<rdar://problem/9271848> Crash when the document element is removed
author mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Apr 2011 22:29:28 +0000 (22:29 +0000)
committer mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Apr 2011 22:29:28 +0000 (22:29 +0000)
Reviewed by Beth Dakin.

Source/WebCore:

Test: fast/events/overflow-viewport-renderer-deleted.html

* page/FrameView.cpp:
(WebCore::FrameView::calculateScrollbarModesForLayout): Reset m_viewportRenderer, in case this
function takes a code path that doesn’t call applyOverflowToViewport().
(WebCore::FrameView::layout): Whitespace change.

LayoutTests:

* fast/events/overflow-viewport-renderer-deleted-expected.txt: Added.
* fast/events/overflow-viewport-renderer-deleted.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@84300 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/events/overflow-viewport-renderer-deleted-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/overflow-viewport-renderer-deleted.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/FrameView.cpp

index d86dec67378c9c46cde2b28efd82f180c4137c7e..ef4977e5624067de3beb5a57ff78ba5b298ed060 100644 (file)
@@ -1,3 +1,12 @@
+2011-04-19  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        <rdar://problem/9271848> Crash when the document element is removed
+
+        * fast/events/overflow-viewport-renderer-deleted-expected.txt: Added.
+        * fast/events/overflow-viewport-renderer-deleted.html: Added.
+
 2011-04-19  James Robinson  <jamesr@chromium.org>
 
         Fix lint errors in test_expectations.txt
diff --git a/LayoutTests/fast/events/overflow-viewport-renderer-deleted-expected.txt b/LayoutTests/fast/events/overflow-viewport-renderer-deleted-expected.txt
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/LayoutTests/fast/events/overflow-viewport-renderer-deleted.html b/LayoutTests/fast/events/overflow-viewport-renderer-deleted.html
new file mode 100644 (file)
index 0000000..1a92c83
--- /dev/null
@@ -0,0 +1,26 @@
+<script> 
+    function gc()
+    {
+        if (window.GCController)
+            return GCController.collect();
+
+        for (var i = 0; i < 10000; i++) {
+            var s = new String("");
+        }
+    }
+
+    onload = function()
+    {
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+
+        document.getElementById('container').addEventListener('overflowchanged', function() { }, false);
+        document.body.offsetTop;
+        document.removeChild(document.firstChild);
+        gc();
+    }
+</script> 
+<body> 
+    Test passes if it does not crash.
+    <div id="container" style="height: 200%;"></div> 
+</body>
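Review bot: `document.removeChild(document.firstChild);` in the onload handler removes the document element only as long as nothing precedes it in the document. The file has no doctype or leading comment today, but if one is added the call removes that node instead and the test passes without exercising the crash. Consider `document.removeChild(document.documentElement);`, plus a one-line comment stating that the `overflowchanged` listener and the `document.body.offsetTop` layout are required setup, since neither is obviously tied to the crash from reading the test alone. The `gc()` fallback loop used when `window.GCController` is absent does not guarantee a collection, so a pass outside the test harness is weak evidence.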
index 2541d00e9ab0b4cec4ed33de5235962d53e75832..fc190b3de725fbaefea40fa326e0cff27e73d561 100644 (file)
@@ -1,3 +1,16 @@
+2011-04-19  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        <rdar://problem/9271848> Crash when the document element is removed
+
+        Test: fast/events/overflow-viewport-renderer-deleted.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::calculateScrollbarModesForLayout): Reset m_viewportRenderer, in case this
+        function takes a code path that doesn’t call applyOverflowToViewport().
+        (WebCore::FrameView::layout): Whitespace change.
+
 2011-04-19  Beth Dakin  <bdakin@apple.com>
 
         Reviewed by Maciej Stachowiak.
index c28d0d00ecf727c924fd185f431a650ceee0dcab..1bfc6faa96795d8d409ae2427e57c28b8baa1e26 100644 (file)
@@ -521,6 +521,8 @@ void FrameView::applyOverflowToViewport(RenderObject* o, ScrollbarMode& hMode, S
 
 void FrameView::calculateScrollbarModesForLayout(ScrollbarMode& hMode, ScrollbarMode& vMode)
 {
+    m_viewportRenderer = 0;
+
     const HTMLFrameOwnerElement* owner = m_frame->ownerElement();
     if (owner && (owner->scrollingMode() == ScrollbarAlwaysOff)) {
         hMode = ScrollbarAlwaysOff;
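Review bot: the new `m_viewportRenderer = 0;` at the top of calculateScrollbarModesForLayout() carries no comment, and the reason for it (paths through this function that never call applyOverflowToViewport(), leaving the value from an earlier layout in place) is recorded only in the ChangeLog. A short comment at the assignment would keep a later cleanup from removing it as redundant. Also worth confirming: the member appears to be a raw pointer (it is assigned 0 here) and is now cleared only when this function runs, so any code that reads it between the renderer being destroyed and the next layout would still see the old value. If such a reader exists, clearing the pointer where the renderer is torn down would close that window as well.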
@@ -880,7 +882,7 @@ void FrameView::layout(bool allowSubtree)
             printf("Elapsed time before first layout: %d\n", document->elapsedTime());
 #endif        
     }
-    
+
     ScrollbarMode hMode;
     ScrollbarMode vMode;    
     calculateScrollbarModesForLayout(hMode, vMode);
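Review bot: the whitespace-only change in FrameView::layout() is unrelated to the crash fix and adds noise for anyone merging or blaming this revision; it would be cleaner as a separate commit. If whitespace is being cleaned here anyway, the adjacent context lines `#endif        ` and `ScrollbarMode vMode;    ` still carry trailing spaces.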