Changeset 53899 in webkit

Timestamp:

Jan 26, 2010 9:57:34 PM (14 years ago)

Author:

ap@apple.com

Message:

Reviewed by Darin Adler.

​https://bugs.webkit.org/show_bug.cgi?id=34150
WebKit needs a mechanism to catch stale HashMap entries

It is very difficult to catch stale pointers that are HashMap keys - since a pointer's hash
is just its value, it is very unlikely that any observable problem is reproducible.

This extends hash table consistency checks to check that pointers are referencing allocated
memory blocks, and makes it possible to invoke the checks explicitly (it is not feasible
to enable CHECK_HASHTABLE_CONSISTENCY by default, because that affects performance too much).

• wtf/HashMap.h: (WTF::::checkConsistency): Call through to HashTable implementation. We can add similar calls to HashSet and HashCountedSet, but I haven't seen hard to debug problems with those yet.

• wtf/HashSet.h: (WTF::::remove): The version of checkTableConsistency that's guarded by CHECK_HASHTABLE_CONSISTENCY is now called internalCheckTableConsistency().

• wtf/HashTable.h: (WTF::HashTable::internalCheckTableConsistency): (WTF::HashTable::internalCheckTableConsistencyExceptSize): (WTF::HashTable::checkTableConsistencyExceptSize): Expose checkTableConsistency() even if CHECK_HASHTABLE_CONSISTENCY is off. (WTF::::add): Updated for checkTableConsistency renaming. (WTF::::addPassingHashCode): Ditto. (WTF::::removeAndInvalidate): Ditto. (WTF::::remove): Ditto. (WTF::::rehash): Ditto. (WTF::::checkTableConsistency): The assertion for !shouldExpand() was not correct - this function returns true for tables with m_table == 0. (WTF::::checkTableConsistencyExceptSize): Call checkValueConsistency for key. Potentially, we could do the same for values.

• wtf/HashTraits.h: (WTF::GenericHashTraits::checkValueConsistency): An empty function that can be overridden to add checks. Currently, the only override is for pointer hashes.

• wtf/RefPtrHashMap.h: (WTF::::remove): Updated for checkTableConsistency renaming.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/wtf/HashMap.h (modified) (3 diffs)
• JavaScriptCore/wtf/HashSet.h (modified) (1 diff)
• JavaScriptCore/wtf/HashTable.h (modified) (15 diffs)
• JavaScriptCore/wtf/HashTraits.h (modified) (3 diffs)
• JavaScriptCore/wtf/RefPtrHashMap.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSStyleSelector.cpp (modified) (2 diffs)
• WebCore/dom/CheckedRadioButtons.cpp (modified) (2 diffs)
• WebCore/dom/ContainerNodeAlgorithms.h (modified) (2 diffs)
• WebCore/dom/Document.cpp (modified) (5 diffs)
• WebCore/dom/Document.h (modified) (1 diff)
• WebCore/editing/markup.cpp (modified) (3 diffs)
• WebCore/html/CollectionCache.cpp (modified) (1 diff)
• WebCore/html/CollectionCache.h (modified) (2 diffs)
• WebCore/html/HTMLCollection.cpp (modified) (2 diffs)
• WebCore/html/HTMLFormCollection.cpp (modified) (1 diff)
• WebCore/html/HTMLSelectElement.h (modified) (1 diff)
• WebCore/loader/loader.cpp (modified) (5 diffs)
• WebCore/page/animation/CompositeAnimation.cpp (modified) (12 diffs)
• WebCore/platform/TreeShared.h (modified) (2 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-01-26  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34150
+        WebKit needs a mechanism to catch stale HashMap entries
+
+        It is very difficult to catch stale pointers that are HashMap keys - since a pointer's hash
+        is just its value, it is very unlikely that any observable problem is reproducible.
+
+        This extends hash table consistency checks to check that pointers are referencing allocated
+        memory blocks, and makes it possible to invoke the checks explicitly (it is not feasible
+        to enable CHECK_HASHTABLE_CONSISTENCY by default, because that affects performance too much).
+
+        * wtf/HashMap.h: (WTF::::checkConsistency): Call through to HashTable implementation. We can
+        add similar calls to HashSet and HashCountedSet, but I haven't seen hard to debug problems
+        with those yet.
+
+        * wtf/HashSet.h: (WTF::::remove): The version of checkTableConsistency that's guarded by
+        CHECK_HASHTABLE_CONSISTENCY is now called internalCheckTableConsistency().
+
+        * wtf/HashTable.h:
+        (WTF::HashTable::internalCheckTableConsistency):
+        (WTF::HashTable::internalCheckTableConsistencyExceptSize):
+        (WTF::HashTable::checkTableConsistencyExceptSize):
+        Expose checkTableConsistency() even if CHECK_HASHTABLE_CONSISTENCY is off.
+        (WTF::::add): Updated for checkTableConsistency renaming.
+        (WTF::::addPassingHashCode): Ditto.
+        (WTF::::removeAndInvalidate): Ditto.
+        (WTF::::remove): Ditto.
+        (WTF::::rehash): Ditto.
+        (WTF::::checkTableConsistency): The assertion for !shouldExpand() was not correct - this
+        function returns true for tables with m_table == 0.
+        (WTF::::checkTableConsistencyExceptSize): Call checkValueConsistency for key. Potentially,
+        we could do the same for values.
+
+        * wtf/HashTraits.h:
+        (WTF::GenericHashTraits::checkValueConsistency): An empty function that can be overridden
+        to add checks. Currently, the only override is for pointer hashes.
+
+        * wtf/RefPtrHashMap.h: (WTF::::remove): Updated for checkTableConsistency renaming.
+
 2010-01-26  Lyon Chen  <liachen@rim.com>
 

