[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Gustavo Noronha Silva gns at gnome.org
Thu Apr 8 02:24:16 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit fe49afd7842aaae7ba14c5c022d94aebe8a490c6
Author: cmarrin at apple.com <cmarrin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Mar 20 00:28:12 2010 +0000

            Fixed a crash with AnimationController getting deleted out from under itself.
    
            It's possible for the Frame that owns an AnimationController to get deleted
            in the EndTransitionEvent (or other animation events) handler.
            Normally this case is protected against by preventing the Frame
            from getting deleted until the end of the runloop. But native uses of the
            WebView can subvert this protection. So I added a protector to the
            animation event dispatcher to protect it in those cases.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56286 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 47193b2..410a0fb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-03-19  Chris Marrin  <cmarrin at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Fixed a crash with AnimationController getting deleted out from under itself.
+        
+        This test actually doesn't crash without the fix because the JS interpreter
+        protects against the Frame getting deleted prematurely. But this test is still
+        useful to make sure that protection is working. The crash actually occurs
+        when the equivalent thing is done in native code interfacing to a WebView.
+
+        * transitions/resources/transition-end-event-destroy-iframe-inner.html: Added.
+        * transitions/transition-end-event-destroy-iframe.html: Added.
+
 2010-03-16  Chris Fleizach  <cfleizach at apple.com>
 
         Reviewed by Darin Adler.
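Review bot: the new entry concedes that the test does not crash without the fix because the JS interpreter keeps the Frame alive, so this layout test is a smoke test for the JS-side protection rather than a regression test for the native crash the WebCore entry describes. Suggest spelling out in the entry what a real reproduction needs (a native WebView client dropping the frame from inside the event handler), so a future reader does not take a passing test as coverage of the path that was actually fixed.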
diff --git a/LayoutTests/transitions/resources/transition-end-event-destroy-iframe-inner.html b/LayoutTests/transitions/resources/transition-end-event-destroy-iframe-inner.html
new file mode 100644
index 0000000..2930d94
--- /dev/null
+++ b/LayoutTests/transitions/resources/transition-end-event-destroy-iframe-inner.html
@@ -0,0 +1,42 @@
+<html>
+<head>
+  <title>Destroy and Hide Element in Transition End Event</title>
+  <style type="text/css" media="screen">
+    .box {
+      height: 100px;
+      width: 100px;
+      margin: 10px;
+      background-color: blue;
+      -webkit-transition-property: -webkit-transform;
+      -webkit-transition-duration: 0.1s;
+    }
+  </style>
+  <script type="text/javascript" charset="utf-8">
+    var numDone = 0;
+    function transitionEnded()
+    {
+        parent.testFinished();
+    }
+
+    function startTest()
+    {
+        var box1 = document.getElementById('box1');
+        box1.addEventListener('webkitTransitionEnd', function() {
+            transitionEnded();
+        }, false);
+        box1.style.webkitTransform = 'translate(100px, 0)';
+    }
+    
+    window.addEventListener('load', startTest, false);
+  </script>
+</head>
+<body>
+
+<p>Tests element removal of iframe in webkitTransitionEnd event handler. Should not crash.</p>
+
+<div id="container">
+  <div id="box1" class="box"></div>
+</div>
+<div id="results"></div>
+</body>
+</html>
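Review bot: `var numDone = 0;` is declared but never used, and the inner page's `<div id="results">` is never written to; both look like leftovers from the test this file was copied from, as does the title "Destroy and Hide Element in Transition End Event", since this page hides nothing. Suggest dropping the unused variable and div and wording the title and the `<p>` description after what the test actually exercises: removing the iframe from the parent document inside the webkitTransitionEnd handler.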
diff --git a/LayoutTests/transitions/transition-end-event-destroy-iframe.html b/LayoutTests/transitions/transition-end-event-destroy-iframe.html
new file mode 100644
index 0000000..763bbfd
--- /dev/null
+++ b/LayoutTests/transitions/transition-end-event-destroy-iframe.html
@@ -0,0 +1,37 @@
+<html>
+<head>
+  <title>Destroy and Hide Element in Transition End Event</title>
+  <style type="text/css" media="screen">
+    div {
+        border 2px solid blue;
+    }
+  </style>
+  <script type="text/javascript" charset="utf-8">
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+    
+    function testFinished() {
+        p = document.getElementById("parent");
+        f = document.getElementById("frame");
+        p.removeChild(f);
+        if (window.GCController)
+            GCController.collect();
+        document.getElementById('results').innerHTML = 'Did not crash, so PASSED';
+        
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    };
+  </script>
+</head>
+<body>
+
+<p>Tests element removal and hiding in webkitTransitionEnd event handler. Should not crash.</p>
+
+<div id="parent">
+    <iframe id="frame" src="resources/transition-end-event-destroy-iframe-inner.html" width="400px" height="400px"></iframe>
+</div>
+<div id="results"></div>
+</body>
+</html>
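Review bot: `border 2px solid blue;` in the `<style>` block is missing its colon (`border: 2px solid blue;`), so the declaration is silently dropped; harmless for the test's purpose but not what was intended. In `testFinished`, `p` and `f` are assigned without `var` and become implicit globals, and the `};` closing the function declaration carries a stray semicolon. The `<p>` text says "element removal and hiding", but the function only removes the iframe and forces a GC. Suggest `var p = ...; var f = ...;`, the colon fix, and a description that matches the test body.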
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c7fbfee..b747414 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-03-19  Chris Marrin  <cmarrin at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Fixed a crash with AnimationController getting deleted out from under itself.
+        
+        It's possible for the Frame that owns an AnimationController to get deleted
+        in the EndTransitionEvent (or other animation events) to get deleted in the
+        event handler. Normally this case is protected against by preventing the Frame
+        from getting deleted until the end of the runloop. But native uses of the 
+        WebView can subvert this protection. So I added a protector to the 
+        animation event dispatcher to protect it in those cases.
+
+        Test: transitions/transition-end-event-destroy-iframe.html
+
+        * page/animation/AnimationController.cpp:
+        (WebCore::AnimationControllerPrivate::updateStyleIfNeededDispatcherFired):
+
 2010-03-17  Brady Eidson  <beidson at apple.com>
 
         Reviewed by Darin Adler.
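Review bot: the second paragraph reads "to get deleted in the EndTransitionEvent (or other animation events) to get deleted in the event handler", a duplicated phrase left over from editing, and the lines ending "native uses of the " and "protector to the " carry trailing whitespace. Suggest "in the handler for the EndTransitionEvent (or other animation events)" and stripping the trailing spaces before landing.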
diff --git a/WebCore/page/animation/AnimationController.cpp b/WebCore/page/animation/AnimationController.cpp
index 422c154..cb609a5 100644
--- a/WebCore/page/animation/AnimationController.cpp
+++ b/WebCore/page/animation/AnimationController.cpp
@@ -134,6 +134,9 @@ void AnimationControllerPrivate::updateAnimationTimer(bool callSetChanged/* = fa
 
 void AnimationControllerPrivate::updateStyleIfNeededDispatcherFired(Timer<AnimationControllerPrivate>*)
 {
+    // Protect the frame from getting destroyed in the event handler
+    RefPtr<Frame> protector = m_frame;
+
     // fire all the events
     Vector<EventToDispatch>::const_iterator eventsToDispatchEnd = m_eventsToDispatch.end();
     for (Vector<EventToDispatch>::const_iterator it = m_eventsToDispatch.begin(); it != eventsToDispatchEnd; ++it) {
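Review bot: the protector comment should say why the Frame's lifetime matters at this point: the Frame owns the AnimationController, and this AnimationControllerPrivate goes with it, so a Frame destroyed inside a handler tears down `this` while the loop below is still running, which is the crash in the title; holding the Frame until the function returns is what keeps `this` valid. Separately, `eventsToDispatchEnd` is cached before any event is dispatched, and a handler that starts a new transition while the loop runs can append to `m_eventsToDispatch` and invalidate both iterators; the protector does nothing for that case. Consider swapping the pending events into a local Vector before iterating, so that both the object lifetime and the iteration are robust to whatever the handlers do.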

-- 
WebKit Debian packaging