[CSS Regions] Crash when dispatching regionlayoutupdate
https://bugs.webkit.org/show_bug.cgi?id=102944

Patch by Andrei Bucur <abucur@adobe.com> on 2012-11-27
Reviewed by Andreas Kling.

Source/WebCore:

The event dispatch function was incorrectly assuming the RenderNamedFlowThread is valid. Because the event is asynchronous it's
possible for the flow to be in the "NULL" state (the renderer is 0) while the regionlayoutupdate event is dispatched.

Test: fast/regions/webkit-named-flow-event-crash.html

* dom/WebKitNamedFlow.cpp:
(WebCore::WebKitNamedFlow::dispatchRegionLayoutUpdateEvent): Remove the ASSERT and don't dispatch the event if the flow is
in the "NULL" state.

LayoutTests:

The test modifies the layout, forces a regionlayoutupdate event to be scheduled and then removes the content and the regions.
The event is dispatched on a named flow in the "NULL" state. Without this patch a crash occurs.

* fast/regions/webkit-named-flow-event-crash-expected.txt: Added.
* fast/regions/webkit-named-flow-event-crash.html: Added.

Canonical link: https://commits.webkit.org/121500@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@135853 268f45cc-cd09-0410-ab3c-d52691b4dbfc
abucur authored and webkit-commit-queue committed Nov 27, 2012
1 parent 6e3c7e3 commit 7970086e807a0549135fa49e6738efc5d9b31193
Showing 5 changed files with 105 additions and 2 deletions.
@@ -1,3 +1,16 @@
2012-11-27 Andrei Bucur <abucur@adobe.com>

[CSS Regions] Crash when dispatching regionlayoutupdate
https://bugs.webkit.org/show_bug.cgi?id=102944

Reviewed by Andreas Kling.

The test modifies the layout, forces a regionlayoutupdate event to be scheduled and then removes the content and the regions.
The event is dispatched on a named flow in the "NULL" state. Without this patch a crash occurs.

* fast/regions/webkit-named-flow-event-crash-expected.txt: Added.
* fast/regions/webkit-named-flow-event-crash.html: Added.

2012-11-27 Allan Sandfeld Jensen <allan.jensen@digia.com>

Reduce XHR timeout tests execution time
@@ -0,0 +1,9 @@
Test for https://bugs.webkit.org/show_bug.cgi?id=102944 [CSS Regions] Crash when dispatching regionlayoutupdate. The test passes if there is no crash or assert.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".


PASS successfullyParsed is true

TEST COMPLETE

@@ -0,0 +1,62 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<script src="../../fast/js/resources/js-test-pre.js"></script>
<style>
body, html {
width: 500px;
height: 500px;
}
#content {
width: 100%;
height: 100%;
-webkit-flow-into: flow;
}
#region {
width: 100%;
height: 100%;
-webkit-flow-from: flow;
}
</style>
</head>
<body>
<div id="content">
Hello crash!
</div>
<div id="region">
</div>
<script>
description("Test for https://bugs.webkit.org/show_bug.cgi?id=102944 [CSS Regions] Crash when dispatching regionlayoutupdate. The test passes if there is no crash or assert.");
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}

function dummyHandler (evt) {
evt.target.removeEventListener("webkitregionlayoutupdate", dummyHandler);
}

setTimeout(function() {
var namedFlows = document.webkitGetNamedFlows();
namedFlows["flow"].addEventListener("webkitregionlayoutupdate", dummyHandler);
var content = document.getElementById("content");
var region = document.getElementById("region");
content.style.height = "600px";

// Schedule a regionlayoutupdate event.
document.body.offsetTop;

// Transition the flow to the "NULL" state.
document.body.removeChild(content);
document.body.removeChild(region);

setTimeout(function() {
if (window.testRunner)
testRunner.notifyDone();
},0)
}, 0);
</script>
<script src="../../fast/js/resources/js-test-post.js"></script>
</body>
</html>
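Review bot: the test only proves the absence of a crash; it never observes whether the event was actually suppressed, so a regression that dispatches on a flow in the "NULL" state without crashing would still pass. Consider having dummyHandler record that it fired (for example set a flag after `content` and `region` are removed) and checking it with a shouldBeFalse/shouldBeTrue pair before testRunner.notifyDone(), which would also give the expected.txt more than the lone "successfullyParsed" line. Style nits in the same script: `},0)` is missing the semicolon and the space after the comma used on the outer `}, 0);`, and `function dummyHandler (evt)` has a stray space before the parameter list.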
@@ -1,3 +1,19 @@
2012-11-27 Andrei Bucur <abucur@adobe.com>

[CSS Regions] Crash when dispatching regionlayoutupdate
https://bugs.webkit.org/show_bug.cgi?id=102944

Reviewed by Andreas Kling.

The event dispatch function was incorrectly assuming the RenderNamedFlowThread is valid. Because the event is asynchronous it's
possible for the flow to be in the "NULL" state (the renderer is 0) while the regionlayoutupdate event is dispatched.

Test: fast/regions/webkit-named-flow-event-crash.html

* dom/WebKitNamedFlow.cpp:
(WebCore::WebKitNamedFlow::dispatchRegionLayoutUpdateEvent): Remove the ASSERT and don't dispatch the event if the flow is
in the "NULL" state.

2012-11-27 Mihnea Ovidenie <mihnea@adobe.com>

[CSS Regions] Absolutely positioned regions do not expand to fill their container
@@ -196,9 +196,12 @@ EventTargetData* WebKitNamedFlow::ensureEventTargetData()
void WebKitNamedFlow::dispatchRegionLayoutUpdateEvent()
{
ASSERT(!NoEventDispatchAssertion::isEventDispatchForbidden());
ASSERT(m_parentFlowThread);

RefPtr<Event> event = UIEvent::create(eventNames().webkitregionlayoutupdateEvent, false, false, m_parentFlowThread->document()->defaultView(), 0);
// If the flow is in the "NULL" state the event should not be dispatched any more.
if (flowState() == FlowStateNull)
return;

RefPtr<Event> event = UIEvent::create(eventNames().webkitregionlayoutupdateEvent, false, false, m_flowManager->document()->defaultView(), 0);

dispatchEvent(event);
}

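Review bot: the new guard drops the event at dispatch time when flowState() == FlowStateNull, but nothing in this hunk cancels the already scheduled dispatch when the flow loses its renderer, so a reader of this function alone cannot tell whether silently discarding the stale event is the intended design or a stopgap; a sentence in the comment (or the ChangeLog entry) saying why checking here is preferred over cancelling the pending dispatch would make that explicit. Also note that the early return now sits below `ASSERT(!NoEventDispatchAssertion::isEventDispatchForbidden());`, which is fine since no dispatch happens on that path, and the comment's "any more" reads better as "anymore".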