Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
author     Xianzhu Wang <wangxianzhu@chromium.org>
           Wed, 6 Feb 2013 17:29:24 +0000 (18:29 +0100)
committer  The Qt Project <gerrit-noreply@qt-project.org>
           Thu, 7 Feb 2013 18:21:31 +0000 (19:21 +0100)
commit     9c8d87d26c8b572af44b95c13838b8b838c4dfa9
tree       83601ee274cdd06fc7c321d72a25bcff0930bfa8
parent     e08d860b281521970867f9f8d0b1c5541cbc5717
Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion

https://bugs.webkit.org/show_bug.cgi?id=99515

Reviewed by Simon Fraser.

The object used after being freed is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually it has been removed from m_scrollableAreas when setParent(0) is called, but is then added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).

No new tests. The heap-use-after-free doesn't always cause a crash, so it can't be tested reliably with a test case. Memory analysis tools like ASan discovered the heap-use-after-free and verified that the patch fixes the issue.

* page/FrameView.cpp:
(WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138850 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I545d8815badad8d72781751e877f933ca8d31365
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
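As an added illustration (not code from this commit or from WebKit), the following C++ model replays the sequence the commit message describes: a child FrameView is detached with setParent(0), so its parent() becomes 0, but a parentFrameView() derived only from the frame tree still returns the old parent, so a later updateScrollableAreaSet() re-registers the child and the set entry outlives the child object. The Frame and FrameView structs, their members, the fixApplied switch and the helper staleEntriesAfterChildDestroyed() are assumptions made for this model; only the method and member names come from the page.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>

struct FrameView;

// Stand-in for WebCore::Frame (assumption): only the frame-tree parent and the
// owning view are modelled, because those are the two links the bug depends on.
struct Frame {
    Frame* treeParent = nullptr;
    FrameView* view = nullptr;
};

// Stand-in for WebCore::FrameView (assumption). The names follow the commit
// message; the bodies are a simplification, not WebKit's implementation.
struct FrameView {
    Frame* m_frame;                          // owning frame, never null in this model
    FrameView* m_parent = nullptr;           // Widget parent, cleared by setParent(0)
    std::set<FrameView*> m_scrollableAreas;  // child views registered as scrollable areas
    bool m_fixApplied;                       // selects the pre- or post-patch parentFrameView()

    FrameView(Frame* frame, bool fixApplied) : m_frame(frame), m_fixApplied(fixApplied) {
        frame->view = this;
    }

    FrameView* parent() const { return m_parent; }

    // Pre-patch behaviour: derived from the frame tree alone, so it keeps
    // returning the old parent after setParent(0). Post-patch: a view that has
    // been removed from its parent reports no parent FrameView at all.
    FrameView* parentFrameView() const {
        if (m_fixApplied && !parent())
            return nullptr;
        Frame* parentFrame = m_frame->treeParent;
        return parentFrame ? parentFrame->view : nullptr;
    }

    // Registers this view in the parent's scrollable-area set. Simplified:
    // every child view counts as scrollable.
    void updateScrollableAreaSet() {
        if (FrameView* p = parentFrameView())
            p->m_scrollableAreas.insert(this);
    }

    void setParent(FrameView* newParent) {
        if (m_parent)
            m_parent->m_scrollableAreas.erase(this);  // setParent(0) removes the child, as the message says
        m_parent = newParent;
        if (m_parent)
            updateScrollableAreaSet();
    }
};

// Replays the sequence from the bug report and returns how many entries the
// parent's m_scrollableAreas set holds after the child view has been destroyed.
// 1 means a dangling pointer is left behind (the condition ASan reported);
// 0 means the detached child was never re-registered.
size_t staleEntriesAfterChildDestroyed(bool fixApplied) {
    Frame parentFrame, childFrame;
    childFrame.treeParent = &parentFrame;  // the frame-tree link outlives the Widget parent link
    FrameView parentView(&parentFrame, fixApplied);
    {
        FrameView childView(&childFrame, fixApplied);
        childView.setParent(&parentView);     // registers the child in the parent's set
        childView.setParent(nullptr);         // detach: erased from the set, parent() is now 0
        childView.updateScrollableAreaSet();  // a later update re-adds it unless parentFrameView() checks parent()
    }  // childView is destroyed here; any entry left in parentView's set now dangles
    return parentView.m_scrollableAreas.size();
}

int main() {
    std::printf("stale entries without fix: %zu\n", staleEntriesAfterChildDestroyed(false));
    std::printf("stale entries with fix:    %zu\n", staleEntriesAfterChildDestroyed(true));
    return 0;
}
```

The model deliberately reads only the set's size and never dereferences the stale pointer, so it runs clean under a sanitizer in both variants; the returned count is the observable. In the real code base the dangling entry is dereferenced later, when the parent view walks m_scrollableAreas to compute the non-fast-scrollable region, which is where ASan caught it.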
Source/WebCore/ChangeLog
Source/WebCore/page/FrameView.cpp