Changeset 183788 in webkit
- Timestamp:
- May 4, 2015 8:22:35 PM (9 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 7 edited
-
ChangeLog (modified) (1 diff)
-
page/FrameView.cpp (modified) (1 diff)
-
rendering/RenderFrameBase.cpp (modified) (2 diffs)
-
rendering/RenderObject.cpp (modified) (2 diffs)
-
rendering/RenderView.h (modified) (3 diffs)
-
rendering/RenderWidget.cpp (modified) (1 diff)
-
rendering/RenderWidget.h (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r183783 r183788 1 2015-05-04 Zalan Bujtas <zalan@apple.com> 2 3 RenderWidget::setWidgetGeometry() can end up destroying *this*. 4 https://bugs.webkit.org/show_bug.cgi?id=144601 5 6 Reviewed by Andreas Kling. 7 8 This is a speculative fix to ensure we don't crash on an invalid *this* renderer 9 while flattening the current iframe. 10 Calling RenderWidget::setWidgetGeometry() can result in destroying the current renderer. 11 While it is not a issue in case of normal layout flow as widget positions are updated at post layout, 12 frame flattening initiates this action in the middle of layout. 13 This patch re-introduces refcount model for RenderWidgets so that the renderer is protected during layout 14 when frame flattening is in use. 15 16 * rendering/RenderFrameBase.cpp: 17 (WebCore::RenderFrameBase::layoutWithFlattening): Let's be paranoid about child view. 18 * rendering/RenderObject.cpp: 19 (WebCore::RenderObject::destroy): 20 * rendering/FrameView.cpp: 21 (WebCore::FrameView::layout): 22 * rendering/RenderView.h: 23 * rendering/RenderWidget.cpp: 24 (WebCore::RenderWidget::~RenderWidget): 25 * rendering/RenderWidget.h: 26 (WebCore::RenderWidget::ref): 27 (WebCore::RenderWidget::deref): 28 1 29 2015-05-04 Doug Russell <d_russell@apple.com> 2 30 -
trunk/Source/WebCore/page/FrameView.cpp
r183777 r183788 1362 1362 root->view().repaintRootContents(); 1363 1363 1364 root->view().releaseProtectedRenderWidgets(); 1365 1364 1366 ASSERT(!root->needsLayout()); 1365 1367 -
trunk/Source/WebCore/rendering/RenderFrameBase.cpp
r177259 r183788 55 55 void RenderFrameBase::layoutWithFlattening(bool hasFixedWidth, bool hasFixedHeight) 56 56 { 57 FrameView* childFrameView = childView();58 RenderView* childRoot = child FrameView ? childFrameView->frame().contentRenderer() : 0;57 view().protectRenderWidgetUntilLayoutIsDone(*this); 58 RenderView* childRoot = childView() ? childView()->frame().contentRenderer() : 0; 59 59 60 60 if (!childRoot || !shouldExpandFrame(width(), height(), hasFixedWidth, hasFixedHeight)) { 61 61 updateWidgetPosition(); 62 if (child FrameView)63 child FrameView->layout();62 if (childView()) 63 childView()->layout(); 64 64 clearNeedsLayout(); 65 65 return; … … 84 84 // update again to pass the new width to the child frame 85 85 updateWidgetPosition(); 86 childFrameView->layout(); 86 if (childView()) 87 childView()->layout(); 87 88 } 88 89 89 // expand the frame by setting frame height = content height 90 if (isScrollable || !hasFixedHeight || childRoot->isFrameSet()) 91 setHeight(std::max<LayoutUnit>(height(), childFrameView->contentsHeight() + vBorder)); 92 if (isScrollable || !hasFixedWidth || childRoot->isFrameSet()) 93 setWidth(std::max<LayoutUnit>(width(), childFrameView->contentsWidth() + hBorder)); 94 90 if (childView()) { 91 // expand the frame by setting frame height = content height 92 if (isScrollable || !hasFixedHeight || childRoot->isFrameSet()) 93 setHeight(std::max<LayoutUnit>(height(), childView()->contentsHeight() + vBorder)); 94 if (isScrollable || !hasFixedWidth || childRoot->isFrameSet()) 95 setWidth(std::max<LayoutUnit>(width(), childView()->contentsWidth() + hBorder)); 96 } 95 97 updateWidgetPosition(); 96 98 97 ASSERT(!child FrameView->layoutPending());99 ASSERT(!childView()->layoutPending()); 98 100 ASSERT(!childRoot->needsLayout()); 99 101 ASSERT(!childRoot->firstChild() || !childRoot->firstChild()->firstChildSlow() || !childRoot->firstChild()->firstChildSlow()->needsLayout()); -
trunk/Source/WebCore/rendering/RenderObject.cpp
r183314 r183788 61 61 #include "RenderTheme.h" 62 62 #include "RenderView.h" 63 #include "RenderWidget.h" 63 64 #include "SVGRenderSupport.h" 64 65 #include "Settings.h" … … 2025 2026 2026 2027 willBeDestroyed(); 2028 if (is<RenderWidget>(*this)) { 2029 downcast<RenderWidget>(*this).deref(); 2030 return; 2031 } 2027 2032 delete this; 2028 2033 } -
trunk/Source/WebCore/rendering/RenderView.h
r183636 r183788 27 27 #include "Region.h" 28 28 #include "RenderBlockFlow.h" 29 #include "RenderWidget.h" 29 30 #include "SelectionSubtreeRoot.h" 30 31 #include <memory> … … 245 246 void unscheduleLazyRepaint(RenderBox&); 246 247 248 void protectRenderWidgetUntilLayoutIsDone(RenderWidget& widget) { m_protectedRenderWidgets.append(&widget); } 249 void releaseProtectedRenderWidgets() { m_protectedRenderWidgets.clear(); } 250 247 251 protected: 248 252 virtual void mapLocalToContainer(const RenderLayerModelObject* repaintContainer, TransformState&, MapCoordinatesFlags, bool* wasFixed) const override; … … 363 367 364 368 HashSet<RenderElement*> m_renderersWithPausedImageAnimation; 369 Vector<RefPtr<RenderWidget>> m_protectedRenderWidgets; 365 370 366 371 #if ENABLE(SERVICE_CONTROLS) -
trunk/Source/WebCore/rendering/RenderWidget.cpp
r180063 r183788 107 107 RenderWidget::~RenderWidget() 108 108 { 109 ASSERT(!m_refCount); 109 110 } 110 111 -
trunk/Source/WebCore/rendering/RenderWidget.h
r177259 r183788 75 75 WeakPtr<RenderWidget> createWeakPtr() { return m_weakPtrFactory.createWeakPtr(); } 76 76 77 void ref() { ++m_refCount; } 78 void deref(); 79 77 80 protected: 78 81 RenderWidget(HTMLFrameOwnerElement&, Ref<RenderStyle>&&); … … 103 106 RefPtr<Widget> m_widget; 104 107 IntRect m_clipRect; // The rectangle needs to remain correct after scrolling, so it is stored in content view coordinates, and not clipped to window. 108 unsigned m_refCount { 1 }; 105 109 }; 110 111 inline void RenderWidget::deref() 112 { 113 ASSERT(m_refCount); 114 if (!--m_refCount) 115 delete this; 116 } 106 117 107 118 } // namespace WebCore
Note: See TracChangeset
for help on using the changeset viewer.
