.: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewpor...
authorwangxianzhu@chromium.org <wangxianzhu@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Feb 2013 18:37:30 +0000 (18:37 +0000)
committerwangxianzhu@chromium.org <wangxianzhu@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Feb 2013 18:37:30 +0000 (18:37 +0000)
commitdf4bda2efdf37410341cc60d6b8cd395213c9804
treec9122d64273813ebfaf827af426cbe36c2cb4dd8
parentf29d4f47e066470ba7f4a3a9c9cf025ff9bd02a0
.: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects.
https://bugs.webkit.org/show_bug.cgi?id=108695

Add a manual test. Unable to write a normal layout test because
1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.

Reviewed by Abhishek Arya.

* ManualTests/scrolling-coordinator-viewport-constrained-crash.html: Added.

Source/WebCore: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects
https://bugs.webkit.org/show_bug.cgi?id=108695

See comments of RenderLayerModelObject::willBeDestroyed() below for details.

Reviewed by Abhishek Arya.

Test: ManulTests/scrolling-coordinator-viewport-constrained-crash.html
Unable to write a normal layout test because
1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.

* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::willBeDestroyed): Moved removeViewportConstrainedObject() call into RenderLayerModelObject::willBeDestroyed() because only RenderLayerModelObjects can be added as viewportConstrainedObjects.
* rendering/RenderLayerModelObject.cpp:
(WebCore::RenderLayerModelObject::willBeDestroyed): Changed this->view() (then view->frameView()) to this->frame() (then frame->view()) because when willBeDestroyed() is called, the document has set its renderView to 0 thus this->view() will return 0, causing removeViewportConstrainedObject() not called and a deleted RenderLayerModelObject in FrameView's viewportConstrainedObjects.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@142760 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog
ManualTests/scrolling-coordinator-viewport-constrained-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBoxModelObject.cpp
Source/WebCore/rendering/RenderLayerModelObject.cpp