                    && inflatedPluginRect.contains(elementRectRelativeToTopDocument)
     
    54285433                    continue;
    54295434                LOG(Plugins, "Primary Plug-In Detection: Plug-in is hidden by an image that is roughly aligned with it, autoplaying regardless of whether or not it's actually the primary plug-in.");
    5430                 plugInImageElement.restartSnapshottedPlugIn();
     5435                plugInImageElement->restartSnapshottedPlugIn();
    54315436            }
    54325437
    54335438            if (plugInIsPrimarySize(plugInImageElement, candidatePlugInArea))
    5434                 candidatePlugIn = &plugInImageElement;
     5439                candidatePlugIn = WTFMove(plugInImageElement);
    54355440        }
    54365441    }
Note: See TracChangeset for help on using the changeset viewer.