Commit 2cc6f339 authored by inferno@chromium.org's avatar inferno@chromium.org

Removed m_owner accessed in custom scrollbars.

https://bugs.webkit.org/show_bug.cgi?id=64737

Reviewed by David Hyatt.

Problem does not reproduce in DRT, even with Eventhandler tricks
and gc(). So, adding a manual test.

* manual-tests/custom-scrollbar-renderer-removed-crash.html: Added.
* page/FrameView.cpp:
(WebCore::FrameView::clearOwningRendererForCustomScrollbars):
* page/FrameView.h:
* rendering/RenderBox.cpp:
(WebCore::RenderBox::willBeDestroyed): when this renderbox is getting
destroyed, clear the custom scrollbar in this frameview having this renderbox
as its owning renderer.
* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::getScrollbarPseudoStyle): fix the null check.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94107 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 4601260f
2011-08-30 Abhishek Arya <inferno@chromium.org>
Removed m_owner accessed in custom scrollbars.
https://bugs.webkit.org/show_bug.cgi?id=64737
Reviewed by David Hyatt.
Problem does not reproduce in DRT, even with Eventhandler tricks
and gc(). So, adding a manual test.
* manual-tests/custom-scrollbar-renderer-removed-crash.html: Added.
* page/FrameView.cpp:
(WebCore::FrameView::clearOwningRendererForCustomScrollbars):
* page/FrameView.h:
* rendering/RenderBox.cpp:
(WebCore::RenderBox::willBeDestroyed): when this renderbox is getting
destroyed, clear the custom scrollbar in this frameview having this renderbox
as its owning renderer.
* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::getScrollbarPseudoStyle): fix the null check.
2011-08-30 Caio Marcelo de Oliveira Filho <caio.oliveira@openbossa.org>
 
Emit last progress notification before calling dispatchDidFinishLoad
<html>
<body>
Reload page and mouse click quickly in the black box.
<style>
::-webkit-scrollbar { width: 1000; }
</style>
<script>setTimeout("try { document.body.offsetTop; child = document.body; child.parentNode.removeChild(child); } catch(e) {}", 100);</script>
<svg>
</svg>
</body>
</html>
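Review bot: the manual test gives the steps (reload, click quickly) but never states the pass condition; since the ChangeLog describes this as a crash test, add a line to the body such as "PASS if the page does not crash", and say what "the black box" refers to, because nothing in the markup is explicitly coloured black (the only visible styling is the 1000-wide `::-webkit-scrollbar`). Without that, a tester cannot tell a pass from a failure to reproduce, which matters for a bug the commit message already says does not reproduce in DRT.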
......@@ -2551,6 +2551,23 @@ bool FrameView::hasCustomScrollbars() const
return false;
}
void FrameView::clearOwningRendererForCustomScrollbars(RenderBox* box)
{
const HashSet<RefPtr<Widget> >* viewChildren = children();
HashSet<RefPtr<Widget> >::const_iterator end = viewChildren->end();
for (HashSet<RefPtr<Widget> >::const_iterator current = viewChildren->begin(); current != end; ++current) {
Widget* widget = current->get();
if (widget->isScrollbar()) {
Scrollbar* scrollbar = static_cast<Scrollbar*>(widget);
if (scrollbar->isCustomScrollbar()) {
RenderScrollbar* customScrollbar = toRenderScrollbar(scrollbar);
if (customScrollbar->owningRenderer() == box)
customScrollbar->clearOwningRenderer();
}
}
}
}
FrameView* FrameView::parentFrameView() const
{
if (Widget* parentView = parent()) {
......
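Review bot: clearOwningRenderer() leaves the scrollbar in children() with no owner, and after the RenderScrollbar.cpp change getScrollbarPseudoStyle() returns 0 for every part of such a scrollbar, so it lives on as an unstyled custom scrollbar until the view recreates its scrollbars; add a comment above the loop saying that this is intentional (the only goal is to drop the soon-to-dangle pointer, see bug 64737, as the RenderBox.cpp hunk already notes) or have the caller schedule a scrollbar update so the stale widget is replaced. A short comment on why the function exists would also help, since this hunk has none while the RenderBox.cpp hunk does.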
......@@ -289,6 +289,8 @@ public:
RenderBox* embeddedContentBox() const;
void clearOwningRendererForCustomScrollbars(RenderBox*);
protected:
virtual bool scrollContentsFastPath(const IntSize& scrollDelta, const LayoutRect& rectToScroll, const LayoutRect& clipRect);
virtual void scrollContentsSlowPath(const LayoutRect& updateRect);
......
......@@ -202,6 +202,11 @@ void RenderBox::willBeDestroyed()
if (style() && (style()->logicalHeight().isPercent() || style()->logicalMinHeight().isPercent() || style()->logicalMaxHeight().isPercent()))
RenderBlock::removePercentHeightDescendant(this);
// If this renderer is owning renderer for the frameview's custom scrollbars,
// we need to clear it from the scrollbar. See webkit bug 64737.
if (style() && style()->hasPseudoStyle(SCROLLBAR) && frame() && frame()->view())
frame()->view()->clearOwningRendererForCustomScrollbars(this);
// If the following assertion fails, logicalHeight()/logicalMinHeight()/
// logicalMaxHeight() values are changed from a percent value to a non-percent
// value during laying out. It causes a use-after-free bug.
......
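Review bot: the guard `style() && style()->hasPseudoStyle(SCROLLBAR)` can skip the clear in exactly the case this change is meant to cover: if style() is null by the time willBeDestroyed() runs, or the style was changed so that it no longer has the SCROLLBAR pseudo style after the custom scrollbar was created with this box as owner, the dangling owningRenderer pointer survives. Suggest gating only on `frame() && frame()->view()` and letting clearOwningRendererForCustomScrollbars() do the pointer comparison, since that walk over the view's children is cheap and already filters on isCustomScrollbar().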
......@@ -149,7 +149,7 @@ ScrollbarPart RenderScrollbar::partForStyleResolve()
PassRefPtr<RenderStyle> RenderScrollbar::getScrollbarPseudoStyle(ScrollbarPart partType, PseudoId pseudoId)
{
if (!m_owner)
if (!owningRenderer())
return 0;
s_styleResolvePart = partType;
......
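Review bot: replacing `m_owner` with `owningRenderer()` only changes behaviour if owningRenderer() can return something other than m_owner (for example, derive the owner from a frame); if it simply returns m_owner this hunk is a no-op and the actual fix is the new FrameView::clearOwningRendererForCustomScrollbars() path. Either way, add a one-line comment stating why the accessor rather than the field must be checked here, because "fix the null check" in the ChangeLog does not say what was wrong with the old check.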