Changeset 180051 in webkit

Timestamp:

Feb 13, 2015 9:32:14 AM (9 years ago)

Author:

Antti Koivisto

Message:

Add some RELEASE_ASSERTs to try to catch crashes in StyleResolver::loadPendingImages
​https://bugs.webkit.org/show_bug.cgi?id=141561

Reviewed by Simon Fraser.

One possibility is that loads triggered by loadPendingImages end up synchronously destroying or re-entering
style resolver. Try to catch these in release builds.

• css/StyleResolver.cpp:

(WebCore::StyleResolver::~StyleResolver):
(WebCore::StyleResolver::styleForElement):
(WebCore::StyleResolver::styleForKeyframe):
(WebCore::StyleResolver::styleForPage):
(WebCore::StyleResolver::loadPendingImages):

• css/StyleResolver.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• css/StyleResolver.cpp (modified) (6 diffs)
• css/StyleResolver.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-02-13  Antti Koivisto  <antti@apple.com>
+
+        Add some RELEASE_ASSERTs to try to catch crashes in StyleResolver::loadPendingImages
+        https://bugs.webkit.org/show_bug.cgi?id=141561
+
+        Reviewed by Simon Fraser.
+
+        One possibility is that loads triggered by loadPendingImages end up synchronously destroying or re-entering
+        style resolver. Try to catch these in release builds.
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::~StyleResolver):
+        (WebCore::StyleResolver::styleForElement):
+        (WebCore::StyleResolver::styleForKeyframe):
+        (WebCore::StyleResolver::styleForPage):
+        (WebCore::StyleResolver::loadPendingImages):
+        * css/StyleResolver.h:
+
 2015-02-13  ChangSeok Oh  <changseok.oh@collabora.com>
 

trunk/Source/WebCore/css/StyleResolver.cpp

@@ -141 +141 @@
 #include <bitset>
 #include <wtf/StdLibExtras.h>
+#include <wtf/TemporaryChange.h>
 #include <wtf/Vector.h>
 
@@ -345 +346 @@
 StyleResolver::~StyleResolver()
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
 #if ENABLE(CSS_DEVICE_ADAPTATION)
     m_viewportStyleResolver->clearDocument();
@@ -741 +744 @@
     StyleSharingBehavior sharingBehavior, RuleMatchingBehavior matchingBehavior, const RenderRegion* regionForStyling)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     // Once an element has a renderer, we don't try to destroy it, since otherwise the renderer
     // will vanish if a style recalc happens during loading.
@@ -812 +817 @@
 Ref<RenderStyle> StyleResolver::styleForKeyframe(const RenderStyle* elementStyle, const StyleKeyframe* keyframe, KeyframeValue& keyframeValue)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     MatchResult result;
     result.addMatchedProperties(keyframe->properties());
@@ -979 +986 @@
 Ref<RenderStyle> StyleResolver::styleForPage(int pageIndex)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     m_state.initForStyleResolve(m_document, m_document.documentElement(), m_document.renderStyle());
 
@@ -2429 +2438 @@
 void StyleResolver::loadPendingImages()
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+    TemporaryChange<bool> { m_inLoadPendingImages, true };
+
     if (m_state.pendingImageProperties().isEmpty())
         return;

trunk/Source/WebCore/css/StyleResolver.h

@@ -526 +526 @@
     State m_state;
 
+    // Try to catch a crash. https://bugs.webkit.org/show_bug.cgi?id=141561.
+    bool m_inLoadPendingImages { false };
+
     friend bool operator==(const MatchedProperties&, const MatchedProperties&);
     friend bool operator!=(const MatchedProperties&, const MatchedProperties&);