trunk/JavaScriptCore/wtf/HashMap.h

@@ -101 +101 @@
         template<typename T, typename HashTranslator> pair<iterator, bool> add(const T&, const MappedType&);
 
+        void checkConsistency() const;
+
     private:
         pair<iterator, bool> inlineAdd(const KeyType&, const MappedType&);
@@ -282 +284 @@
         if (it.m_impl == m_impl.end())
             return;
-        m_impl.checkTableConsistency();
+        m_impl.internalCheckTableConsistency();
         m_impl.removeWithoutEntryConsistencyCheck(it.m_impl);
     }
@@ -310 +312 @@
         return result;
     }
+
+    template<typename T, typename U, typename V, typename W, typename X>
+    inline void HashMap<T, U, V, W, X>::checkConsistency() const
+    {
+        m_impl.checkTableConsistency();
+    }
+
 
     template<typename T, typename U, typename V, typename W, typename X>

trunk/JavaScriptCore/wtf/HashSet.h

@@ -225 +225 @@
         if (it.m_impl == m_impl.end())
             return;
-        m_impl.checkTableConsistency();
+        m_impl.internalCheckTableConsistency();
         m_impl.removeWithoutEntryConsistencyCheck(it.m_impl);
     }

trunk/JavaScriptCore/wtf/HashTable.h

@@ -31 +31 @@
 
 #define DUMP_HASHTABLE_STATS 0
+// Enables internal WTF consistency checks that are invoked automatically. Non-WTF callers can call checkTableConsistency() even if internal checks are disabled.
 #define CHECK_HASHTABLE_CONSISTENCY 0
 
@@ -341 +342 @@
         template<typename T, typename HashTranslator> ValueType* lookup(const T&);
 
-#if CHECK_HASHTABLE_CONSISTENCY
+#if !ASSERT_DISABLED
         void checkTableConsistency() const;
 #else
         static void checkTableConsistency() { }
+#endif
+#if CHECK_HASHTABLE_CONSISTENCY
+        void internalCheckTableConsistency() const { checkTableConsistency(); }
+        void internalCheckTableConsistencyExceptSize() const { checkTableConsistencyExceptSize(); }
+#else
+        static void internalCheckTableConsistencyExceptSize() { }
+        static void internalCheckTableConsistency() { }
 #endif
 
@@ -384 +392 @@
         const_iterator makeKnownGoodConstIterator(ValueType* pos) const { return const_iterator(this, pos, m_table + m_tableSize, HashItemKnownGood); }
 
-#if CHECK_HASHTABLE_CONSISTENCY
+#if !ASSERT_DISABLED
         void checkTableConsistencyExceptSize() const;
 #else
-        static void checkTableConsistencyExceptSize() { }
+        static void checkTableConsistencyExceptSize() const { }
 #endif
 
@@ -625 +633 @@
             expand();
 
-        checkTableConsistency();
+        internalCheckTableConsistency();
 
         ASSERT(m_table);
@@ -694 +702 @@
         }
         
-        checkTableConsistency();
+        internalCheckTableConsistency();
         
         return std::make_pair(makeKnownGoodIterator(entry), true);
@@ -710 +718 @@
             expand();
 
