Crash in the hit testing code via HTMLPlugInElement::isReplacementObscured()
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2019 23:49:56 +0000 (23:49 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2019 23:49:56 +0000 (23:49 +0000)
commit9ab06b95ffc2582ff5d7c0573ee01a79ad9fcaf0
treed07b901f032fba8ecd379248773a64c48499444f
parentca6198b624f5a5e4979e13c43b10cacb308776ab
Crash in the hit testing code via HTMLPlugInElement::isReplacementObscured()
https://bugs.webkit.org/show_bug.cgi?id=194691

Reviewed by Simon Fraser.

Source/WebCore:

The crash was caused by HTMLPlugInElement::isReplacementObscured updating the document
without updating the layout of ancestor documents (i.e. documents in which frame owner
elements appear) even though it hit-tests against the top-level document's RenderView.

Fixed the bug by updating the layout of the top-level document as needed.

Test: plugins/unsupported-plugin-with-replacement-in-iframe-crash.html

* html/HTMLPlugInElement.cpp:
(WebCore::HTMLPlugInElement::isReplacementObscured):

LayoutTests:

Added a regression test. It hits the newly added debug assertion without the fix.

* platform/mac-wk1/TestExpectations: Skip the test since DumpRenderTree doesn't support
testRunner.setPluginSupportedMode.
* plugins/unsupported-plugin-with-replacement-in-iframe-crash-expected.txt: Added.
* plugins/unsupported-plugin-with-replacement-in-iframe-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241626 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/platform/mac-wk1/TestExpectations
LayoutTests/plugins/unsupported-plugin-with-replacement-in-iframe-crash-expected.txt [new file with mode: 0644]
LayoutTests/plugins/unsupported-plugin-with-replacement-in-iframe-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLPlugInElement.cpp