Crash re-entering Document layout with frame flattening enabled
https://bugs.webkit.org/show_bug.cgi?id=97841
Reviewed by Kenneth Rohde Christiansen.
Source/WebCore:
Walking up to parent FrameViews when doing a frame-flattening
layout should walk via the Frame tree, not the Widget hierarchy.
Walking via the Frame tree ensures that we don't walk up to the
root Frame when laying out a subframe that is in the page cache.
That's bad, because the root Frame is reused for the new
page, and laying it out from a frame in the page cache causes
re-entrant layout.
Test: plugins/frameset-with-plugin-frame.html
* page/FrameView.cpp:
(WebCore::FrameView::parentFrameView):
LayoutTests:
Test that navigates from one frameset to another frameset, where
one of the subframes contains a plugin.
* plugins/frameset-with-plugin-frame-expected.txt: Added.
* plugins/frameset-with-plugin-frame.html: Added.
* plugins/resources/frame-with-plugin-subframe.html: Added.
* plugins/resources/target-frameset-frame.html: Added.
* plugins/resources/target-frameset.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129944 268f45cc-cd09-0410-ab3c-d52691b4dbfc
8 files changed