-        checkTableConsistency();
+        internalCheckTableConsistency();
 
         FullLookupType lookupResult = fullLookupForWriting<T, HashTranslator>(key);
@@ -739 +747 @@
         }
 
-        checkTableConsistency();
+        internalCheckTableConsistency();
 
         return std::make_pair(makeKnownGoodIterator(entry), true);
@@ -806 +814 @@
     {
         invalidateIterators();
-        checkTableConsistency();
+        internalCheckTableConsistency();
         remove(pos);
     }
@@ -824 +832 @@
             shrink();
 
-        checkTableConsistency();
+        internalCheckTableConsistency();
     }
 
@@ -893 +901 @@
     void HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::rehash(int newTableSize)
     {
-        checkTableConsistencyExceptSize();
+        internalCheckTableConsistencyExceptSize();
 
         int oldTableSize = m_tableSize;
@@ -915 +923 @@
         deallocateTable(oldTable, oldTableSize);
 
-        checkTableConsistency();
+        internalCheckTableConsistency();
     }
 
@@ -982 +990 @@
     }
 
-#if CHECK_HASHTABLE_CONSISTENCY
+#if !ASSERT_DISABLED
 
     template<typename Key, typename Value, typename Extractor, typename HashFunctions, typename Traits, typename KeyTraits>
@@ -988 +996 @@
     {
         checkTableConsistencyExceptSize();
-        ASSERT(!shouldExpand());
+        ASSERT(!m_table || !shouldExpand());
         ASSERT(!shouldShrink());
     }
@@ -1013 +1021 @@
             ASSERT(entry == it.m_position);
             ++count;
+
+            KeyTraits::checkValueConsistency(it->first);
         }
 
@@ -1022 +1032 @@
     }
 
-#endif // CHECK_HASHTABLE_CONSISTENCY
+#endif // ASSERT_DISABLED
 
 #if CHECK_HASHTABLE_ITERATORS

trunk/JavaScriptCore/wtf/HashTraits.h

@@ -27 +27 @@
 #include <limits>
 
+#if OS(DARWIN)
+#include <malloc/malloc.h>
+#endif
+
 namespace WTF {
 
@@ -52 +56 @@
         typedef T TraitType;
         static T emptyValue() { return T(); }
+        static void checkValueConsistency(const T&) { }
     };
 
@@ -80 +85 @@
         static void constructDeletedValue(P*& slot) { slot = reinterpret_cast<P*>(-1); }
         static bool isDeletedValue(P* value) { return value == reinterpret_cast<P*>(-1); }
+#if !ASSERT_DISABLED
+        static void checkValueConsistency(const P* p)
+        {
+#if (defined(USE_SYSTEM_MALLOC) && USE_SYSTEM_MALLOC) || !defined(NDEBUG)
+#if OS(DARWIN)
+            ASSERT(malloc_size(p));
+#elif COMPILER(MSVC)
+            ASSERT(_msize(p));
+#endif
+#endif
+            HashTraits<P>::checkValueConsistency(*p);
+        }
+#endif
     };
 

trunk/JavaScriptCore/wtf/RefPtrHashMap.h

@@ -286 +286 @@
         if (it.m_impl == m_impl.end())
             return;
-        m_impl.checkTableConsistency();
+        m_impl.internalCheckTableConsistency();
         m_impl.removeWithoutEntryConsistencyCheck(it.m_impl);
     }

