Changeset 232591 in webkit
- Timestamp:
- Jun 7, 2018 11:38:40 AM (6 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 3 edited
trunk/LayoutTests/ChangeLog
r232589 r232591 1 2018-06-07 Ryosuke Niwa <rniwa@webkit.org> 2 3 Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn() 4 https://bugs.webkit.org/show_bug.cgi?id=186383 5 <rdar://problem/40849498> 6 7 Reviewed by Jon Lee. 8 9 Added a regression test. 10 11 * plugins/snapshotting/determine-primary-snapshotted-plugin-crash-expected.txt: Added. 12 * plugins/snapshotting/determine-primary-snapshotted-plugin-crash.html: Added. 13 1 14 2018-06-07 Thibault Saunier <tsaunier@igalia.com> 2 15 -
trunk/Source/WebKit/ChangeLog
r232590 r232591 1 2018-06-07 Ryosuke Niwa <rniwa@webkit.org> 2 3 Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn() 4 https://bugs.webkit.org/show_bug.cgi?id=186383 5 <rdar://problem/40849498> 6 7 Reviewed by Jon Lee. 8 9 The release assert was hit because the descendent elemenet iterator, which instantiates ScriptDisallowedScope, 10 was alive as determinePrimarySnapshottedPlugIn invoked Document::updateLayout. Avoid this by copying 11 the list of plugin image elements into a vector first. 12 13 * WebProcess/WebPage/WebPage.cpp: 14 (WebKit::WebPage::determinePrimarySnapshottedPlugIn): Fixed the release assert, and deployed Ref and RefPtr 15 to make this code safe. 16 1 17 2018-06-07 Don Olmstead <don.olmstead@sony.com> 2 18 -
trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp
r232544 r232591 5372 5372 layoutIfNeeded(); 5373 5373 5374 auto& mainFrame = corePage()->mainFrame(); 5375 if (!mainFrame.view()) 5376 return; 5377 if (!mainFrame.view()->renderView()) 5378 return; 5379 RenderView& mainRenderView = *mainFrame.view()->renderView(); 5374 RefPtr<FrameView> mainFrameView = corePage()->mainFrame().view(); 5375 if (!mainFrameView) 5376 return; 5380 5377 5381 5378 IntRect searchRect = IntRect(IntPoint(), corePage()->mainFrame().view()->contentsSize()); … … 5384 5381 HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::AllowChildFrameContent | HitTestRequest::IgnoreClipping | HitTestRequest::DisallowUserAgentShadowContent); 5385 5382 5386 HTMLPlugInImageElement* candidatePlugIn = nullptr;5383 RefPtr<HTMLPlugInImageElement> candidatePlugIn; 5387 5384 unsigned candidatePlugInArea = 0; 5388 5385 5389 for ( Frame* frame = &mainFrame; frame; frame = frame->tree().traverseNextRendered()) {5386 for (RefPtr<Frame> frame = &corePage()->mainFrame(); frame; frame = frame->tree().traverseNextRendered()) { 5390 5387 if (!frame->loader().subframeLoader().containsPlugins()) 5391 5388 continue; 5392 5389 if (!frame->document() || !frame->view()) 5393 5390 continue; 5391 5392 Vector<Ref<HTMLPlugInImageElement>> nonPlayingPlugInImageElements; 5394 5393 for (auto& plugInImageElement : descendantsOfType<HTMLPlugInImageElement>(*frame->document())) { 5395 5394 if (plugInImageElement.displayState() == HTMLPlugInElement::Playing) 5396 5395 continue; 5397 5398 auto pluginRenderer = plugInImageElement.renderer(); 5396 nonPlayingPlugInImageElements.append(plugInImageElement); 5397 } 5398 5399 for (auto& plugInImageElement : nonPlayingPlugInImageElements) { 5400 auto pluginRenderer = plugInImageElement->renderer(); 5399 5401 if (!pluginRenderer || !pluginRenderer->isBox()) 5400 5402 continue; 5401 5403 auto& pluginRenderBox = downcast<RenderBox>(*pluginRenderer); 5402 if (!plugInIntersectsSearchRect(plugInImageElement ))5404 if 
(!plugInIntersectsSearchRect(plugInImageElement.get())) 5403 5405 continue; 5404 5406 5405 IntRect plugInRectRelativeToView = plugInImageElement .clientRect();5406 ScrollPosition scrollPosition = mainFrame .view()->documentScrollPositionRelativeToViewOrigin();5407 IntRect plugInRectRelativeToView = plugInImageElement->clientRect(); 5408 ScrollPosition scrollPosition = mainFrameView->documentScrollPositionRelativeToViewOrigin(); 5407 5409 IntRect plugInRectRelativeToTopDocument(plugInRectRelativeToView.location() + scrollPosition, plugInRectRelativeToView.size()); 5408 5410 HitTestResult hitTestResult(plugInRectRelativeToTopDocument.center()); 5409 mainRenderView.hitTest(request, hitTestResult); 5410 5411 Element* element = hitTestResult.targetElement(); 5411 5412 if (!mainFrameView->renderView()) 5413 return; 5414 mainFrameView->renderView()->hitTest(request, hitTestResult); 5415 5416 RefPtr<Element> element = hitTestResult.targetElement(); 5412 5417 if (!element) 5413 5418 continue; … … 5421 5426 inflatedPluginRect.inflateY(yOffset); 5422 5427 5423 if (element != &plugInImageElement) {5428 if (element != plugInImageElement.ptr()) { 5424 5429 if (!(is<HTMLImageElement>(*element) 5425 5430 && inflatedPluginRect.contains(elementRectRelativeToTopDocument) … … 5428 5433 continue; 5429 5434 LOG(Plugins, "Primary Plug-In Detection: Plug-in is hidden by an image that is roughly aligned with it, autoplaying regardless of whether or not it's actually the primary plug-in."); 5430 plugInImageElement .restartSnapshottedPlugIn();5435 plugInImageElement->restartSnapshottedPlugIn(); 5431 5436 } 5432 5437 5433 5438 if (plugInIsPrimarySize(plugInImageElement, candidatePlugInArea)) 5434 candidatePlugIn = &plugInImageElement;5439 candidatePlugIn = WTFMove(plugInImageElement); 5435 5440 } 5436 5441 }
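Review bot: The per-element loop re-validates `mainFrameView->renderView()` before each hit test, but nothing re-validates the element itself after the calls that can now run layout: once `clientRect()` (presumably the path that reached `Document::updateLayout` in the assert) or `restartSnapshottedPlugIn()` has run, an element snapshotted in `nonPlayingPlugInImageElements` may have been detached or switched to `Playing`, and the `Ref` only keeps it alive, not valid as a candidate. Consider opening the second loop with `if (!plugInImageElement->isConnected() || plugInImageElement->displayState() == HTMLPlugInElement::Playing) continue;` (or the equivalent connectivity check this tree uses) so a stale entry cannot become `candidatePlugIn`. The same concern applies to `frame->document()`/`frame->view()`, which are checked once before the inner loop but can also be invalidated by it; a re-check at the top of each iteration is cheap. On style, the unchanged `searchRect` line still dereferences `corePage()->mainFrame().view()` unchecked, although `mainFrameView` now holds the same view and has already been null-checked; `IntRect searchRect = IntRect(IntPoint(), mainFrameView->contentsSize());` would make the hunk consistent. `determinePrimarySnapshottedPlugIn` both begins and ends outside this hunk, so the handling of `candidatePlugIn` after the loop could not be reviewed here.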