haikuwebkit/ManualTests/scrolling-coordinator-viewp...

<!DOCTYPE html>
<html>
<head>
  <script>
  function test()
  {
    if (window.testRunner) {
      testRunner.dumpAsText();
      testRunner.waitUntilDone();
    }
    window.location.href = "javascript:'>'";
  }
  </script>
</head>
<body onload="test()">
  <!-- Tests https://bugs.webkit.org/show_bug.cgi?id=108695. Should not crash. -->
  <div style="position: fixed"></div>
  <div style="position: -webkit-sticky"></div>
</body>
</html>
.: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects. https://bugs.webkit.org/show_bug.cgi?id=108695 Add a manual test. Unable to write a normal layout test because 1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone(); 2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame. Reviewed by Abhishek Arya. * ManualTests/scrolling-coordinator-viewport-constrained-crash.html: Added. Source/WebCore: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects https://bugs.webkit.org/show_bug.cgi?id=108695 See comments of RenderLayerModelObject::willBeDestroyed() below for details. Reviewed by Abhishek Arya. Test: ManulTests/scrolling-coordinator-viewport-constrained-crash.html Unable to write a normal layout test because 1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone(); 2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame. * rendering/RenderBoxModelObject.cpp: (WebCore::RenderBoxModelObject::willBeDestroyed): Moved removeViewportConstrainedObject() call into RenderLayerModelObject::willBeDestroyed() because only RenderLayerModelObjects can be added as viewportConstrainedObjects. * rendering/RenderLayerModelObject.cpp: (WebCore::RenderLayerModelObject::willBeDestroyed): Changed this->view() (then view->frameView()) to this->frame() (then frame->view()) because when willBeDestroyed() is called, the document has set its renderView to 0 thus this->view() will return 0, causing removeViewportConstrainedObject() not called and a deleted RenderLayerModelObject in FrameView's viewportConstrainedObjects. Canonical link: https://commits.webkit.org/127980@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@142760 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2013-02-13 18:37:30 +00:00			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<script>`
			`function test()`
			`{`
			`if (window.testRunner) {`
			`testRunner.dumpAsText();`
			`testRunner.waitUntilDone();`
			`}`
			`window.location.href = "javascript:'>'";`
			`}`
			`</script>`
			`</head>`
			`<body onload="test()">`
			`<!-- Tests https://bugs.webkit.org/show_bug.cgi?id=108695. Should not crash. -->`
			`<div style="position: fixed"></div>`
			`<div style="position: -webkit-sticky"></div>`
			`</body>`
			`</html>`