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-01-26  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34150
+        WebKit needs a mechanism to catch stale HashMap entries
+
+        * WebCore.xcodeproj/project.pbxproj: Added ContainerNodeAlgorithms.h to the project to make
+        it easier to search for.
+
+        * css/CSSStyleSelector.cpp:
+        (WebCore::CSSRuleSet::getIDRules):
+        (WebCore::CSSRuleSet::getClassRules):
+        (WebCore::CSSRuleSet::getTagRules):
+        (WebCore::CSSStyleSelector::keyframeStylesForAnimation):
+        * dom/CheckedRadioButtons.cpp:
+        (WebCore::CheckedRadioButtons::checkedButtonForGroup):
+        (WebCore::CheckedRadioButtons::removeButton):
+        * dom/Document.cpp:
+        (WebCore::Document::getElementById):
+        (WebCore::Document::removeElementById):
+        (WebCore::Document::removeImageMap):
+        (WebCore::Document::getImageMap):
+        (WebCore::Document::nameCollectionInfo):
+        * dom/Document.h:
+        (WebCore::Document::collectionInfo):
+        * editing/markup.cpp:
+        (WebCore::shouldAddNamespaceAttr):
+        (WebCore::appendNamespace):
+        (WebCore::appendStartMarkup):
+        * html/HTMLCollection.cpp:
+        (WebCore::HTMLCollection::namedItems):
+        (WebCore::HTMLCollection::nextNamedItem):
+        * html/HTMLFormCollection.cpp:
+        (WebCore::HTMLFormCollection::formCollectionInfo):
+        * html/HTMLSelectElement.h:
+        (WebCore::HTMLSelectElement::collectionInfo):
+        * loader/loader.cpp:
+        (WebCore::Loader::load):
+        (WebCore::Loader::servePendingRequests):
+        (WebCore::Loader::nonCacheRequestInFlight):
+        (WebCore::Loader::nonCacheRequestComplete):
+        (WebCore::Loader::cancelRequests):
+        * page/animation/CompositeAnimation.cpp:
+        (WebCore::CompositeAnimation::clearRenderer):
+        (WebCore::CompositeAnimation::updateKeyframeAnimations):
+        (WebCore::CompositeAnimation::animate):
+        (WebCore::CompositeAnimation::getAnimatedStyle):
+        (WebCore::CompositeAnimation::setAnimating):
+        (WebCore::CompositeAnimation::timeToNextService):
+        (WebCore::CompositeAnimation::getAnimationForProperty):
+        (WebCore::CompositeAnimation::suspendAnimations):
+        (WebCore::CompositeAnimation::resumeAnimations):
+        (WebCore::CompositeAnimation::isAnimatingProperty):
+        (WebCore::CompositeAnimation::pauseAnimationAtTime):
+        (WebCore::CompositeAnimation::numberOfActiveAnimations):
+        Added checkConsistency checks before lookups in HashMaps with AtomicStringImpl* keys.
+
+        * dom/ContainerNodeAlgorithms.h: (WebCore::removeAllChildrenInContainer): Be sure to notify
+        about removed child nodes that can be deleted immediately.
+
+        * html/CollectionCache.cpp:
+        (WebCore::CollectionCache::checkConsistency):
+        * html/CollectionCache.h:
+        Added a checkConsistency() method that checks both HashMaps in the cache.
+
+        * platform/TreeShared.h:
+        (WebCore::TreeShared::~TreeShared): Assert that m_refCount is null. Since Nodes can be
+        destroyed with operator delete (as done in ContainerNodeAlgorithms), this is important to check.
+        (WebCore::TreeShared::deref): Assert that m_refCount isn't already negative.
+
 2010-01-26  Daniel Bates  <dbates@webkit.org>
 

trunk/WebCore/css/CSSStyleSelector.cpp

@@ -362 +362 @@
                       CSSStyleRule* rule, CSSSelector* sel);
     
-    CSSRuleDataList* getIDRules(AtomicStringImpl* key) { return m_idRules.get(key); }
-    CSSRuleDataList* getClassRules(AtomicStringImpl* key) { return m_classRules.get(key); }
-    CSSRuleDataList* getTagRules(AtomicStringImpl* key) { return m_tagRules.get(key); }
+    CSSRuleDataList* getIDRules(AtomicStringImpl* key) { m_idRules.checkConsistency(); return m_idRules.get(key); }
+    CSSRuleDataList* getClassRules(AtomicStringImpl* key) { m_classRules.checkConsistency(); return m_classRules.get(key); }
+    CSSRuleDataList* getTagRules(AtomicStringImpl* key) { m_tagRules.checkConsistency(); return m_tagRules.get(key); }
     CSSRuleDataList* getUniversalRules() { return m_universalRules; }
     
@@ -1302 +1302 @@
     if (!e || list.animationName().isEmpty())
         return;
-            
+
+    m_keyframesRuleMap.checkConsistency();
+   
     if (!m_keyframesRuleMap.contains(list.animationName().impl()))
         return;

trunk/WebCore/dom/CheckedRadioButtons.cpp

@@ -61 +61 @@
     if (!m_nameToCheckedRadioButtonMap)
         return 0;
+
+    m_nameToCheckedRadioButtonMap->checkConsistency();
     
     return m_nameToCheckedRadioButtonMap->get(name.impl());
@@ -70 +72 @@
         return;
     
