Changeset 207063 in webkit

Timestamp:

Oct 11, 2016 1:08:39 AM (8 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r205701 - v3: WebContent crash due to RELEASE_ASSERT in WebCore: WebCore::StyleResolver::styleForElement
​https://bugs.webkit.org/show_bug.cgi?id=161689

Reviewed by Andreas Kling.

These crashes happen because synchronously triggered resource loads generate callbacks that may end up
deleting the resource loader.

Stop triggering resource loads from StyleResolver. Instead trigger them when applying style to render tree.

• css/StyleResolver.cpp:

(WebCore::StyleResolver::~StyleResolver):

Replace the RELEASE_ASSERT against deletion during resource loads by a general isDeleted assert.

(WebCore::StyleResolver::styleForElement):
(WebCore::StyleResolver::styleForKeyframe):
(WebCore::StyleResolver::pseudoStyleForElement):
(WebCore::StyleResolver::styleForPage):
(WebCore::StyleResolver::applyMatchedProperties):
(WebCore::StyleResolver::loadPendingResources): Deleted.

• css/StyleResolver.h:
• page/animation/KeyframeAnimation.cpp:

(WebCore::KeyframeAnimation::KeyframeAnimation):
(WebCore::KeyframeAnimation::resolveKeyframeStyles):

Ensure resource load for all animation frames.

• page/animation/KeyframeAnimation.h:
• rendering/RenderElement.cpp:

(WebCore::RenderElement::createFor):
(WebCore::RenderElement::initializeStyle):

Load resources when renderer initializes a style.

(WebCore::RenderElement::setStyle):
(WebCore::RenderElement::getUncachedPseudoStyle):

Load resources for pseudo styles.

• rendering/RenderImage.cpp:

(WebCore::RenderImage::RenderImage):
(WebCore::RenderImage::styleWillChange):

Shuffle image resource initialization out from constructor so initializeStyle gets called before.

• rendering/RenderImage.h:
• rendering/style/StyleCachedImage.cpp:

(WebCore::StyleCachedImage::StyleCachedImage):

Track pending status with a bit instead of implicitly by the existence of CachedResource.
This is useful for asserts.

(WebCore::StyleCachedImage::load):
(WebCore::StyleCachedImage::isPending):
(WebCore::StyleCachedImage::addClient):
(WebCore::StyleCachedImage::removeClient):
(WebCore::StyleCachedImage::image):

• rendering/style/StyleCachedImage.h:

Location:

releases/WebKitGTK/webkit-2.14/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• css/StyleResolver.cpp (modified) (9 diffs)
• css/StyleResolver.h (modified) (3 diffs)
• page/animation/ImplicitAnimation.cpp (modified) (2 diffs)
• page/animation/KeyframeAnimation.cpp (modified) (3 diffs)
• page/animation/KeyframeAnimation.h (modified) (1 diff)
• rendering/RenderElement.cpp (modified) (5 diffs)
• rendering/RenderImage.cpp (modified) (3 diffs)
• rendering/RenderImage.h (modified) (1 diff)
• rendering/style/StyleCachedImage.cpp (modified) (6 diffs)
• rendering/style/StyleCachedImage.h (modified) (1 diff)

releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-09  Antti Koivisto  <antti@apple.com>
+
+        v3: WebContent crash due to RELEASE_ASSERT in WebCore: WebCore::StyleResolver::styleForElement
+        https://bugs.webkit.org/show_bug.cgi?id=161689
+
+        Reviewed by Andreas Kling.
+
+        These crashes happen because synchronously triggered resource loads generate callbacks that may end up
+        deleting the resource loader.
+
+        Stop triggering resource loads from StyleResolver. Instead trigger them when applying style to render tree.
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::~StyleResolver):
+
+            Replace the RELEASE_ASSERT against deletion during resource loads by a general isDeleted assert.
+
+        (WebCore::StyleResolver::styleForElement):
+        (WebCore::StyleResolver::styleForKeyframe):
+        (WebCore::StyleResolver::pseudoStyleForElement):
+        (WebCore::StyleResolver::styleForPage):
+        (WebCore::StyleResolver::applyMatchedProperties):
+        (WebCore::StyleResolver::loadPendingResources): Deleted.
+        * css/StyleResolver.h:
+        * page/animation/KeyframeAnimation.cpp:
+        (WebCore::KeyframeAnimation::KeyframeAnimation):
+        (WebCore::KeyframeAnimation::resolveKeyframeStyles):
+
+            Ensure resource load for all animation frames.
+
+        * page/animation/KeyframeAnimation.h:
+        * rendering/RenderElement.cpp:
+        (WebCore::RenderElement::createFor):
+        (WebCore::RenderElement::initializeStyle):
+
+            Load resources when renderer initializes a style.
+
+        (WebCore::RenderElement::setStyle):
+        (WebCore::RenderElement::getUncachedPseudoStyle):
+
+            Load resources for pseudo styles.
+
+        * rendering/RenderImage.cpp:
+        (WebCore::RenderImage::RenderImage):
+        (WebCore::RenderImage::styleWillChange):
+
+            Shuffle image resource initialization out from constructor so initializeStyle gets called before.
+
+        * rendering/RenderImage.h:
+        * rendering/style/StyleCachedImage.cpp:
+        (WebCore::StyleCachedImage::StyleCachedImage):
+
+            Track pending status with a bit instead of implicitly by the existence of CachedResource.
+            This is useful for asserts.
+
+        (WebCore::StyleCachedImage::load):
+        (WebCore::StyleCachedImage::isPending):
+        (WebCore::StyleCachedImage::addClient):
+        (WebCore::StyleCachedImage::removeClient):
+        (WebCore::StyleCachedImage::image):
+        * rendering/style/StyleCachedImage.h:
+
 2016-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
 

releases/WebKitGTK/webkit-2.14/Source/WebCore/css/StyleResolver.cpp

@@ -310 +310 @@
 StyleResolver::~StyleResolver()
 {
-    RELEASE_ASSERT(!m_inLoadPendingImages);
+    RELEASE_ASSERT(!m_isDeleted);
+    m_isDeleted = true;
 
 #if ENABLE(CSS_DEVICE_ADAPTATION)
@@ -386 +387 @@
 ElementStyle StyleResolver::styleForElement(const Element& element, const RenderStyle* parentStyle, RuleMatchingBehavior matchingBehavior, const RenderRegion* regionForStyling, const SelectorFilter* selectorFilter)
 {
-    RELEASE_ASSERT(!m_inLoadPendingImages);
+    RELEASE_ASSERT(!m_isDeleted);
 
     m_state = State(element, parentStyle, m_overrideDocumentElementStyle, regionForStyling, selectorFilter);
@@ -447 +448 @@
 std::unique_ptr<RenderStyle> StyleResolver::styleForKeyframe(const RenderStyle* elementStyle, const StyleKeyframe* keyframe, KeyframeValue& keyframeValue)
 {
-    RELEASE_ASSERT(!m_inLoadPendingImages);
+    RELEASE_ASSERT(!m_isDeleted);
 
     MatchResult result;
@@ -487 +488 @@
     adjustRenderStyle(*state.style(), *state.parentStyle(), nullptr);
 
-    // Start loading resources referenced by this style.
-    loadPendingResources();
-    
     // Add all the animating properties to the keyframe.
     unsigned propertyCount = keyframe->properties().propertyCount();
@@ -643 +641 @@
         document().setHasStyleWithViewportUnits();
 
-    // Start loading resources referenced by this style.
-    loadPendingResources();
-
     // Now return the style.
     return state.takeStyle();
@@ -652 +647 @@
 std::unique_ptr<RenderStyle> StyleResolver::styleForPage(int pageIndex)
 {
-    RELEASE_ASSERT(!m_inLoadPendingImages);
+    RELEASE_ASSERT(!m_isDeleted);
 
     auto* documentElement = m_document.documentElement();
@@ -686 +681 @@
 
     cascade.applyDeferredProperties(*this, &result);
-
-    // Start loading resources referenced by this style.
-    loadPendingResources();
 
     // Now return the style.
@@ -1414 +1406 @@
     cascade.applyDeferredProperties(*this, &matchResult);
 
-    // Start loading resources referenced by this style.
-    loadPendingResources();
-    
     ASSERT(!state.fontDirty());
     
@@ -2044 +2033 @@
 }
 
-void StyleResolver::loadPendingResources()
-{
-    ASSERT(style());
-    if (!style())
-        return;
-
-    RELEASE_ASSERT(!m_inLoadPendingImages);
-    TemporaryChange<bool> changeInLoadPendingImages(m_inLoadPendingImages, true);
-
-    Style::loadPendingResources(*style(), document(), m_state.element());
-}
-
 inline StyleResolver::MatchedProperties::MatchedProperties()
     : possiblyPaddedMember(nullptr)

releases/WebKitGTK/webkit-2.14/Source/WebCore/css/StyleResolver.h

@@ -221 +221 @@
 
     bool createFilterOperations(const CSSValue& inValue, FilterOperations& outOperations);
-    void loadPendingSVGDocuments();
-
-    void loadPendingResources();
 
     struct RuleRange {
@@ -483 +480 @@
     void applySVGProperty(CSSPropertyID, CSSValue*);
 
-    void loadPendingImages();
-
     static unsigned computeMatchedPropertiesHash(const MatchedProperties*, unsigned size);
     struct MatchedPropertiesCacheItem {
@@ -526 +521 @@
     State m_state;
 
-    // Try to catch a crash. https://bugs.webkit.org/show_bug.cgi?id=141561.
-    bool m_inLoadPendingImages { false };
+    // See if we still have crashes where StyleResolver gets deleted early.
+    bool m_isDeleted { false };
 
     friend bool operator==(const MatchedProperties&, const MatchedProperties&);

releases/WebKitGTK/webkit-2.14/Source/WebCore/page/animation/ImplicitAnimation.cpp

@@ -37 +37 @@
 #include "KeyframeAnimation.h"
 #include "RenderBox.h"
+#include "StylePendingResources.h"
 
 namespace WebCore {
@@ -213 +214 @@
     m_toStyle = RenderStyle::clonePtr(*to);
 
+    if (m_object && m_object->element())
+        Style::loadPendingResources(*m_toStyle, m_object->element()->document(), m_object->element());
+
     // Restart the transition
     if (m_fromStyle && m_toStyle)

releases/WebKitGTK/webkit-2.14/Source/WebCore/page/animation/KeyframeAnimation.cpp

@@ -38 +38 @@
 #include "RenderBox.h"
 #include "RenderStyle.h"
+#include "StylePendingResources.h"
 #include "StyleResolver.h"
 
@@ -47 +48 @@
     , m_unanimatedStyle(RenderStyle::clonePtr(*unanimatedStyle))
 {
-    // Get the keyframe RenderStyles
-    if (m_object && m_object->element())
-        m_object->element()->styleResolver().keyframeStylesForAnimation(*m_object->element(), unanimatedStyle, m_keyframes);
+    resolveKeyframeStyles();
 
     // Update the m_transformFunctionListValid flag based on whether the function lists in the keyframes match.
@@ -351 +350 @@
 }
 
+void KeyframeAnimation::resolveKeyframeStyles()
+{
+    if (!m_object || !m_object->element())
+        return;
+    auto& element = *m_object->element();
+
+    element.styleResolver().keyframeStylesForAnimation(*m_object->element(), m_unanimatedStyle.get(), m_keyframes);
+
+    // Ensure resource loads for all the frames.
+    for (auto& keyframe : m_keyframes.keyframes()) {
+        if (auto* style = const_cast<RenderStyle*>(keyframe.style()))
+            Style::loadPendingResources(*style, element.document(), &element);
+    }
+}
+
 void KeyframeAnimation::validateTransformFunctionList()
 {

releases/WebKitGTK/webkit-2.14/Source/WebCore/page/animation/KeyframeAnimation.h

@@ -82 +82 @@
     bool computeExtentOfAnimationForMatchingTransformLists(const FloatRect& rendererBox, LayoutRect&) const;
 
+    void resolveKeyframeStyles();
     void validateTransformFunctionList();
     void checkForMatchingFilterFunctionLists();

releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderElement.cpp

@@ -67 +67 @@
 #include "Settings.h"
 #include "ShadowRoot.h"
+#include "StylePendingResources.h"
 #include "StyleResolver.h"
 #include <wtf/MathExtras.h>
@@ -151 +152 @@
     const ContentData* contentData = style.contentData();
     if (contentData && !contentData->next() && is<ImageContentData>(*contentData) && !element.isPseudoElement()) {
+        Style::loadPendingResources(style, element.document(), &element);
         auto& styleImage = downcast<ImageContentData>(*contentData).image();
         auto image = createRenderer<RenderImage>(element, WTFMove(style), const_cast<StyleImage*>(&styleImage));
@@ -364 +366 @@
 void RenderElement::initializeStyle()
 {
+    Style::loadPendingResources(m_style, document(), element());
+
     styleWillChange(StyleDifferenceNewStyle, style());
 
