Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(59)

Issues Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 1172603004: Fix crash when an onorientationchange event detaches an iframe. (Closed)

Created:
4 years, 10 months ago by Nate Chapin
Modified:
4 years, 10 months ago
Reviewers:
esprehn, dcheng
CC:
blink-reviews, mlamouri (slow - plz ping)
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

Fix crash when an onorientationchange event detaches an iframe. Collect all of the frames that need onorientationchange before firing any of the events. If a frame gets detached, frame->localDOMWindow()->frame() will be null, and the recursive invocation will crash. BUG=492432, 466485 TEST=WebFrameTest.OrientationFrameDetach Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=196895

Patch Set 1 #

Patch Set 2 : #

Total comments: 2
Unified diffs Side-by-side diffs Delta from patch set Stats (+26 lines, -11 lines) Patch
M Source/core/frame/LocalDOMWindow.cpp View 1 1 chunk +9 lines, -11 lines 2 comments Download
M Source/web/tests/WebFrameTest.cpp View 1 chunk +9 lines, -0 lines 0 comments Download
A Source/web/tests/data/orientation-frame-detach.html View 1 chunk +8 lines, -0 lines 0 comments Download

Messages

Total messages: 10 (3 generated)
Nate Chapin
4 years, 10 months ago (2015-06-10 16:32:08 UTC) #2
dcheng
https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/LocalDOMWindow.cpp File Source/core/frame/LocalDOMWindow.cpp (right): https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/LocalDOMWindow.cpp#newcode533 Source/core/frame/LocalDOMWindow.cpp:533: toLocalFrame(frames[i].get())->localDOMWindow()->dispatchEvent(Event::create(EventTypeNames::orientationchange)); Out of curiosity, what happens when we try ...
4 years, 10 months ago (2015-06-10 17:46:13 UTC) #3
Nate Chapin
On 2015/06/10 17:46:13, dcheng wrote: > https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/LocalDOMWindow.cpp > File Source/core/frame/LocalDOMWindow.cpp (right): > > https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/LocalDOMWindow.cpp#newcode533 > ...
4 years, 10 months ago (2015-06-10 18:13:46 UTC) #4
dcheng
lgtm It's going to be interesting once mlamouri@ starts plumbing resize notifications through WebFrameWidget... but ...
4 years, 10 months ago (2015-06-10 20:04:16 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1172603004/20001
4 years, 10 months ago (2015-06-10 20:06:16 UTC) #7
commit-bot: I haz the power
Committed patchset #2 (id:20001) as https://src.chromium.org/viewvc/blink?view=rev&revision=196895
4 years, 10 months ago (2015-06-10 20:09:10 UTC) #8
esprehn
4 years, 10 months ago (2015-06-11 01:57:12 UTC) #10
Message was sent while issue was closed. 
https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/Local...
File Source/core/frame/LocalDOMWindow.cpp (right):

https://codereview.chromium.org/1172603004/diff/20001/Source/core/frame/Local...
Source/core/frame/LocalDOMWindow.cpp:533:
toLocalFrame(frames[i].get())->localDOMWindow()->dispatchEvent(Event::create(EventTypeNames::orientationchange));
On 2015/06/10 at 17:46:12, dcheng wrote:
> Out of curiosity, what happens when we try to dispatch an event on a detached
window?

That works fine, for example in script I can do:

var iframe = document.createElement("iframe");
iframe.onload = function() {
  var contentWindow = iframe.contentWindow;
  iframe.remove(); // detached here.
  contentWindow.dispatchEvent(new Event("test"));
};
document.body.appendChild(iframe);

Powered by Google App Engine
This is Rietveld 408576698