+    m_nameToCheckedRadioButtonMap->checkConsistency();
+
     NameToInputMap::iterator it = m_nameToCheckedRadioButtonMap->find(element->name().impl());
     if (it == m_nameToCheckedRadioButtonMap->end() || it->second != element)

trunk/WebCore/dom/ContainerNodeAlgorithms.h

@@ -34 +34 @@
     void addChildNodesToDeletionQueue(GenericNode*& head, GenericNode*& tail, GenericNodeContainer* container);
 
+    template<class GenericNode, bool dispatchRemovalNotification>
+    struct NodeRemovalDispatcher;
+
+    template<class GenericNode>
+    struct ShouldDispatchRemovalNotification;
+
 };
 
@@ -62 +68 @@
             Private::addChildNodesToDeletionQueue<GenericNode, GenericNodeContainer>(head, tail, static_cast<GenericNodeContainer*>(n));
 
+        Private::NodeRemovalDispatcher<GenericNode, Private::ShouldDispatchRemovalNotification<GenericNode>::value>::dispatch(n);
         delete n;
     }

trunk/WebCore/dom/Document.cpp

@@ -885 +885 @@
         return 0;
 
+    m_elementsById.checkConsistency();
+
     Element* element = m_elementsById.get(elementId.impl());
     if (element)
@@ -1076 +1078 @@
 void Document::removeElementById(const AtomicString& elementId, Element* element)
 {
+    m_elementsById.checkConsistency();
+
     if (m_elementsById.get(elementId.impl()) == element)
         m_elementsById.remove(elementId.impl());
@@ -3358 +3362 @@
         return;
 
+    m_imageMapsByName.checkConsistency();
+
     ImageMapsByName::iterator it = m_imageMapsByName.find(name.impl());
     if (it != m_imageMapsByName.end() && it->second == imageMap)
@@ -3370 +3376 @@
     String name = (hashPos < 0 ? url : url.substring(hashPos + 1)).impl();
     AtomicString mapName = isHTMLDocument() ? name.lower() : name;
+    m_imageMapsByName.checkConsistency();
     return m_imageMapsByName.get(mapName.impl());
 }
@@ -4175 +4182 @@
     if (iter == map.end())
         iter = map.add(name.impl(), new CollectionCache).first;
+    iter->second->checkConsistency();
     return iter->second;
 }

trunk/WebCore/dom/Document.h

@@ -350 +350 @@
         unsigned index = type - FirstUnnamedDocumentCachedType;
         ASSERT(index < NumUnnamedDocumentCachedTypes);
+        m_collectionInfo[index].checkConsistency();
         return &m_collectionInfo[index]; 
     }

trunk/WebCore/editing/markup.cpp

@@ -316 +316 @@
 static bool shouldAddNamespaceAttr(const Attribute* attr, HashMap<AtomicStringImpl*, AtomicStringImpl*>& namespaces)
 {
+    namespaces.checkConsistency();
+
     // Don't add namespace attributes twice
     if (attr->name() == XMLNSNames::xmlnsAttr) {
@@ -333 +335 @@
 static void appendNamespace(Vector<UChar>& result, const AtomicString& prefix, const AtomicString& ns, HashMap<AtomicStringImpl*, AtomicStringImpl*>& namespaces)
 {
+    namespaces.checkConsistency();
     if (ns.isEmpty())
         return;
@@ -393 +396 @@
 static void appendStartMarkup(Vector<UChar>& result, const Node* node, const Range* range, EAnnotateForInterchange annotate, bool convertBlocksToInlines = false, HashMap<AtomicStringImpl*, AtomicStringImpl*>* namespaces = 0, RangeFullySelectsNode rangeFullySelectsNode = DoesFullySelectNode)
 {
+    if (namespaces)
+        namespaces->checkConsistency();
+
     bool documentIsHTML = node->document()->isHTMLDocument();
     switch (node->nodeType()) {

trunk/WebCore/html/CollectionCache.cpp

@@ -86 +86 @@
 }
 
+#if !ASSERT_DISABLED
+void CollectionCache::checkConsistency()
+{
+    idCache.checkConsistency();
+    nameCache.checkConsistency();
+}
+#endif
+
 } // namespace WebCore

trunk/WebCore/html/CollectionCache.h

@@ -44 +44 @@
     void swap(CollectionCache&);
 
+    void checkConsistency();
+
     typedef HashMap<AtomicStringImpl*, Vector<Element*>*> NodeCacheMap;
 
@@ -60 +62 @@
 };
 
