Bug 181132 (RESOLVED FIXED): Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
https://bugs.webkit.org/show_bug.cgi?id=181132
Reported by mitz, 2017-12-22 11:16:16 PST

<rdar://problem/35143540>

When multiple requestAnimationFrame callbacks are set to fire on a subframe, and one of the callbacks which isn’t the last removes the iframe from the document, a crash happens when ScriptedAnimationController::serviceScriptedAnimations calls InspectorInstrumentation::willFireAnimationFrame, dereferencing its now-null m_document member. Here’s a minimal example:

    <iframe id=target></iframe>
    <script>
    const target = document.getElementById("target");
    const contentWindow = target.contentWindow;
    contentWindow.requestAnimationFrame(() => { target.remove() });
    contentWindow.requestAnimationFrame(() => { });
    </script>
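An added illustration of the hazard the report describes, written for this page and not taken from WebKit: a simplified C++ model in which a controller holds a raw pointer to its document that is cleared when the frame is detached, and a requestAnimationFrame callback detaches the frame while the remaining callbacks are still being fired. The names `AnimationController`, `clearDocumentPointer`, `instrumentationCalls`, `serviceUnsafe`, `serviceSafe` and `runScenario` are stand-ins chosen for this example, and `std::shared_ptr` plays the role that `Ref<Document>` plays in WebKit; the "fixed" variant follows the approach named in the attachment title (take a reference to the document before firing callbacks) rather than reproducing the actual patch.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical, simplified stand-ins for WebKit's Document and
// ScriptedAnimationController; not WebKit code. std::shared_ptr plays the
// role of WebKit's Ref<Document>.
struct Document;

class AnimationController {
public:
    explicit AnimationController(Document& document) : m_document(&document) {}

    void requestAnimationFrame(std::function<void()> callback) {
        m_pending.push_back(std::move(callback));
    }

    // Called when the owning frame is detached (e.g. the <iframe> is removed):
    // the controller's raw document pointer is cleared.
    void clearDocumentPointer() { m_document = nullptr; }

    // Pre-fix shape: every iteration goes through m_document, which a callback
    // may have cleared. Returns the number of callbacks fired, or -1 at the
    // point where the real code dereferenced a null pointer and crashed.
    int serviceUnsafe();

    // Fixed shape: take one strong reference before firing anything and use it
    // for every per-callback notification.
    int serviceSafe();

private:
    Document* m_document;
    std::vector<std::function<void()>> m_pending;
};

struct Document : std::enable_shared_from_this<Document> {
    AnimationController controller{*this};
    int instrumentationCalls = 0; // stand-in for InspectorInstrumentation::willFireAnimationFrame
    void detach() { controller.clearDocumentPointer(); }
};

int AnimationController::serviceUnsafe() {
    auto callbacks = std::move(m_pending); // fire the current batch only
    m_pending.clear();
    int fired = 0;
    for (auto& callback : callbacks) {
        if (!m_document)
            return -1; // the original code dereferenced nullptr here
        m_document->instrumentationCalls++;
        callback();
        ++fired;
    }
    return fired;
}

int AnimationController::serviceSafe() {
    if (!m_document)
        return 0;
    // Equivalent of "Ref<Document> protectedDocument(*m_document)": keeps the
    // document alive and stays valid even after a callback detaches the frame.
    std::shared_ptr<Document> protectedDocument = m_document->shared_from_this();
    auto callbacks = std::move(m_pending);
    m_pending.clear();
    int fired = 0;
    for (auto& callback : callbacks) {
        protectedDocument->instrumentationCalls++;
        callback();
        ++fired;
    }
    return fired;
}

// Replays the reporter's test case: the subframe registers two callbacks and
// the first one removes the <iframe>. `contentWindow` models the script-held
// reference that keeps the document object itself alive (constructed scenario).
int runScenario(bool withFix) {
    std::shared_ptr<Document> iframe = std::make_shared<Document>();
    std::shared_ptr<Document> contentWindow = iframe;
    AnimationController& controller = contentWindow->controller;

    controller.requestAnimationFrame([&] {
        contentWindow->detach(); // frame detached: controller's m_document becomes null
        iframe.reset();          // target.remove()
    });
    controller.requestAnimationFrame([] {});

    return withFix ? controller.serviceSafe() : controller.serviceUnsafe();
}

int main() {
    std::printf("without fix: %d (-1 = null dereference)\n", runScenario(false));
    std::printf("with fix:    %d callbacks fired\n", runScenario(true));
    return 0;
}
```

The detail worth noticing is that the callback batch is moved out before iteration in both variants, so the difference is only in what the per-callback notification dereferences: the member pointer, which any callback can invalidate, or a local strong reference taken once at entry. Holding that reference also covers the case where removing the frame drops the last owning reference to the document, which a null check on the member alone would not.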
Attachments

Take a reference to the document before firing callbacks (4.51 KB, patch), 2017-12-22 12:01 PST, mitz; simon.fraser: review+
mitz, Comment 1, 2017-12-22 12:01:23 PST

Created attachment 330136 [details]: Take a reference to the document before firing callbacks
Simon Fraser (smfr), Comment 2, 2017-12-22 12:42:14 PST

Comment on attachment 330136 [details] "Take a reference to the document before firing callbacks": Very nice.
mitz, Comment 3, 2017-12-22 13:41:24 PST

Thanks, Simon! Fixed in <https://trac.webkit.org/r226276>.