Bug 181132

Summary: Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
Product: WebKit Reporter: mitz
Component: WebCore Misc. Assignee: mitz
Status: RESOLVED FIXED    
Severity: Normal CC: CatronRay1980, cdumez, dbates, esprehn+autocc, ews-watchlist, kangil.han, simon.fraser, thorton
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments (Description / Flags):
Take a reference to the document before e firing callbacks (simon.fraser: review+)

mitz
Reported 2017-12-22 11:16:16 PST
<rdar://problem/35143540>

When multiple requestAnimationFrame callbacks are set to fire on a subframe, and one of the callbacks which isn’t the last removes the iframe from the document, a crash happens when ScriptedAnimationController::serviceScriptedAnimations calls InspectorInstrumentation::willFireAnimationFrame, dereferencing its now-null m_document member.

Here’s a minimal example:

    <iframe id=target></iframe>
    <script>
    const target = document.getElementById("target");
    const contentWindow = target.contentWindow;
    contentWindow.requestAnimationFrame(() => { target.remove() });
    contentWindow.requestAnimationFrame(() => { });
    </script>
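As an added illustration (not WebKit's code), the shape of the bug described above and of the fix the patch title names: a std::shared_ptr stands in for WebCore's Ref<Document>, and every type and function name below is constructed for the model.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Document;
// Stand-in for ScriptedAnimationController: owned by its Document, holds a raw back-pointer.
struct AnimationController {
    Document* m_document = nullptr;
    std::vector<std::function<void()>> callbacks;
    void clearDocumentPointer() { m_document = nullptr; }   // runs when the frame is detached
    bool serviceScriptedAnimationsUnsafe();
    bool serviceScriptedAnimationsProtected();
};
struct Document : std::enable_shared_from_this<Document> {
    AnimationController controller;
    int instrumentedFrames = 0;
    Document() { controller.m_document = this; }
};

// Stand-in for InspectorInstrumentation::willFireAnimationFrame(Document&).
static void willFireAnimationFrame(Document& document) { ++document.instrumentedFrames; }

// Buggy shape: re-reads m_document per callback; returns false where the real code crashed.
bool AnimationController::serviceScriptedAnimationsUnsafe() {
    auto pending = std::move(callbacks);
    for (auto& callback : pending) {
        if (!m_document) return false;   // an earlier callback detached the frame
        willFireAnimationFrame(*m_document);
        callback();
    }
    return true;
}
// Fixed shape: take a strong reference before firing and use it for the whole pass.
bool AnimationController::serviceScriptedAnimationsProtected() {
    if (!m_document) return false;
    std::shared_ptr<Document> protectedDocument = m_document->shared_from_this();
    auto pending = std::move(callbacks);
    for (auto& callback : pending) {
        willFireAnimationFrame(*protectedDocument);   // still valid after clearDocumentPointer()
        callback();
    }
    return true;
}
// The report's scenario: two callbacks on a subframe, the first one removes the iframe.
bool runScenario(bool useProtectedVersion) {
    auto document = std::make_shared<Document>();
    auto& controller = document->controller;
    controller.callbacks.push_back([&] { controller.clearDocumentPointer(); });  // target.remove()
    controller.callbacks.push_back([] {});
    return useProtectedVersion ? controller.serviceScriptedAnimationsProtected() : controller.serviceScriptedAnimationsUnsafe();
}
```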
Attachments
Take a reference to the document before e firing callbacks (4.51 KB, patch)
2017-12-22 12:01 PST, mitz
simon.fraser: review+
mitz
Comment 1 2017-12-22 12:01:23 PST
Created attachment 330136 [details] Take a reference to the document before e firing callbacks
Simon Fraser (smfr)
Comment 2 2017-12-22 12:42:14 PST
Comment on attachment 330136 [details] Take a reference to the document before e firing callbacks Very nice.
mitz
Comment 3 2017-12-22 13:41:24 PST
Thanks, Simon! Fixed in <https://trac.webkit.org/r226276>.