2011-06-27 Joe Wild <joseph.wild@nokia.com>
author    commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 27 Jun 2011 23:26:18 +0000 (23:26 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 27 Jun 2011 23:26:18 +0000 (23:26 +0000)
        Reviewed by Simon Fraser.

        Crash on www.crave.cnet.com in FrameView::windowClipRect()
        https://bugs.webkit.org/show_bug.cgi?id=56393

        Tests that a plugin of a swf file in a hidden iframe will not
        crash. This test required more than 1 content file and a
        timeout or else it would not repeat the error condition.

        This test will only crash on platforms (like Symbian) that
        don't allow nonvirtual functions to have a null this pointer.

        * plugins/hidden-iframe-with-swf-plugin-expected.txt: Added.
        * plugins/hidden-iframe-with-swf-plugin.html: Added.
        * plugins/resources/iframe-content-with-swf-plugin.html: Added.
2011-06-27  Joe Wild  <joseph.wild@nokia.com>

        Reviewed by Simon Fraser.

        Crash on www.crave.cnet.com in FrameView::windowClipRect()
        https://bugs.webkit.org/show_bug.cgi?id=56393

        Check for a null renderer to fix a crash. This situation can
        arise when external content/plugins are referenced from HTML
        elements with style="display:none".

        Test: plugins/hidden-iframe-with-swf-plugin.html

        * page/FrameView.cpp:
        (WebCore::FrameView::windowClipRect):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@89876 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/plugins/hidden-iframe-with-swf-plugin-expected.txt [new file with mode: 0644]
LayoutTests/plugins/hidden-iframe-with-swf-plugin.html [new file with mode: 0644]
LayoutTests/plugins/resources/iframe-content-with-swf-plugin.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/FrameView.cpp

index e42cec437a71e61b5c100a1f80b4a9b7eca8498c..bda51b5017140a2ee14ca55698d75a0328b9a0cc 100644 (file)
@@ -1,3 +1,21 @@
+2011-06-27  Joe Wild  <joseph.wild@nokia.com>
+
+        Reviewed by Simon Fraser.
+
+        Crash on www.crave.cnet.com in FrameView::windowClipRect()
+        https://bugs.webkit.org/show_bug.cgi?id=56393
+
+        Tests that a plugin of a swf file in a hidden iframe will not
+        crash. This test required more than 1 content file and a
+        timeout or else it would not repeat the error condition.
+
+        This test will only crash on platforms (like Symbian) that
+        don't allow nonvirtual functions to have a null this pointer.
+
+        * plugins/hidden-iframe-with-swf-plugin-expected.txt: Added.
+        * plugins/hidden-iframe-with-swf-plugin.html: Added.
+        * plugins/resources/iframe-content-with-swf-plugin.html: Added.
+
 2011-06-27  Adam Barth  <abarth@webkit.org>
 
         Reviewed by Eric Seidel.
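Review bot: the sentence "This test will only crash on platforms (like Symbian) that don't allow nonvirtual functions to have a null this pointer" understates the bug; calling a member function through a null pointer is undefined behaviour on every platform, and the fact that other ports happen to fall through to the existing `if (!layer)` check is an accident of code generation rather than a guarantee (a compiler that has seen the dereference may drop later null checks). Suggest rewording to say the test crashes deterministically on Symbian and relies on undefined behaviour elsewhere, so a run that does not crash on another port is not evidence that the crash path was exercised.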
diff --git a/LayoutTests/plugins/hidden-iframe-with-swf-plugin-expected.txt b/LayoutTests/plugins/hidden-iframe-with-swf-plugin-expected.txt
new file mode 100644 (file)
index 0000000..3b3bee2
--- /dev/null
@@ -0,0 +1,8 @@
+This page tests
+https://bugs.webkit.org/show_bug.cgi?id=56393
+Bug 56393 - Crash on www.crave.cnet.com in FrameView::windowClipRect()
+It contains an iframe element with display:none that loads an HTML page with an object element of a .swf file. Object must be in a separate page (data: scheme won't show problem).
+If this test does not assert or crash and the line below reads "PASSED", it passes.
+
+PASSED
+
diff --git a/LayoutTests/plugins/hidden-iframe-with-swf-plugin.html b/LayoutTests/plugins/hidden-iframe-with-swf-plugin.html
new file mode 100644 (file)
index 0000000..fd23a4b
--- /dev/null
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+// This was the only way that I was able to wait long enough
+// for the test to crash while still running under DumpRenderTree(DRT).
+window.setTimeout( "bodyLoaded();", 300);
+
+function log(msg)
+{
+    var span = document.createElement("span");
+    document.getElementById("console").appendChild(span);
+    span.innerHTML = msg + '<br />';
+}
+
+function bodyLoaded() {
+    log("PASSED");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+
+<body>
+<div style="display:none">
+  <iframe name="testiframe" id="testiframe"
+          src="resources/iframe-content-with-swf-plugin.html">
+  </iframe>
+</div>
+<p id="description">
+This page tests<br/>
+https://bugs.webkit.org/show_bug.cgi?id=56393<br/>
+Bug 56393 - Crash on www.crave.cnet.com in FrameView::windowClipRect()<br/>
+It contains an iframe element with display:none that loads an HTML page
+with an object element of a .swf file. Object must be in a separate page
+(data: scheme won't show problem).<br/>
+If this test does not assert or crash and the line below reads "PASSED", it passes.
+</p>
+<div id="console"></div>
+</body>
+</html>
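Review bot: the fixed 300 ms timer in `window.setTimeout( "bodyLoaded();", 300);` is not tied to the hidden iframe actually loading, so on a slow bot the page can log PASSED and call `notifyDone()` before the `<object>` in `resources/iframe-content-with-swf-plugin.html` has been instantiated, and the crash path is never reached. Suggest starting the timer from the iframe's load event (`<iframe onload="..." ...>`), so the delay is counted after the subframe and its plugin exist, and the comment about "the only way that I was able to wait long enough" can then describe why an extra delay after load is still needed. As a style point, pass the function itself (`setTimeout(bodyLoaded, 300)`) rather than a string to be evaluated.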
diff --git a/LayoutTests/plugins/resources/iframe-content-with-swf-plugin.html b/LayoutTests/plugins/resources/iframe-content-with-swf-plugin.html
new file mode 100644 (file)
index 0000000..140a7c5
--- /dev/null
@@ -0,0 +1,8 @@
+<html>
+<body>
+   <object>
+       <param name="movie" value="simple_blank.swf">
+       <embed src="simple_blank.swf"></embed>
+    </object>
+</body>
+</html>
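Review bot: `simple_blank.swf`, referenced by both `<param name="movie" value="simple_blank.swf">` and `<embed src="simple_blank.swf">`, is not among the files added by this change (the file list adds only the two .html files and the expected .txt), so the test assumes `plugins/resources/simple_blank.swf` is already checked in; please confirm, because if the resource is missing the plugin may never be instantiated and the test passes without testing anything. Also note that the `<object>` carries no `type` or `data` attribute, so it is the nested `<embed>` that actually creates the plugin instance; a one-line comment saying so would help the next person who edits the fixture.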
index 06ce7308f5faf7b0712d146622ba2db05ddabc4f..b4308c04c2f69f976decd53171fdb5fb397c6765 100644 (file)
@@ -1,3 +1,19 @@
+2011-06-27  Joe Wild  <joseph.wild@nokia.com>
+
+        Reviewed by Simon Fraser.
+
+        Crash on www.crave.cnet.com in FrameView::windowClipRect()
+        https://bugs.webkit.org/show_bug.cgi?id=56393
+
+        Check for a null renderer to fix a crash. This situation can
+        arise when external content/plugins is referenced from html
+        elements with style="display:none".
+
+        Test: plugins/hidden-iframe-with-swf-plugin.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::windowClipRect):
+
 2011-06-27  Raymes Khoury  <raymes@chromium.org>
 
         Reviewed by Tony Chang.
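Review bot: the explanation "This situation can arise when external content/plugins is referenced from html elements with style="display:none"" names the trigger but not the cause; an element with `display:none` has no renderer at all, whatever its content, and the plugin only matters because it causes `FrameView::windowClipRect()` to be queried for a frame whose owner element is hidden. Suggest stating that directly (the owner element has no renderer because it is display:none, and plugin content in the hidden subframe asks for its clip rect anyway), and fixing the agreement in "plugins is referenced" while here.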
index 93affc1f97e18865d8e44a0459930d09d00ec971..5bd5a963bf4917feeabcf49db8a3b443ea4ad6e9 100644 (file)
@@ -2127,8 +2127,9 @@ IntRect FrameView::windowClipRect(bool clipToContents) const
 
     // Take our owner element and get the clip rect from the enclosing layer.
     Element* elt = m_frame->ownerElement();
-    RenderLayer* layer = elt->renderer()->enclosingLayer();
-    // FIXME: layer should never be null, but sometimes seems to be anyway.
+    // The renderer can sometimes be null when style="display:none" interacts
+    // with external content and plugins.
+    RenderLayer* layer = elt->renderer() ? elt->renderer()->enclosingLayer() : 0;
     if (!layer)
         return clipRect;
     FrameView* parentView = elt->document()->view();
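Review bot: `elt->renderer()` is evaluated twice in `RenderLayer* layer = elt->renderer() ? elt->renderer()->enclosingLayer() : 0;`; hoist it into a local (`RenderObject* renderer = elt->renderer();` then `renderer ? renderer->enclosingLayer() : 0`), which is the usual WebKit style and makes the null check visible at a glance. The dropped `// FIXME: layer should never be null, but sometimes seems to be anyway.` recorded that `layer` was observed null without a known cause; now that a null renderer is one identified cause, keep the `if (!layer) return clipRect;` early return as is, but say in the new comment that it remains the fallback for any case the renderer check does not cover, so a later reader does not assume the new check made it unreachable.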