[Webkit-unassigned] [Bug 181132] New: Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
bugzilla-daemon at webkit.org
Fri Dec 22 11:16:16 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=181132
Bug ID: 181132
Summary: Crash beneath ScriptedAnimationController::serviceScriptedAnimations after a requestAnimationFrame callback removes the requesting iframe
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mitz at webkit.org
<rdar://problem/35143540>
When multiple requestAnimationFrame callbacks are set to fire on a subframe, and one of the callbacks which isn’t the last removes the iframe from the document, a crash happens when ScriptedAnimationController::serviceScriptedAnimations calls InspectorInstrumentation::willFireAnimationFrame, dereferencing its now-null m_document member.
Here’s a minimal example:
<iframe id=target></iframe>
<script>
const target = document.getElementById("target");
const contentWindow = target.contentWindow;
// First callback: removing the iframe tears down the subframe's document
// while the subframe's animation controller is still servicing its list.
contentWindow.requestAnimationFrame(() => { target.remove() });
// Second callback is still queued on the same controller and is serviced
// next, after the document it belongs to has already gone away.
contentWindow.requestAnimationFrame(() => { });
</script>
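The failure mode above, as an added illustration that is not part of the bug report and not WebKit code: a toy model of a per-frame animation-callback dispatcher in which one callback detaches the owning document, dispatched once naively (the instrumentation hook before the next callback dereferences a now-null owner, modelled here as a thrown TypeError standing in for the native null dereference) and once with a liveness check before every callback. All class, method and field names (ToyDocument, ToyAnimationController, willFireAnimationFrame, runScenario) are assumptions chosen for the example; the two-callback setup mirrors the repro in the report.

```javascript
// Added illustration, not WebKit code: a toy model of a per-frame
// animation-callback dispatcher with the hazard the report describes,
// beside a guarded variant. All names here are assumptions for the example.

// Models an instrumentation hook that needs the owning document
// (cf. willFireAnimationFrame in the report). Given null it fails, the way
// a null member dereference would in native code.
function willFireAnimationFrame(document, callbackId) {
  if (document === null) {
    throw new TypeError("willFireAnimationFrame: document is null");
  }
  document.events.push(`willFire:${callbackId}`);
}

// A subframe document that owns a controller. Detaching it (the iframe
// being removed) clears the controller's back-pointer to the document.
class ToyDocument {
  constructor() {
    this.events = [];
    this.controller = new ToyAnimationController(this);
  }
  detach() {
    this.events.push("detached");
    this.controller.document = null;
  }
}

class ToyAnimationController {
  constructor(document) {
    this.document = document;
    this.callbacks = [];
    this.nextId = 1;
  }

  requestAnimationFrame(callback) {
    const id = this.nextId++;
    this.callbacks.push({ id, callback });
    return id;
  }

  // Naive dispatch. Swapping the list out first protects against callbacks
  // that enqueue or cancel, but nothing re-checks that the document survived
  // the previous callback before instrumenting the next one.
  serviceNaive(timestamp) {
    const batch = this.callbacks;
    this.callbacks = [];
    for (const { id, callback } of batch) {
      willFireAnimationFrame(this.document, id);
      callback(timestamp);
    }
    return "completed";
  }

  // Guarded dispatch: any callback may tear the frame down, so the owner is
  // re-validated before every callback and dispatch stops once it is gone.
  serviceGuarded(timestamp) {
    const batch = this.callbacks;
    this.callbacks = [];
    for (const { id, callback } of batch) {
      if (this.document === null) {
        return "bailed-out"; // an earlier callback removed the frame
      }
      willFireAnimationFrame(this.document, id);
      callback(timestamp);
    }
    return "completed";
  }
}

// Re-creates the report's two-callback setup: one callback removes the
// frame, the other does nothing. `removerLast` puts the removing callback
// last, the ordering the report does not flag as crashing.
function runScenario(mode, removerLast = false) {
  const doc = new ToyDocument();
  const ctl = doc.controller;
  const remover = () => doc.detach();
  const noop = () => {};
  if (removerLast) {
    ctl.requestAnimationFrame(noop);
    ctl.requestAnimationFrame(remover);
  } else {
    ctl.requestAnimationFrame(remover);
    ctl.requestAnimationFrame(noop);
  }
  try {
    const outcome = mode === "guarded" ? ctl.serviceGuarded(16.7) : ctl.serviceNaive(16.7);
    return { outcome, events: doc.events };
  } catch (e) {
    return { outcome: `crash: ${e.constructor.name}`, events: doc.events };
  }
}

console.log(runScenario("naive"));       // { outcome: 'crash: TypeError', events: [ 'willFire:1', 'detached' ] }
console.log(runScenario("guarded"));     // { outcome: 'bailed-out', events: [ 'willFire:1', 'detached' ] }
console.log(runScenario("naive", true)); // { outcome: 'completed', events: [ 'willFire:1', 'willFire:2', 'detached' ] }
```

The general point the toy makes: every callback in the batch is re-entrant user code that can destroy the object doing the dispatching, so snapshotting the callback list is not enough; the dispatcher has to re-check the owner (or hold a strong reference that keeps it alive) on each iteration, not just once before the loop.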