+#if ASSERT_DISABLED
+    inline void CollectionCache::checkConsistency() { }
+#endif
+
 } // namespace
 

trunk/WebCore/html/HTMLCollection.cpp

@@ -359 +359 @@
     resetCollectionInfo();
     updateNameCache();
-    
+    m_info->checkConsistency();
+
     Vector<Element*>* idResults = m_info->idCache.get(name.impl());
     Vector<Element*>* nameResults = m_info->nameCache.get(name.impl());
@@ -374 +375 @@
 {
     resetCollectionInfo();
+    m_info->checkConsistency();
 
     for (Element* e = itemAfter(m_info->current); e; e = itemAfter(e)) {

trunk/WebCore/html/HTMLFormCollection.cpp

@@ -41 +41 @@
     if (!form->collectionInfo)
         form->collectionInfo = new CollectionCache;
+    form->collectionInfo->checkConsistency();
     return form->collectionInfo;
 }

trunk/WebCore/html/HTMLSelectElement.h

@@ -77 +77 @@
     Node* item(unsigned index);
 
-    CollectionCache* collectionInfo() { return &m_collectionInfo; }
+    CollectionCache* collectionInfo() { m_collectionInfo.checkConsistency(); return &m_collectionInfo; }
 
     void scrollToSelection();

trunk/WebCore/loader/loader.cpp

@@ -126 +126 @@
     KURL url(ParsedURLString, resource->url());
     if (url.protocolInHTTPFamily()) {
+        m_hosts.checkConsistency();
         AtomicString hostName = url.host();
         host = m_hosts.get(hostName.impl());
@@ -170 +171 @@
 
     Vector<Host*> hostsToServe;
+    m_hosts.checkConsistency();
     HostMap::iterator i = m_hosts.begin();
     HostMap::iterator end = m_hosts.end();
@@ -206 +208 @@
     
     AtomicString hostName = url.host();
+    m_hosts.checkConsistency();
     RefPtr<Host> host = m_hosts.get(hostName.impl());
     if (!host) {
@@ -221 +224 @@
     
     AtomicString hostName = url.host();
+    m_hosts.checkConsistency();
     RefPtr<Host> host = m_hosts.get(hostName.impl());
     ASSERT(host);
@@ -237 +241 @@
     
     Vector<Host*> hostsToCancel;
+    m_hosts.checkConsistency();
     HostMap::iterator i = m_hosts.begin();
     HostMap::iterator end = m_hosts.end();

trunk/WebCore/page/animation/CompositeAnimation.cpp

@@ -58 +58 @@
     }
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -187 +188 @@
         return;
 
+    m_keyframeAnimations.checkConsistency();
+
     AnimationNameMap::const_iterator kfend = m_keyframeAnimations.end();
     
@@ -263 +266 @@
     updateTransitions(renderer, currentStyle, targetStyle);
     updateKeyframeAnimations(renderer, currentStyle, targetStyle);
+    m_keyframeAnimations.checkConsistency();
 
     if (currentStyle) {
@@ -296 +300 @@
     }
 
+    m_keyframeAnimations.checkConsistency();
+
     for (Vector<AtomicStringImpl*>::const_iterator it = m_keyframeAnimationOrderMap.begin(); it != m_keyframeAnimationOrderMap.end(); ++it) {
         RefPtr<KeyframeAnimation> keyframeAnimation = m_keyframeAnimations.get(*it);
@@ -316 +322 @@
     }
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -342 +349 @@
     }
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -363 +371 @@
     // So we need to iterate through all animations
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -382 +391 @@
 
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -406 +416 @@
 
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -451 +462 @@
 {
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {
@@ -474 +486 @@
     if (!name)
         return false;
+
+    m_keyframeAnimations.checkConsistency();
 
     RefPtr<KeyframeAnimation> keyframeAnim = m_keyframeAnimations.get(name.impl());
@@ -510 +524 @@
     
     if (!m_keyframeAnimations.isEmpty()) {
+        m_keyframeAnimations.checkConsistency();
         AnimationNameMap::const_iterator animationsEnd = m_keyframeAnimations.end();
         for (AnimationNameMap::const_iterator it = m_keyframeAnimations.begin(); it != animationsEnd; ++it) {

trunk/WebCore/platform/TreeShared.h

@@ -45 +45 @@
     {
         ASSERT(isMainThread());
+        ASSERT(!m_refCount);
         ASSERT(m_deletionHasBegun);
     }
@@ -59 +60 @@
     {
         ASSERT(isMainThread());
+        ASSERT(m_refCount >= 0);
         ASSERT(!m_deletionHasBegun);
         ASSERT(!m_inRemovedLastRefFunction);