WebKit GIT trees - WebKit-https.git/commit

Release assert in Document::updateLayout() in WebPage::determinePrimarySnapshottedPlugIn()
https://bugs.webkit.org/show_bug.cgi?id=186383
<rdar://problem/40849498>

Reviewed by Jon Lee.

Source/WebKit:

The release assert was hit because the descendent elemenet iterator, which instantiates ScriptDisallowedScope,
was alive as determinePrimarySnapshottedPlugIn invoked Document::updateLayout. Avoid this by copying
the list of plugin image elements into a vector first.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::determinePrimarySnapshottedPlugIn): Fixed the release assert, and deployed Ref and RefPtr
to make this code safe.

LayoutTests:

Added a regression test.

* plugins/snapshotting/determine-primary-snapshotted-plugin-crash-expected.txt: Added.
* plugins/snapshotting/determine-primary-snapshotted-plugin-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232591 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 7 Jun 2018 18:38:40 +0000 (18:38 +0000)
committer	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 7 Jun 2018 18:38:40 +0000 (18:38 +0000)
commit	0cb762ea37cb48b372e841c924e9701461e14371
tree	00cc36bb2ca18c3eb666982a701bf24d50b550e1	tree \| snapshot
parent	1e1d75bad4141da2db36009d6f57335de63cd6c2	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/plugins/snapshotting/determine-primary-snapshotted-plugin-crash-expected.txt	[new file with mode: 0644]	blob
LayoutTests/plugins/snapshotting/determine-primary-snapshotted-plugin-crash.html	[new file with mode: 0644]	blob
Source/WebKit/ChangeLog		diff \| blob \| history
Source/WebKit/WebProcess/WebPage/WebPage.cpp		diff \| blob \| history