Synchronous media query callbacks on nested frames could produced a d…

…etached FrameView. https://bugs.webkit.org/show_bug.cgi?id=173330 Reviewed by Simon Fraser. Source/WebCore: This patch fixes the crash when the nested frame's media query callback triggers navigation on the mainframe. webkit.org/b/173329 is to track whether we should allow synchronous callback firing from FrameView::layout(). Covered by show-modal-dialog-during-execCommand.html. * page/FrameView.cpp: (WebCore::FrameView::layout): LayoutTests: * TestExpectations: ASSERT(frame()->view() == this) still fires due to the unexpected navigation, but we clearly manage to recover from it. Unskip it (debug) when webkit.org/b/173329 is resolved. Canonical link: https://commits.webkit.org/190204@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218228 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 14, 2017 · e54a8b90c7705a3d6a6a01a2efdee12f9b9ee170 · e54a8b9
1 parent 57825e4
commit e54a8b90c7705a3d6a6a01a2efdee12f9b9ee170
Showing with 32 additions and 2 deletions.

+10 −0 LayoutTests/ChangeLog

+1 −1 LayoutTests/TestExpectations

+15 −0 Source/WebCore/ChangeLog

+6 −1 Source/WebCore/page/FrameView.cpp
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2017-06-13  Zalan Bujtas  <zalan@apple.com>
+
+        Synchronous media query callbacks on nested frames could produced a detached FrameView.
+        https://bugs.webkit.org/show_bug.cgi?id=173330
+
+        Reviewed by Simon Fraser.
+
+        * TestExpectations: ASSERT(frame()->view() == this) still fires due to the unexpected navigation, but we clearly
+        manage to recover from it. Unskip it (debug) when webkit.org/b/173329 is resolved.
+
 2017-06-13  Chris Fleizach  <cfleizach@apple.com>
 
         AX[macOS]: Expose Inline property as an accessibility attribute

diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
@@ -38,7 +38,7 @@ fast/css/variables/constants/ios [ Skip ]
 http/tests/preload/viewport [ Skip ]
 
 # window.showModalDialog is only tested in DumpRenderTree on Mac.
-editing/execCommand/show-modal-dialog-during-execCommand.html [ Skip ]
+[ Debug ] editing/execCommand/show-modal-dialog-during-execCommand.html [ Skip ]
 
 fast/shadow-dom/touch-event-on-text-assigned-to-slot.html [ Skip ]
 

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2017-06-13  Zalan Bujtas  <zalan@apple.com>
+
+        Synchronous media query callbacks on nested frames could produced a detached FrameView.
+        https://bugs.webkit.org/show_bug.cgi?id=173330
+
+        Reviewed by Simon Fraser.
+
+        This patch fixes the crash when the nested frame's media query callback triggers navigation on the mainframe.
+        webkit.org/b/173329 is to track whether we should allow synchronous callback firing from FrameView::layout(). 
+
+        Covered by show-modal-dialog-during-execCommand.html.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::layout):
+
 2017-06-13  Chris Fleizach  <cfleizach@apple.com>
 
         AX[macOS]: Expose Inline property as an accessibility attribute

diff --git a/Source/WebCore/page/FrameView.cpp b/Source/WebCore/page/FrameView.cpp
@@ -1517,8 +1517,13 @@ void FrameView::layout(bool allowSubtree)
 
     bool neededFullRepaint = m_needsFullRepaint;
 
-    if (!subtree && !downcast<RenderView>(*root).printing())
+    if (!subtree && !downcast<RenderView>(*root).printing()) {
         adjustViewSize();
+        // FIXME: Firing media query callbacks synchronously on nested frames could produced a detached FrameView here by
+        // navigating away from the current document (see webkit.org/b/173329).
+        if (hasOneRef())
+            return;
+    }
 
     m_layoutPhase = InPostLayout;