Changeset 223131 in webkit

Timestamp:

Oct 10, 2017 6:02:47 AM (7 years ago)

Author:

Antti Koivisto

Message:

RenderObject::destroy() should only be invoked after renderer has been removed from the tree
​https://bugs.webkit.org/show_bug.cgi?id=178075

Reviewed by Zalan Bujtas.

Source/WebCore:

This patch fixes the remaining cases where the renderer is still in the tree while destroy()
is called and adds the assert.

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::removeLeftoverAnonymousBlock):
(WebCore::RenderBlock::takeChild):

• rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::willBeDestroyed):

• rendering/RenderLayer.cpp:

(WebCore::RenderLayer::~RenderLayer):

Null the parent pointers for m_scrollCorner/m_resizer.

(WebCore::RenderLayer::calculateClipRects const):

• rendering/RenderLayer.h:
• rendering/RenderObject.cpp:

(WebCore::RenderObject::willBeDestroyed):
(WebCore::RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers):
(WebCore::RenderObject::destroy):

Use RELEASE_ASSERT as these are cheap and important checks.
Also turn isBeingDestroyed test into RELEASE_ASSERT.
Remove AX call that no longer does anything.

(WebCore::RenderObject::destroyAndCleanupAnonymousWrappers): Deleted.

• rendering/RenderObject.h:
• rendering/RenderRubyBase.cpp:

(WebCore::RenderRubyBase::moveBlockChildren):

• rendering/RenderTableRow.cpp:

(WebCore::RenderTableRow::collapseAndDestroyAnonymousSiblingRows):
(WebCore::RenderTableRow::destroyAndCollapseAnonymousSiblingRows): Deleted.

Renamed and made this no longer destroy itself. The caller now takes care of that.
Removed an unnecessary lambda.

• rendering/RenderTableRow.h:
• style/RenderTreeUpdater.cpp:

(WebCore::RenderTreeUpdater::tearDownRenderers):
(WebCore::RenderTreeUpdater::tearDownRenderer):

• style/RenderTreeUpdaterListItem.cpp:

(WebCore::RenderTreeUpdater::ListItem::updateMarker):

LayoutTests:

• accessibility/mac/textbox-role-reports-notifications.html:

This passed because spurious AXValueChanged notifications. Force layout to prevent coalescing between mutations.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/accessibility/mac/textbox-role-reports-notifications.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (3 diffs)
• Source/WebCore/rendering/RenderBoxModelObject.cpp (modified) (1 diff)
• Source/WebCore/rendering/RenderLayer.cpp (modified) (8 diffs)
• Source/WebCore/rendering/RenderLayer.h (modified) (1 diff)
• Source/WebCore/rendering/RenderObject.cpp (modified) (4 diffs)
• Source/WebCore/rendering/RenderObject.h (modified) (2 diffs)
• Source/WebCore/rendering/RenderRubyBase.cpp (modified) (1 diff)
• Source/WebCore/rendering/RenderTableRow.cpp (modified) (1 diff)
• Source/WebCore/rendering/RenderTableRow.h (modified) (1 diff)
• Source/WebCore/style/RenderTreeUpdater.cpp (modified) (2 diffs)
• Source/WebCore/style/RenderTreeUpdaterListItem.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-10-10  Antti Koivisto  <antti@apple.com>
+
+        RenderObject::destroy() should only be invoked after renderer has been removed from the tree
+        https://bugs.webkit.org/show_bug.cgi?id=178075
+
+        Reviewed by Zalan Bujtas.
+
+        * accessibility/mac/textbox-role-reports-notifications.html:
+
+        This passed because spurious AXValueChanged notifications. Force layout to prevent coalescing between mutations.
+
 2017-10-10  Joanmarie Diggs  <jdiggs@igalia.com>
 

trunk/LayoutTests/accessibility/mac/textbox-role-reports-notifications.html

@@ -20 +20 @@
         pendingNotifications = 3;
         ariaTextBox.firstChild.deleteData(0, 5);
+        ariaTextBox.offsetWidth;
         ariaTextBox.textContent = "changed textContent";
+        ariaTextBox.offsetWidth;
         ariaTextBox.innerText = "changed innerText";
     }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-10-10  Antti Koivisto  <antti@apple.com>
+
+        RenderObject::destroy() should only be invoked after renderer has been removed from the tree
+        https://bugs.webkit.org/show_bug.cgi?id=178075
+
+        Reviewed by Zalan Bujtas.
+
+        This patch fixes the remaining cases where the renderer is still in the tree while destroy()
+        is called and adds the assert.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeLeftoverAnonymousBlock):
+        (WebCore::RenderBlock::takeChild):
+        * rendering/RenderBoxModelObject.cpp:
+        (WebCore::RenderBoxModelObject::willBeDestroyed):
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::~RenderLayer):
+
+            Null the parent pointers for m_scrollCorner/m_resizer.
+
+        (WebCore::RenderLayer::calculateClipRects const):
+        * rendering/RenderLayer.h:
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::willBeDestroyed):
+        (WebCore::RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers):
+        (WebCore::RenderObject::destroy):
+
+            Use RELEASE_ASSERT as these are cheap and important checks.
+            Also turn isBeingDestroyed test into RELEASE_ASSERT.
+            Remove AX call that no longer does anything.
+
+        (WebCore::RenderObject::destroyAndCleanupAnonymousWrappers): Deleted.
+        * rendering/RenderObject.h:
+        * rendering/RenderRubyBase.cpp:
+        (WebCore::RenderRubyBase::moveBlockChildren):
+        * rendering/RenderTableRow.cpp:
+        (WebCore::RenderTableRow::collapseAndDestroyAnonymousSiblingRows):
+        (WebCore::RenderTableRow::destroyAndCollapseAnonymousSiblingRows): Deleted.
+
+            Renamed and made this no longer destroy itself. The caller now takes care of that.
+            Removed an unnecessary lambda.
+
+        * rendering/RenderTableRow.h:
+        * style/RenderTreeUpdater.cpp:
+        (WebCore::RenderTreeUpdater::tearDownRenderers):
+        (WebCore::RenderTreeUpdater::tearDownRenderer):
+        * style/RenderTreeUpdaterListItem.cpp:
+        (WebCore::RenderTreeUpdater::ListItem::updateMarker):
+
 2017-10-09  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -765 +765 @@
     }
 
-    child->setFirstChild(0);
-    child->m_next = 0;
+    child->setFirstChild(nullptr);
+    child->m_next = nullptr;
 
     // Remove all the information in the flow thread associated with the leftover anonymous block.
     child->resetFragmentedFlowStateOnRemoval();
 
-    child->setParent(0);
-    child->setPreviousSibling(0);
-    child->setNextSibling(0);
+    child->setParent(nullptr);
+    child->setPreviousSibling(nullptr);
+    child->setNextSibling(nullptr);
 
     child->destroy();
@@ -876 +876 @@
             // Delete the now-empty block's lines and nuke it.
             nextBlock.deleteLines();
-            nextBlock.destroy();
+            nextBlock.removeFromParentAndDestroy();
             next = nullptr;
         }
@@ -935 +935 @@
             }
             setContinuation(nullptr);
-            destroy();
+            // FIXME: This is dangerous.
+            removeFromParentAndDestroy();
         }
     }

trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp

@@ -189 +189 @@
 {
     if (hasContinuation()) {
-        continuation()->destroy();
+        continuation()->removeFromParentAndDestroy();
         setContinuation(nullptr);
     }

trunk/Source/WebCore/rendering/RenderLayer.cpp

@@ -370 +370 @@
         removeReflection();
 
+    clearScrollCorner();
+    clearResizer();
+
     FilterInfo::remove(*this);
 
@@ -6664 +6667 @@
 
     if (!corner) {
-        m_scrollCorner = nullptr;
+        clearScrollCorner();
         return;
     }
@@ -6670 +6673 @@
     if (!m_scrollCorner) {
         m_scrollCorner = createRenderer<RenderScrollbarPart>(renderer().document(), WTFMove(*corner));
+        // FIXME: A renderer should be a child of its parent!
         m_scrollCorner->setParent(&renderer());
         m_scrollCorner->initializeStyle();
@@ -6676 +6680 @@
 }
 
+void RenderLayer::clearScrollCorner()
+{
+    if (!m_scrollCorner)
+        return;
+    m_scrollCorner->setParent(nullptr);
+    m_scrollCorner = nullptr;
+}
+
 void RenderLayer::updateResizerStyle()
 {
@@ -6682 +6694 @@
 
     if (!resizer) {
-        m_resizer = nullptr;
+        clearResizer();
         return;
     }
@@ -6688 +6700 @@
     if (!m_resizer) {
         m_resizer = createRenderer<RenderScrollbarPart>(renderer().document(), WTFMove(*resizer));
+        // FIXME: A renderer should be a child of its parent!
         m_resizer->setParent(&renderer());
         m_resizer->initializeStyle();
@@ -6694 +6707 @@
 }
 
+void RenderLayer::clearResizer()
+{
+    if (!m_resizer)
+        return;
+    m_resizer->setParent(nullptr);
+    m_resizer = nullptr;
+}
+
 RenderLayer* RenderLayer::reflectionLayer() const
 {
@@ -6703 +6724 @@
     ASSERT(!m_reflection);
     m_reflection = createRenderer<RenderReplica>(renderer().document(), createReflectionStyle());
+    // FIXME: A renderer should be a child of its parent!
     m_reflection->setParent(&renderer()); // We create a 1-way connection.
     m_reflection->initializeStyle();

trunk/Source/WebCore/rendering/RenderLayer.h

@@ -979 +979 @@
     void positionOverflowControls(const IntSize&);
     void updateScrollCornerStyle();
+    void clearScrollCorner();
     void updateResizerStyle();
+    void clearResizer();
 
     void drawPlatformResizerImage(GraphicsContext&, const LayoutRect& resizerCornerRect);

trunk/Source/WebCore/rendering/RenderObject.cpp

@@ -1429 +1429 @@
 void RenderObject::willBeDestroyed()
 {
-    // For accessibility management, notify the parent of the imminent change to its child set.
-    // We do it now, before remove(), while the parent pointer is still available.
-    if (AXObjectCache* cache = document().existingAXObjectCache())
-        cache->childrenChanged(this->parent());
-
-    if (m_parent) {
-        // FIXME: We should have always been removed from the parent before being destroyed.
-        auto takenThis = m_parent->takeChild(*this);
-        auto* leakedPtr = takenThis.release();
-        UNUSED_PARAM(leakedPtr);
-    }
-
+    ASSERT(!m_parent);
     ASSERT(renderTreeBeingDestroyed() || !is<RenderElement>(*this) || !view().frameView().hasSlowRepaintObject(downcast<RenderElement>(*this)));
 
-    // The remove() call above may invoke axObjectCache()->childrenChanged() on the parent, which may require the AX render
-    // object for this renderer. So we remove the AX render object now, after the renderer is removed.
     if (AXObjectCache* cache = document().existingAXObjectCache())
         cache->remove(this);
@@ -1477 +1464 @@
 }
 
-void RenderObject::destroyAndCleanupAnonymousWrappers()
+void RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers()
 {
     // If the tree is destroyed, there is no need for a clean-up phase.
     if (renderTreeBeingDestroyed()) {
-        destroy();
+        removeFromParentAndDestroy();
         return;
     }
@@ -1498 +1485 @@
     }
 
-    if (is<RenderTableRow>(*destroyRoot)) {
-        downcast<RenderTableRow>(*destroyRoot).destroyAndCollapseAnonymousSiblingRows();
-        return;
-    }
-
-    destroyRoot->destroy();
+    if (is<RenderTableRow>(*destroyRoot))
+        downcast<RenderTableRow>(*destroyRoot).collapseAndDestroyAnonymousSiblingRows();
+
+    destroyRoot->removeFromParentAndDestroy();
     // WARNING: |this| is deleted here.
 }
@@ -1509 +1494 @@
 void RenderObject::destroy()
 {
-    ASSERT(!m_bitfields.beingDestroyed());
+    RELEASE_ASSERT(!m_parent);
+    RELEASE_ASSERT(!m_next);
+    RELEASE_ASSERT(!m_previous);
+    RELEASE_ASSERT(!m_bitfields.beingDestroyed());
+
     m_bitfields.setBeingDestroyed(true);
 

trunk/Source/WebCore/rendering/RenderObject.h

@@ -722 +722 @@
     bool renderTreeBeingDestroyed() const;
 
-    void destroyAndCleanupAnonymousWrappers();
     void destroy();
 
@@ -749 +748 @@
 
     void removeFromParentAndDestroy();
+    void removeFromParentAndDestroyCleaningUpAnonymousWrappers();
 
     CSSAnimationController& animation() const;

trunk/Source/WebCore/rendering/RenderRubyBase.cpp

@@ -126 +126 @@
         anonBlockHere->moveAllChildrenTo(anonBlockThere, true);
         anonBlockHere->deleteLines();
-        anonBlockHere->destroy();
+        anonBlockHere->removeFromParentAndDestroy();
     }
     // Move all remaining children normally.

trunk/Source/WebCore/rendering/RenderTableRow.cpp

@@ -285 +285 @@
 }
 
-void RenderTableRow::destroyAndCollapseAnonymousSiblingRows()
-{
-    auto collapseAnonymousSiblingRows = [&] {
-        auto* section = this->section();
-        if (!section)
+void RenderTableRow::collapseAndDestroyAnonymousSiblingRows()
+{
+    auto* section = this->section();
+    if (!section)
+        return;
+
+    // All siblings generated?
+    for (auto* current = section->firstRow(); current; current = current->nextRow()) {
+        if (current == this)
+            continue;
+        if (!current->isAnonymous())
             return;
-
-        // All siblings generated?
-        for (auto* current = section->firstRow(); current; current = current->nextRow()) {
-            if (current == this)
-                continue;
-            if (!current->isAnonymous())
-                return;
-        }
-
-        RenderTableRow* rowToInsertInto = nullptr;
-        auto* currentRow = section->firstRow();
-        while (currentRow) {
-            if (currentRow == this) {
-                currentRow = currentRow->nextRow();
-                continue;
-            }
-            if (!rowToInsertInto) {
-                rowToInsertInto = currentRow;
-                currentRow = currentRow->nextRow();
-                continue;
-            }
-            currentRow->moveAllChildrenTo(rowToInsertInto);
-            auto* destroyThis = currentRow;
+    }
+
+    RenderTableRow* rowToInsertInto = nullptr;
+    auto* currentRow = section->firstRow();
+    while (currentRow) {
+        if (currentRow == this) {
             currentRow = currentRow->nextRow();
-            destroyThis->destroy();
-        }
-        if (rowToInsertInto)
-            rowToInsertInto->setNeedsLayout();
-    };
-
-    collapseAnonymousSiblingRows();
-    destroy();
+            continue;
+        }
+        if (!rowToInsertInto) {
+            rowToInsertInto = currentRow;
+            currentRow = currentRow->nextRow();
+            continue;
+        }
+        currentRow->moveAllChildrenTo(rowToInsertInto);
+        auto toDestroy = section->takeChild(*currentRow);
+        currentRow = currentRow->nextRow();
+    }
+    if (rowToInsertInto)
+        rowToInsertInto->setNeedsLayout();
 }
 

trunk/Source/WebCore/rendering/RenderTableRow.h

@@ -63 +63 @@
     bool nodeAtPoint(const HitTestRequest&, HitTestResult&, const HitTestLocation& locationInContainer, const LayoutPoint& accumulatedOffset, HitTestAction) override;
 
-    void destroyAndCollapseAnonymousSiblingRows();
+    void collapseAndDestroyAnonymousSiblingRows();
 
 private:

trunk/Source/WebCore/style/RenderTreeUpdater.cpp

@@ -521 +521 @@
 
             if (auto* renderer = element.renderer()) {
-                renderer->destroyAndCleanupAnonymousWrappers();
+                renderer->removeFromParentAndDestroyCleaningUpAnonymousWrappers();
                 element.setRenderer(nullptr);
             }
@@ -551 +551 @@
     if (!renderer)
         return;
-    renderer->destroyAndCleanupAnonymousWrappers();
+    renderer->removeFromParentAndDestroyCleaningUpAnonymousWrappers();
     text.setRenderer(nullptr);
 }

trunk/Source/WebCore/style/RenderTreeUpdaterListItem.cpp

@@ -117 +117 @@
         // If current parent is an anonymous block that has lost all its children, destroy it.
         if (currentParent && currentParent->isAnonymousBlock() && !currentParent->firstChild() && !downcast<RenderBlock>(*currentParent).continuation())
-            currentParent->destroy();
+            currentParent->removeFromParentAndDestroy();
     }
 }