Changeset 27585 in webkit


Timestamp:
Nov 7, 2007 5:54:14 PM (16 years ago)
Author:
mitz@apple.com
Message:

Reviewed by Darin Adler.

  • fix <rdar://problem/5523503> Safari crashes clicking scroll bar in FaceBook 'Trips'

Layers and listboxes are two kinds of ScrollBarClient that can be
removed while the scrollbar is tracking the mouse. The scrollbar is not
destroyed until later, and meanwhile it can try to call the client,
which results in a crash.

  • manual-tests/stale-scrollbar-client-crash.html: Added.
  • platform/ScrollBar.h: (WebCore::Scrollbar::setClient): Added.
  • rendering/RenderLayer.cpp: (WebCore::RenderLayer::destroyScrollbar): Call Scrollbar::setClient().
  • rendering/RenderListBox.cpp: (WebCore::RenderListBox::~RenderListBox): Ditto.
Location:
trunk/WebCore
Files:
1 added
4 edited

  • trunk/WebCore/ChangeLog

    r27583 r27585  
     12007-11-07  Dan Bernstein  <mitz@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        - fix <rdar://problem/5523503> Safari crashes clicking scroll bar in FaceBook 'Trips'
     6
     7        Layers and listboxes are two kinds of ScrollBarClient that can be
     8        removed while the scrollbar is tracking the mouse. The scrollbar is not
     9        destroyed until later, and meanwhile it can try to call the client,
     10        which results in a crash.
     11
     12        * manual-tests/stale-scrollbar-client-crash.html: Added.
     13        * platform/ScrollBar.h:
     14        (WebCore::Scrollbar::setClient): Added.
     15        * rendering/RenderLayer.cpp:
     16        (WebCore::RenderLayer::destroyScrollbar): Call Scrollbar::setClient().
     17        * rendering/RenderListBox.cpp:
     18        (WebCore::RenderListBox::~RenderListBox): Ditto.
     19
    1202007-11-07  Adam Roben  <aroben@apple.com>
    221
  • trunk/WebCore/platform/ScrollBar.h

    r20761 r27585  
    6060    virtual ~Scrollbar() {}
    6161
     62    void setClient(ScrollbarClient* client) { m_client = client; }
     63
    6264    virtual bool isWidget() const = 0;
    6365
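Review bot: the added setClient() allows m_client to be set to 0, but nothing on the new line documents that null is an expected value, and the places that call through m_client are not part of this diff. Please add a comment on setClient() saying it is called with 0 when the client goes away while the scrollbar is still alive, and confirm that every use of m_client in Scrollbar and its subclasses checks for null first; otherwise the stale-pointer crash described in the ChangeLog turns into a null dereference.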
  • trunk/WebCore/rendering/RenderLayer.cpp

    r27277 r27585  
    10261026        if (scrollbar->isWidget())
    10271027            static_cast<PlatformScrollbar*>(scrollbar.get())->removeFromParent();
     1028        scrollbar->setClient(0);
    10281029
    10291030        // FIXME: Destroy the engine scrollbar.
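Review bot: the added scrollbar->setClient(0) carries no comment explaining why it is needed, and it sits directly above the FIXME about destroying the engine scrollbar, so it is easy to mistake for leftover code. A one-line comment stating that the scrollbar can outlive this layer while it is tracking the mouse, and must not call back into it, would keep the call from being dropped in a later cleanup.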
  • trunk/WebCore/rendering/RenderListBox.cpp

    r26614 r27585  
    8080RenderListBox::~RenderListBox()
    8181{
    82     if (m_vBar && m_vBar->isWidget())
    83         if (FrameView* view = node()->document()->view())
    84             view->removeChild(static_cast<PlatformScrollbar*>(m_vBar.get()));
     82    if (m_vBar) {
     83        if (m_vBar->isWidget()) {
     84            if (FrameView* view = node()->document()->view())
     85                view->removeChild(static_cast<PlatformScrollbar*>(m_vBar.get()));
     86        }
     87        m_vBar->setClient(0);
     88    }
    8589}
    8690
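Review bot: the m_vBar->setClient(0) at the end of ~RenderListBox() is the same manual detach that RenderLayer::destroyScrollbar() performs in this changeset, so every client that owns a scrollbar has to remember to do it itself. Consider moving the detach into one shared place (for example a helper both callers use) so a future client cannot omit it. Separately, the node()->document()->view() chain only null-checks view; it is worth confirming that node() and document() are always valid when this destructor runs.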