Document::updateLayout() could destroy current frame.
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 Dec 2017 03:51:25 +0000 (03:51 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 Dec 2017 03:51:25 +0000 (03:51 +0000)
commit 127128ab95c9770dd77ef93bd75b44741c29020d
tree 0ff886dcf92514594fdc2b3e6b50225e06aad079
parent 206af335cc1b6e7b3705b66e320ed12cf7369d07
Document::updateLayout() could destroy current frame.
https://bugs.webkit.org/show_bug.cgi?id=180525
<rdar://problem/35906836>

Reviewed by Simon Fraser.

Source/WebCore:

Early return when Document::updateLayout() triggers Frame destruction.

Test: fast/frames/crash-when-iframe-is-remove-in-eventhandler.html

* dom/TreeScope.cpp:
(WebCore::absolutePointIfNotClipped):

LayoutTests:

* fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt: Added.
* fast/frames/crash-when-iframe-is-remove-in-eventhandler.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/crash-when-iframe-is-remove-in-eventhandler.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/TreeScope.cpp