[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
simon.fraser at apple.com
simon.fraser at apple.com
Wed Dec 22 15:21:32 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 3e7f5aa39713f36ffe73c24aa9df51f1b165a51b
Author: simon.fraser at apple.com <simon.fraser at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Nov 1 23:41:51 2010 +0000
2010-11-01 Simon Fraser <simon.fraser at apple.com>
Reviewed by Dan Bernstein.
Assertion failure in FrameView::layout when clicking on a YouTube video on youtube.com front page
https://bugs.webkit.org/show_bug.cgi?id=44287
When removing subframes, it's possible for layout() to get called on a FrameView
for a Frame that has been removed from the frame tree. This can happen if the parent
document happens to do a layout() while RenderView still has a reference to the widget
for the removed frame; updateWidgetPosition() will try to force a layout() on the
subframe.
Fix by checking that the FrameView's Frame still has a reference to the page before
calling layout() on the subframe.
Test: fast/frames/layout-after-destruction.html
* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::updateWidgetPosition):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71074 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 696bc8f..54c5e84 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-11-01 Simon Fraser <simon.fraser at apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ Assertion failure in FrameView::layout when clicking on a YouTube video on youtube.com front page
+ https://bugs.webkit.org/show_bug.cgi?id=44287
+
+ Testcase that reloads a frameset, with a subframe that forces layout from
+ an onunload handler.
+
+ * fast/frames/layout-after-destruction-expected.txt: Added.
+ * fast/frames/layout-after-destruction.html: Added.
+ * fast/frames/resources/layout-after-destruction-subframe.html: Added.
+
2010-11-01 Mihai Parparita <mihaip at chromium.org>
Update the pixel expectations for fast/dom, fast/dynamic, fast/encoding, fast/events, and fast/gradients for the Mac port.
diff --git a/LayoutTests/fast/frames/layout-after-destruction-expected.txt b/LayoutTests/fast/frames/layout-after-destruction-expected.txt
new file mode 100644
index 0000000..8810955
--- /dev/null
+++ b/LayoutTests/fast/frames/layout-after-destruction-expected.txt
@@ -0,0 +1,6 @@
+frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
+frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
+This test should not assert on reload in a debug build.
+
+Element in top frame
+
diff --git a/LayoutTests/fast/frames/layout-after-destruction.html b/LayoutTests/fast/frames/layout-after-destruction.html
new file mode 100644
index 0000000..ce1c83f
--- /dev/null
+++ b/LayoutTests/fast/frames/layout-after-destruction.html
@@ -0,0 +1,27 @@
+<script>
+function runTest()
+{
+ if (!window.sessionStorage)
+ return;
+
+ if (window.layoutTestController) {
+ layoutTestController.waitUntilDone();
+ layoutTestController.dumpAsText();
+ }
+
+ if (sessionStorage.testCompleted) {
+ delete sessionStorage.testCompleted;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ } else {
+ sessionStorage.testCompleted = true;
+ document.location.reload(true);
+ }
+}
+
+window.addEventListener('load', runTest, false);
+</script>
+<p>This test should not assert on reload in a debug build.</p>
+<div id="element">Element in top frame</div>
+<iframe src="resources/layout-after-destruction-subframe.html"></iframe>
+<iframe ></iframe>
diff --git a/LayoutTests/fast/frames/resources/layout-after-destruction-subframe.html b/LayoutTests/fast/frames/resources/layout-after-destruction-subframe.html
new file mode 100644
index 0000000..0ae5df1
--- /dev/null
+++ b/LayoutTests/fast/frames/resources/layout-after-destruction-subframe.html
@@ -0,0 +1,10 @@
+<script>
+function unloadHandler()
+{
+ var element = parent.document.getElementById("element");
+ element.setAttribute("style", "height: 100px");
+ element.offsetTop;
+}
+</script>
+<body onunload="unloadHandler()">
+This is frame D.
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ee81caf..95ed711 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2010-11-01 Simon Fraser <simon.fraser at apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ Assertion failure in FrameView::layout when clicking on a YouTube video on youtube.com front page
+ https://bugs.webkit.org/show_bug.cgi?id=44287
+
+ When removing subframes, it's possible for layout() to get called on a FrameView
+ for a Frame that has been removed from the frame tree. This can happen if the parent
+ document happens to do a layout() while RenderView still has a reference to the widget
+ for the removed frame; updateWidgetPosition() will try to force a layout() on the
+ subframe.
+
+ Fix by checking that the FrameView's Frame still has a reference to the page before
+ calling layout() on the subframe.
+
+ Test: fast/frames/layout-after-destruction.html
+
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::updateWidgetPosition):
+
2010-11-01 Sheriff Bot <webkit.review.bot at gmail.com>
Unreviewed, rolling out r71065.
diff --git a/WebCore/rendering/RenderWidget.cpp b/WebCore/rendering/RenderWidget.cpp
index 6ec5b70..1a49199 100644
--- a/WebCore/rendering/RenderWidget.cpp
+++ b/WebCore/rendering/RenderWidget.cpp
@@ -349,7 +349,8 @@ void RenderWidget::updateWidgetPosition()
// content size is wrong) we have to do a layout to set the right widget size
if (m_widget && m_widget->isFrameView()) {
FrameView* frameView = static_cast<FrameView*>(m_widget.get());
- if (boundsChanged || frameView->needsLayout())
+ // Check the frame's page to make sure that the frame isn't in the process of being destroyed.
+ if ((boundsChanged || frameView->needsLayout()) && frameView->frame()->page())
frameView->layout();
}
}
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list