WebCore:
author ddkilzer <ddkilzer@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jul 2006 04:52:03 +0000 (04:52 +0000)
committer ddkilzer <ddkilzer@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jul 2006 04:52:03 +0000 (04:52 +0000)
        Reviewed by Adele.  Patch by Mitz.

        - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9862
          REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF
        - see also <rdar://problem/4622407>

        Test: fast/frames/repaint-display-none-crash.html

        * rendering/RenderView.cpp:
        (WebCore::RenderView::repaintViewRectangle): Added null checking of the owner element's
        renderer, which can be null if the iframe is set to display:none.

LayoutTests:

        Reviewed by Adele.  Patch by Mitz.

        - test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9862
          REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF
        - see also <rdar://problem/4622407>

        * fast/frames/repaint-display-none-crash-expected.txt: Added.
        * fast/frames/repaint-display-none-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@15402 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/frames/repaint-display-none-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/repaint-display-none-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderView.cpp

index 1876213495197ce1bb40771ff3555f81df7cdeac..f24eee4025f9816ccb0dddd7faf0a84d99dfa496 100644 (file)
@@ -1,3 +1,14 @@
+2006-07-12  Mitz Pettel  <opendarwin.org@mitzpettel.com>
+
+        Reviewed by Adele.
+
+        - test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9862
+          REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF
+        - see also <rdar://problem/4622407>
+
+        * fast/frames/repaint-display-none-crash-expected.txt: Added.
+        * fast/frames/repaint-display-none-crash.html: Added.
+
 2006-07-12  Justin Garcia  <justin.garcia@apple.com>
 
         Reviewed by levi
 2006-07-12  Justin Garcia  <justin.garcia@apple.com>
 
         Reviewed by levi
diff --git a/LayoutTests/fast/frames/repaint-display-none-crash-expected.txt b/LayoutTests/fast/frames/repaint-display-none-crash-expected.txt
new file mode 100644 (file)
index 0000000..fdcafe1
--- /dev/null
@@ -0,0 +1,5 @@
+This is a test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9862 REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF.
+
+No crash means test PASS.
+
+
diff --git a/LayoutTests/fast/frames/repaint-display-none-crash.html b/LayoutTests/fast/frames/repaint-display-none-crash.html
new file mode 100644 (file)
index 0000000..78b8e22
--- /dev/null
@@ -0,0 +1,28 @@
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+
+    function test()
+    {
+        var t = document.getElementById('t');
+        document.body.offsetTop;
+        t.style.display='none';
+        t.src='about:blank';
+        t.document.body.offsetTop;
+        if (window.layoutTestController) {
+            layoutTestController.notifyDone();
+        }
+    }
+</script>
+<body onload="test()">
+    <p>
+        This is a test for <i><a href="http://bugzilla.opendarwin.org/show_bug.cgi?id=9862">http://bugzilla.opendarwin.org/show_bug.cgi?id=9862</a>
+        REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF</i>.
+    </p>
+    <p>
+        No crash means test PASS.
+    </p>
+    <iframe id="t"></iframe>
+</body>
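Review bot: In test(), notifyDone() is reached only if `t.document.body.offsetTop` evaluates without throwing, so if `t.document` or its `body` is undefined at that point the script aborts and, after waitUntilDone(), the test hangs until the harness times out instead of finishing. Consider wrapping the layout-forcing lines in try/finally so notifyDone() always runs. A short comment would also help, saying that the two offsetTop reads are there to force layout before and after the iframe is set to display:none, since nothing in the script otherwise shows why their values are discarded.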
index 77e5118b7d0854cbf86b3ec28855e76e2974cd3e..91bccc5ff58203e3c7c4aa476901e453e8142949 100644 (file)
@@ -1,3 +1,17 @@
+2006-07-12  Mitz Pettel  <opendarwin.org@mitzpettel.com>
+
+        Reviewed by Adele.
+
+        - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9862
+          REGRESSION: GMail: Crash in RenderView::repaintViewRectangle when spoofing as FF
+        - see also <rdar://problem/4622407>
+
+        Test: fast/frames/repaint-display-none-crash.html
+
+        * rendering/RenderView.cpp:
+        (WebCore::RenderView::repaintViewRectangle): Added null checking of the owner element's
+        renderer, which can be null if the iframe is set to display:none.
+
 2006-07-12  Justin Garcia  <justin.garcia@apple.com>
 
         Reviewed by levi
 2006-07-12  Justin Garcia  <justin.garcia@apple.com>
 
         Reviewed by levi
index e9f34e8ca0dba42bbc763f90ac1cf20d610033c2..9c14a28d2bef4bf66047bd62d41fe44491f9ff37 100644 (file)
@@ -213,12 +213,11 @@ void RenderView::repaintViewRectangle(const IntRect& ur, bool immediate)
         Element* elt = element()->document()->ownerElement();
         if (!elt)
             m_frameView->repaintRectangle(r, immediate);
         Element* elt = element()->document()->ownerElement();
         if (!elt)
             m_frameView->repaintRectangle(r, immediate);
-        else {
+        else if (RenderObject* obj = elt->renderer()) {
             // Subtract out the contentsX and contentsY offsets to get our coords within the viewing
             // rectangle.
             r.move(-m_frameView->contentsX(), -m_frameView->contentsY());
 
             // Subtract out the contentsX and contentsY offsets to get our coords within the viewing
             // rectangle.
             r.move(-m_frameView->contentsX(), -m_frameView->contentsY());
 
-            RenderObject* obj = elt->renderer();
             // FIXME: Hardcoded offsets here are not good.
             int yFrameOffset = m_frameView->hasBorder() ? 2 : 0;
             int xFrameOffset = m_frameView->hasBorder() ? 1 : 0;
             // FIXME: Hardcoded offsets here are not good.
             int yFrameOffset = m_frameView->hasBorder() ? 2 : 0;
             int xFrameOffset = m_frameView->hasBorder() ? 1 : 0;
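Review bot: The new `else if (RenderObject* obj = elt->renderer())` has no else branch, so when the owner element exists but has no renderer the repaint request is dropped without any trace in the code. That matches the ChangeLog explanation (a display:none iframe has no renderer), but the reason lives only in the ChangeLog; a one-line comment at the condition would keep a later cleanup from restoring the unconditional `elt->renderer()` dereference that this change removes. It is also worth confirming that every use of `obj` in the rest of the block stays inside the new scope, since the declaration moved from the block body into the condition.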