[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

mitz at apple.com mitz at apple.com
Sun Feb 20 23:00:38 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit 660edfe54123727365e8bedeb1fe3ac14d6922e8
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 15 01:20:45 2011 +0000

    Source/WebCore: WebCore part of <rdar://problem/8441312> Crash in -[NSView _invalidateGStatesForTree]
    
    Reviewed by Simon Fraser.
    
    * WebCore.exp.in: Export RenderWidget::suspendWidgetHierarchyUpdates() and
    RenderWidget::resumeWidgetHierarchyUpdates().
    * manual-tests/plug-in-mutates-NSView-hierarchy-during-resize.html: Added.
    * rendering/RenderWidget.cpp:
    (WebCore::RenderWidget::setWidgetGeometry): Removed the assertion that widget hierarchy updates
    are disabled. When this assertion was added, this condition was a subset of the “calling out to
    plug-in code is forbidden” condition, hence the assertion was valid. The WebKit part of this
    change now suspends widget hierarchy updates even at times where plug-in code is expected to be
    called, which invalidates the assertion.
    
    WebKit/mac: WebKit/mac part of <rdar://problem/8441312> Crash in -[NSView _invalidateGStatesForTree]
    
    Reviewed by Simon Fraser.
    
    * WebView/WebHTMLView.mm:
    (-[WebHTMLView _invalidateGStatesForTree]): Override this NSView method, and bracket the call
    to the superclass implementation with suspending WebCore Widget hierarchy updates. This ensures
    that the NSView tree doesn’t change from under AppKit as it traverses it.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75851 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 23c1853..5e1f3e9 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2011-01-14  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        WebCore part of <rdar://problem/8441312> Crash in -[NSView _invalidateGStatesForTree]
+
+        * WebCore.exp.in: Export RenderWidget::suspendWidgetHierarchyUpdates() and
+        RenderWidget::resumeWidgetHierarchyUpdates().
+        * manual-tests/plug-in-mutates-NSView-hierarchy-during-resize.html: Added.
+        * rendering/RenderWidget.cpp:
+        (WebCore::RenderWidget::setWidgetGeometry): Removed the assertion that widget hierarchy updates
+        are disabled. When this assertion was added, this condition was a subset of the “calling out to
+        plug-in code is forbidden” condition, hence the assertion was valid. The WebKit part of this
+        change now suspends widget hierarchy updates even at times where plug-in code is expected to be
+        called, which invalidates the assertion.
+
 2011-01-14  Tony Gentilcore  <tonyg at chromium.org>
 
         Unreviewed build fix.
diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in
index 97ef9b6..5ea40ca 100644
--- a/Source/WebCore/WebCore.exp.in
+++ b/Source/WebCore/WebCore.exp.in
@@ -270,6 +270,8 @@ __ZN7WebCore12PrintContextC1EPNS_5FrameE
 __ZN7WebCore12PrintContextD1Ev
 __ZN7WebCore12RenderObject16repaintRectangleERKNS_7IntRectEb
 __ZN7WebCore12RenderWidget19showSubstituteImageEN3WTF10PassRefPtrINS_5ImageEEE
+__ZN7WebCore12RenderWidget28resumeWidgetHierarchyUpdatesEv
+__ZN7WebCore12RenderWidget29suspendWidgetHierarchyUpdatesEv
 __ZN7WebCore12SchedulePairC1EP9NSRunLoopPK10__CFString
 __ZN7WebCore12SharedBuffer10wrapNSDataEP6NSData
 __ZN7WebCore12SharedBuffer12createNSDataEv
diff --git a/Source/WebCore/manual-tests/plug-in-mutates-NSView-hierarchy-during-resize.html b/Source/WebCore/manual-tests/plug-in-mutates-NSView-hierarchy-during-resize.html
new file mode 100644
index 0000000..e43e074
--- /dev/null
+++ b/Source/WebCore/manual-tests/plug-in-mutates-NSView-hierarchy-during-resize.html
@@ -0,0 +1,37 @@
+<style>
+    div { padding: 10px; margin: 8px; }
+    embed { width: 50px; height: 50px; }
+    iframe { width: 50px; height: 50px; }
+</style>
+<script>
+    var callCount = 0;
+
+    function hideFirst()
+    {
+        if (++callCount != 2)
+            return;
+
+        var target = document.getElementById("target");
+        if (!target)
+            return;
+
+        target.parentNode.removeChild(target);
+        document.body.offsetTop;
+    }
+</script>
+<p>
+    Test that plug-ins cannot cause the NSView hierarchy to change beneath <tt>-[NSView _invalidateGStatesForTree]</tt>.
+</p>
+<p>
+    To test, resize the browser window. Reload and repeat a few times. Each time you resize, the orange rectangle and
+    its contents should vanish, and the browser should not crash.
+</p>
+<div id="target" style="border: solid orange;">
+    <embed type="application/x-webkit-test-netscape"></embed>
+    <iframe src=""></iframe>
+    <iframe src=""></iframe>
+    <iframe src=""></iframe>
+</div>
+<div style="border: solid blue;">
+    <embed type="application/x-webkit-test-netscape" onsetwindow="hideFirst()"></embed>
+</div>
diff --git a/Source/WebCore/rendering/RenderWidget.cpp b/Source/WebCore/rendering/RenderWidget.cpp
index 152bb2f..74faf00 100644
--- a/Source/WebCore/rendering/RenderWidget.cpp
+++ b/Source/WebCore/rendering/RenderWidget.cpp
@@ -159,7 +159,6 @@ RenderWidget::~RenderWidget()
 
 bool RenderWidget::setWidgetGeometry(const IntRect& frame)
 {
-    ASSERT(!widgetHierarchyUpdateSuspendCount);
     if (!node())
         return false;
 
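Review bot: With the ASSERT removed, nothing in setWidgetGeometry records that being entered while widget hierarchy updates are suspended is now an expected state rather than a bug, so a later reader is likely to reinstate the check. A one-line comment where the assertion stood would keep the ChangeLog's reasoning next to the code: `// Widget hierarchy updates may be suspended here: WebKit/mac suspends them around -[NSView _invalidateGStatesForTree], during which plug-in code can run.` Whether a geometry change made while suspended is deferred or dropped is not visible in this hunk, so the wording should match what the rest of the function does. setWidgetGeometry's body continues outside the hunk.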
diff --git a/WebKit/mac/ChangeLog b/WebKit/mac/ChangeLog
index 5d5c0e3..7fb3d52 100644
--- a/WebKit/mac/ChangeLog
+++ b/WebKit/mac/ChangeLog
@@ -1,3 +1,14 @@
+2011-01-14  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        WebKit/mac part of <rdar://problem/8441312> Crash in -[NSView _invalidateGStatesForTree]
+
+        * WebView/WebHTMLView.mm:
+        (-[WebHTMLView _invalidateGStatesForTree]): Override this NSView method, and bracket the call
+        to the superclass implementation with suspending WebCore Widget hierarchy updates. This ensures
+        that the NSView tree doesn’t change from under AppKit as it traverses it.
+
 2011-01-14  Beth Dakin  <bdakin at apple.com>
 
         Reviewed by Mark Rowe.
diff --git a/WebKit/mac/WebView/WebHTMLView.mm b/WebKit/mac/WebView/WebHTMLView.mm
index 30472d2..bf91af9 100644
--- a/WebKit/mac/WebView/WebHTMLView.mm
+++ b/WebKit/mac/WebView/WebHTMLView.mm
@@ -104,6 +104,7 @@
 #import <WebCore/Page.h>
 #import <WebCore/PlatformKeyboardEvent.h>
 #import <WebCore/Range.h>
+#import <WebCore/RenderWidget.h>
 #import <WebCore/RuntimeApplicationChecks.h>
 #import <WebCore/SelectionController.h>
 #import <WebCore/SharedBuffer.h>
@@ -273,6 +274,7 @@ extern NSString *NSTextInputReplacementRangeAttributeName;
 - (NSRect)_dirtyRect;
 - (void)_setDrawsOwnDescendants:(BOOL)drawsOwnDescendants;
 - (BOOL)_drawnByAncestor;
+- (void)_invalidateGStatesForTree;
 - (void)_propagateDirtyRectsToOpaqueAncestors;
 - (void)_windowChangedKeyState;
 #if USE(ACCELERATED_COMPOSITING) && defined(BUILDING_ON_LEOPARD)
@@ -501,7 +503,7 @@ struct WebHTMLViewInterpretKeyEventsParameters {
     
     id savedSubviews;
     BOOL subviewsSetAside;
-    
+
 #if USE(ACCELERATED_COMPOSITING)
     NSView *layerHostingView;
     BOOL drawingIntoLayer;
@@ -3528,6 +3530,17 @@ static void setMenuTargets(NSMenu* menu)
     return visibleRect;
 }
 
+- (void)_invalidateGStatesForTree
+{
+    // AppKit is in the process of traversing the NSView tree, and is going to send -renewGState to
+    // descendants, including plug-in views. This can result in calls out to plug-in code and back into
+    // WebCore via JavaScript, which could normally mutate the NSView tree while it is being traversed.
+    // Defer those mutations while descendants are being traveresed.
+    RenderWidget::suspendWidgetHierarchyUpdates();
+    [super _invalidateGStatesForTree];
+    RenderWidget::resumeWidgetHierarchyUpdates();
+}
+
 - (BOOL)isFlipped 
 {
     return YES;
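Review bot: The suspend/resume pair in -_invalidateGStatesForTree is not balanced if the superclass call raises, and the new comment itself says plug-in code and JavaScript can run underneath it, so an Objective-C exception escaping there would leave widget hierarchy updates suspended for the rest of the process. If that path is reachable, bracketing the super call the way this file handles other AppKit call-outs (WebKit's BEGIN_BLOCK_OBJC_EXCEPTIONS / END_BLOCK_OBJC_EXCEPTIONS, if WebHTMLView.mm already uses them) or a small scope guard that calls resume in its destructor would keep the count balanced. The counter name in the RenderWidget hunk (widgetHierarchyUpdateSuspendCount) suggests the pair nests safely, so reentrancy from AppKit looks fine. The new comment also has a typo; the last line should read `// Defer those mutations while descendants are being traversed.`, and since `_invalidateGStatesForTree` is an undocumented AppKit selector (declared in the private-method hunk above, whose @interface starts outside the hunk), a sentence noting that the override silently stops taking effect if AppKit stops calling it would help the next maintainer.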
