Title: [210246] trunk/Source/WebCore
- Revision: 210246
- Author: [email protected]
- Date: 2017-01-03 12:46:08 -0800 (Tue, 03 Jan 2017)
Log Message
REGRESSION(r210226): fast/history/back-from-page-with-focused-iframe.html crashes under GuardMalloc
<https://webkit.org/b/166657>
<rdar://problem/29848806>
Reviewed by Antti Koivisto.
The problem was that tearDownRenderers() would cause Widget hierarchy updates to commit
before returning, which is just before Document clears its m_renderView pointer.
This led to an awkward callback into Page::setActivityState() which ended up trying
to clear the selection inside a partially dead render tree.
Fix this by adding a WidgetHierarchyUpdatesSuspensionScope to Document::destroyRenderTree()
which ensures that Widget updates don't happen until after Document::m_renderView is cleared.
* dom/Document.cpp:
(WebCore::Document::destroyRenderTree):
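The ordering the log message describes, as an added example that is not WebKit code: a minimal model of the RAII suspension-scope pattern the fix relies on. The class and member names mirror WebCore's (WidgetHierarchyUpdatesSuspensionScope, Document::m_renderView, tearDownRenderers), but the pending-update queue, the RenderView stand-in and the selection-clearing callback are hypothetical. It runs the same teardown twice, once committing Widget updates synchronously inside tearDownRenderers() and once with the scope deferring them to function exit, and records what the callback saw in each case.

```cpp
// Added example, not WebKit code: a model of the RAII suspension-scope pattern.
// Names mirror WebCore's; the queue, RenderView and callback bodies are hypothetical.
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Widget-hierarchy updates queue while any suspension scope is alive and
// commit when the outermost scope ends.
static int s_widgetUpdateSuspensionCount = 0;
static std::vector<std::function<void()>> s_pendingWidgetUpdates;

static void commitPendingWidgetUpdates()
{
    // Move the queue out first so updates scheduled during commit are not lost or re-run.
    auto updates = std::move(s_pendingWidgetUpdates);
    s_pendingWidgetUpdates.clear();
    for (auto& update : updates)
        update();
}

class WidgetHierarchyUpdatesSuspensionScope {
public:
    WidgetHierarchyUpdatesSuspensionScope() { ++s_widgetUpdateSuspensionCount; }
    ~WidgetHierarchyUpdatesSuspensionScope()
    {
        // Only the outermost scope commits; nested scopes just decrement.
        if (--s_widgetUpdateSuspensionCount == 0)
            commitPendingWidgetUpdates();
    }
    WidgetHierarchyUpdatesSuspensionScope(const WidgetHierarchyUpdatesSuspensionScope&) = delete;
    WidgetHierarchyUpdatesSuspensionScope& operator=(const WidgetHierarchyUpdatesSuspensionScope&) = delete;
};

static void scheduleWidgetHierarchyUpdate(std::function<void()> update)
{
    s_pendingWidgetUpdates.push_back(std::move(update));
    if (!s_widgetUpdateSuspensionCount)
        commitPendingWidgetUpdates(); // not suspended: commit synchronously
}

struct RenderView {
    bool beingTornDown = false; // "partially dead" once teardown has started
};

struct Document {
    RenderView* m_renderView = nullptr;
    std::string lastCallbackResult;

    bool hasLivingRenderTree() const { return m_renderView != nullptr; }

    // Stand-in for the Page::setActivityState() path that clears the selection.
    // The null-check is what makes deferring the callback safe.
    void clearSelectionFromActivityStateChange()
    {
        if (!hasLivingRenderTree()) {
            lastCallbackResult = "skipped: no render tree";
            return;
        }
        lastCallbackResult = m_renderView->beingTornDown
            ? "touched partially dead render tree" // the access GuardMalloc would catch
            : "cleared selection";
    }

    void tearDownRenderers()
    {
        m_renderView->beingTornDown = true;
        // Detaching widgets schedules a hierarchy update; unsuspended, it commits right here.
        scheduleWidgetHierarchyUpdate([this] { clearSelectionFromActivityStateChange(); });
    }

    // Before r210246: updates commit inside tearDownRenderers(), before m_renderView is cleared.
    void destroyRenderTreeBefore()
    {
        tearDownRenderers();
        delete m_renderView;
        m_renderView = nullptr;
    }

    // After r210246: the scope defers the commit to its destructor at function exit,
    // by which point m_renderView is already null.
    void destroyRenderTreeAfter()
    {
        WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
        tearDownRenderers();
        delete m_renderView;
        m_renderView = nullptr;
    }
};

std::string runBeforeFix()
{
    Document document;
    document.m_renderView = new RenderView;
    document.destroyRenderTreeBefore();
    return document.lastCallbackResult;
}

std::string runAfterFix()
{
    Document document;
    document.m_renderView = new RenderView;
    document.destroyRenderTreeAfter();
    return document.lastCallbackResult;
}

int main()
{
    std::cout << "before: " << runBeforeFix() << "\n";
    std::cout << "after:  " << runAfterFix() << "\n";
}
```

The model makes the invariant explicit: deferring the commit only helps because the deferred callback re-checks hasLivingRenderTree() and bails out when m_renderView is null. A deferred callback that dereferenced the pointer unconditionally would move the crash from "partially dead tree" to "null pointer" rather than remove it.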
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/dom/Document.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (210245 => 210246)
--- trunk/Source/WebCore/ChangeLog 2017-01-03 20:32:49 UTC (rev 210245)
+++ trunk/Source/WebCore/ChangeLog 2017-01-03 20:46:08 UTC (rev 210246)
@@ -1,5 +1,24 @@
2017-01-03 Andreas Kling <[email protected]>
+ REGRESSION(r210226): fast/history/back-from-page-with-focused-iframe.html crashes under GuardMalloc
+ <https://webkit.org/b/166657>
+ <rdar://problem/29848806>
+
+ Reviewed by Antti Koivisto.
+
+ The problem was that tearDownRenderers() would cause commit Widget hierarchy updates
+ before returning, which is just before Document clears its m_renderView pointer.
+ This led to an awkward callback into Page::setActivityState() which ended up trying
+ to clear the selection inside a partially dead render tree.
+
+ Fix this by adding a WidgetHierarchyUpdatesSuspensionScope to Document::destroyRenderTree()
+ which ensures that Widget updates don't happen until after Document::m_renderView is cleared.
+
+ * dom/Document.cpp:
+ (WebCore::Document::destroyRenderTree):
+
+2017-01-03 Andreas Kling <[email protected]>
+
Placeholder style mechanism leaks CSSFontSelector for first Document styled.
<https://webkit.org/b/166652>
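Review bot: the second line of the new entry, "would cause commit Widget hierarchy updates", is missing a word; suggest "would cause Widget hierarchy updates to commit" (or "would commit Widget hierarchy updates"). The entry also does not say how the change is tested; since the title names the crashing test, a line such as "Covered by the existing test fast/history/back-from-page-with-focused-iframe.html under GuardMalloc" would make it explicit that no new LayoutTest is expected.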
Modified: trunk/Source/WebCore/dom/Document.cpp (210245 => 210246)
--- trunk/Source/WebCore/dom/Document.cpp 2017-01-03 20:32:49 UTC (rev 210245)
+++ trunk/Source/WebCore/dom/Document.cpp 2017-01-03 20:46:08 UTC (rev 210246)
@@ -2203,6 +2203,9 @@
{
ASSERT(hasLivingRenderTree());
+ // Prevent Widget tree changes from committing until the RenderView is dead and gone.
+ WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
+
SetForScope<bool> change(m_renderTreeBeingDestroyed, true);
if (this == &topDocument())
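Review bot: the scope only achieves the ordering the log message describes if m_renderView is cleared before destroyRenderTree() returns, which this hunk does not show; the deferred updates commit in the scope's destructor at function exit, so if the clearing happens in a callee that runs later, or an early return precedes it, the callback would still see a live-but-torn-down tree. Worth confirming in the rest of the function and extending the new comment to say that the updates commit at function exit. Also note the order of the two RAII locals: suspendWidgetHierarchyUpdates is declared before the SetForScope on m_renderTreeBeingDestroyed, so it is destroyed after it, meaning the deferred Widget updates (and any Page::setActivityState() callback they trigger) run with m_renderTreeBeingDestroyed already reset to false; if any code on that path checks renderTreeBeingDestroyed() to bail out, that guard will not fire. If that matters, declare the suspension scope after the SetForScope.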
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes