Changeset 112283 in webkit


Timestamp: Mar 27, 2012 11:00:50 AM
Author: commit-queue@webkit.org
Message:

Frame flattening: childframe in FrameView::layout() needs protector.
https://bugs.webkit.org/show_bug.cgi?id=82345

Patch by Zalan Bujtas <zbujtas@gmail.com> on 2012-03-27
Reviewed by Kenneth Rohde Christiansen.

RefPtr<FrameView> protector(this) is supposed to protect the current FrameView in
FrameView::layout() from being destroyed by recalcStyle().
However, when frame flattening is on and a child frame is re-starting layout from
the topmost parent, the protection is missing and the parent's recalcStyle()
can destroy the child frame.
Moving the protector before the layout re-start is initiated makes the child frame
safe.

No new tests. Unable to create a test case where this scenario is reproducible.

  • page/FrameView.cpp: (WebCore::FrameView::layout)
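The keep-alive pattern the message relies on, as an added example that is not WebKit code: `RefCounted`, `RefPtr`, `Owner`, `View` and `runScenario` are hypothetical stand-ins for WTF::RefCounted/RefPtr, Frame and FrameView. The owner drops its only reference to the view from inside a re-entrant call (the role recalcStyle() plays in the patch); the view's method either pins itself with a local `RefPtr` first, or discovers it has been destroyed under it and has to abandon the rest of its work.

```cpp
#include <cstdio>
#include <utility>

// Minimal intrusive refcount and smart pointer (hypothetical; not WTF's).
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            delete this;
    }
protected:
    virtual ~RefCounted() = default;
private:
    int m_refCount = 0;
};

template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    RefPtr& operator=(const RefPtr&) = delete;
    RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(m_ptr, tmp.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

struct View;

// Stands in for the owning Frame: it holds the only long-lived reference to
// the view and, when asked, drops it from inside recalcStyle().
struct Owner {
    RefPtr<View> view;
    bool dropViewOnRecalcStyle = false;
    void recalcStyle();
};

struct View : RefCounted {
    Owner* owner;
    bool* destroyedFlag = nullptr;   // lets layout() observe its own destruction safely

    explicit View(Owner* o) : owner(o) {}
    ~View() override {
        if (destroyedFlag)
            *destroyedFlag = true;
    }

    // Returns true if `this` is still alive after the re-entrant call, false if
    // recalcStyle() destroyed it underneath us (the bug the patch closes: every
    // later member access in layout() would then be a use-after-free).
    bool layout(bool useProtector) {
        bool destroyed = false;      // written by ~View(), read here; never a member
        RefPtr<View> protector;
        if (useProtector)
            protector = this;        // pins `this` until layout() returns
        destroyedFlag = &destroyed;
        owner->recalcStyle();        // may drop the last external reference
        if (destroyed)
            return false;            // `this` dangles: touch no members
        destroyedFlag = nullptr;     // returning; stop pointing at a local
        return true;
    }
};

void Owner::recalcStyle() {
    if (dropViewOnRecalcStyle)
        view = nullptr;              // releases the owner's reference
}

// Builds an owner/view pair whose recalcStyle() drops the view, then runs
// layout() with or without the protector.
bool runScenario(bool useProtector) {
    Owner owner;
    owner.view = new View(&owner);
    owner.dropViewOnRecalcStyle = true;
    return owner.view->layout(useProtector);
}

int main() {
    std::printf("without protector: %s\n",
                runScenario(false) ? "view survived layout()" : "view destroyed under layout()");
    std::printf("with protector:    %s\n",
                runScenario(true) ? "view survived layout()" : "view destroyed under layout()");
    return 0;
}
```

The protector must be taken before the first call that can re-enter the owner, which is exactly why the patch moves it above the frame-flattening re-start rather than leaving it where the other flag resets sit; a protector declared after the call-out protects nothing.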

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r112281 r112283  
     12012-03-27  Zalan Bujtas  <zbujtas@gmail.com>
     2
     3        Frame flattening: childframe in FrameView::layout() needs protector.
     4        https://bugs.webkit.org/show_bug.cgi?id=82345
     5
     6        Reviewed by Kenneth Rohde Christiansen.
     7
     8        RefPtr<FrameView> protector(this) is supposed to protect the current frameview in
     9        FrameView::layout() from being destroyed by recalcStyle().
     10        However, when frame flattening is on and a child frame is re-starting layout from
     11        the topmost parent, the protection is missing and parent's recalcStyle()
     12        can destroy the child frame.
     13        Moving the protector before the layout re-starting is initiated makes the child frame
     14        safe.
     15
     16        No new tests. Unable to create a test case, where this scenario is reproducible.
     17
     18        * page/FrameView.cpp:
     19        (WebCore::FrameView::layout):
     20
    1212012-03-27  Antti Koivisto  <antti@apple.com>
    222
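Review bot: the entry (lines 8 to 14 of the hunk) says the parent's recalcStyle() "can destroy the child frame" but never states the consequence, namely that the remainder of FrameView::layout() then runs on a freed `this`; naming it as a use-after-free/crash fix would make the severity clear to anyone reading the log or bug 82345. The "No new tests" line (line 16) would also be more useful if it recorded the conditions under which the scenario arises (frame flattening on, child frame re-starting layout from the topmost parent) so a reproducer can be attached later.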
  • trunk/Source/WebCore/page/FrameView.cpp

    r111901 r112283  
    917917        return;
    918918
     919    // Protect the view from being deleted during layout (in recalcStyle)
     920    RefPtr<FrameView> protector(this);
     921
    919922    bool inChildFrameLayoutWithFrameFlattening = isInChildFrameWithFrameFlattening();
    920923
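Review bot: the new position of `RefPtr<FrameView> protector(this)` (lines 919-920) is still below the `return;` on line 917, so whatever condition returns early there runs unprotected; that is only safe if nothing above this point can re-enter recalcStyle(), which should be confirmed against the elided lines. The comment on line 919 should also say why the protector now sits here (the frame-flattening path in which the child view re-starts layout from the parent, computed on line 922); without that, a future cleanup is likely to move it back next to the other flag resets where it used to be.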
     
    936939    m_delayedLayout = false;
    937940    m_setNeedsLayoutWasDeferred = false;
    938 
    939     // Protect the view from being deleted during layout (in recalcStyle)
    940     RefPtr<FrameView> protector(this);
    941941
    942942    if (!m_frame) {
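Review bot: keeping `this` alive does not keep it attached: if the parent's recalcStyle() can destroy the child frame it can also detach this view from its frame, and the existing `if (!m_frame)` check on line 942 only covers the code that follows it. Please confirm that the frame-flattening re-start path, wherever it returns into this function between lines 923 and 939, re-checks `m_frame` (or bails out) before touching frame state; the protector alone turns a use-after-free into a dereference of a detached view, which is better but not yet correct.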