@@ -402 +406 @@
 
     diff = adjustStyleDifference(diff, contextSensitiveProperties);
+
+    Style::loadPendingResources(style, document(), element());
 
     styleWillChange(diff, style);
@@ -1572 +1578 @@
     auto& styleResolver = element()->styleResolver();
 
+    std::unique_ptr<RenderStyle> style;
     if (pseudoStyleRequest.pseudoId == FIRST_LINE_INHERITED) {
-        auto result = styleResolver.styleForElement(*element(), parentStyle).renderStyle;
-        result->setStyleType(FIRST_LINE_INHERITED);
-        return result;
-    }
-
-    return styleResolver.pseudoStyleForElement(*element(), pseudoStyleRequest, *parentStyle);
+        style = styleResolver.styleForElement(*element(), parentStyle).renderStyle;
+        style->setStyleType(FIRST_LINE_INHERITED);
+    } else
+        style = styleResolver.pseudoStyleForElement(*element(), pseudoStyleRequest, *parentStyle);
+
+    if (style)
+        Style::loadPendingResources(*style, document(), element());
+
+    return style;
 }
 

releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderImage.cpp

@@ -132 +132 @@
 {
     updateAltText();
-    imageResource().initialize(this);
     if (is<HTMLImageElement>(element))
         m_hasShadowControls = downcast<HTMLImageElement>(element).hasShadowControls();
@@ -141 +140 @@
     , m_imageResource(styleImage ? std::make_unique<RenderImageResourceStyleImage>(*styleImage) : std::make_unique<RenderImageResource>())
 {
-    imageResource().initialize(this);
 }
 
@@ -200 +198 @@
     setIntrinsicSize(imageSize);
     return ImageSizeChangeForAltText;
+}
+
+void RenderImage::styleWillChange(StyleDifference diff, const RenderStyle& newStyle)
+{
+    if (!hasInitializedStyle())
+        imageResource().initialize(this);
+    RenderReplaced::styleWillChange(diff, newStyle);
 }
 

releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderImage.h

@@ -78 +78 @@
     bool foregroundIsKnownToBeOpaqueInRect(const LayoutRect& localRect, unsigned maxDepthToTest) const override;
 
+    void styleWillChange(StyleDifference, const RenderStyle& newStyle) override;
     void styleDidChange(StyleDifference, const RenderStyle*) override;
 

releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/style/StyleCachedImage.cpp

@@ -41 +41 @@
 
     // CSSImageValue doesn't get invalidated so we can grab the CachedImage immediately if it exists.
-    if (is<CSSImageValue>(m_cssValue))
+    if (is<CSSImageValue>(m_cssValue)) {
         m_cachedImage = downcast<CSSImageValue>(m_cssValue.get()).cachedImage();
+        if (m_cachedImage)
+            m_isPending = false;
+    }
 }
 
@@ -67 +70 @@
 void StyleCachedImage::load(CachedResourceLoader& loader, const ResourceLoaderOptions& options)
 {
-    ASSERT(isPending());
+    ASSERT(m_isPending);
+    m_isPending = false;
 
     if (is<CSSImageValue>(m_cssValue)) {
@@ -107 +111 @@
 bool StyleCachedImage::isPending() const
 {
-    return !m_cachedImage;
+    return m_isPending;
 }
 
@@ -170 +174 @@
 void StyleCachedImage::addClient(RenderElement* renderer)
 {
+    ASSERT(!m_isPending);
     if (!m_cachedImage)
         return;
@@ -177 +182 @@
 void StyleCachedImage::removeClient(RenderElement* renderer)
 {
+    ASSERT(!m_isPending);
     if (!m_cachedImage)
         return;
@@ -184 +190 @@
 RefPtr<Image> StyleCachedImage::image(RenderElement* renderer, const FloatSize&) const
 {
+    ASSERT(!m_isPending);
     if (!m_cachedImage)
         return nullptr;

releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/style/StyleCachedImage.h

@@ -70 +70 @@
 
     Ref<CSSValue> m_cssValue;
+    bool m_isPending { true };
     mutable float m_scaleFactor { 1 };
     mutable CachedResourceHandle<CachedImage> m_cachedImage;