Title: [222292] trunk/Source/WebCore
Revision
222292
Author
[email protected]
Date
2017-09-20 15:03:06 -0700 (Wed, 20 Sep 2017)

Log Message

FloatingObject should not hold a raw pointer to RootInlineBox.
https://bugs.webkit.org/show_bug.cgi?id=177266

Reviewed by Simon Fraser.

FloatingObject and RootInlineBox objects' lifetimes are very much independent from each other.

Not testable.

* rendering/FloatingObjects.cpp:
(WebCore::FloatingObjects::clearLineBoxTreePointers):
* rendering/FloatingObjects.h:
(WebCore::FloatingObject::originatingLine const):
(WebCore::FloatingObject::clearOriginatingLine):
(WebCore::FloatingObject::setOriginatingLine):
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::removeFloatingObject):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::appendFloatingObjectToLastLine):
(WebCore::RenderBlockFlow::reattachCleanLineFloats):
(WebCore::RenderBlockFlow::determineStartPosition):
* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::RootInlineBox):
* rendering/RootInlineBox.h:
(WebCore::RootInlineBox::createWeakPtr):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (222291 => 222292)


--- trunk/Source/WebCore/ChangeLog	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/ChangeLog	2017-09-20 22:03:06 UTC (rev 222292)
@@ -1,3 +1,31 @@
+2017-09-20  Zalan Bujtas  <[email protected]>
+
+        FloatingObject should not hold a raw pointer to RootInlineBox.
+        https://bugs.webkit.org/show_bug.cgi?id=177266
+
+        Reviewed by Simon Fraser.
+
+        FloatingObject and RootInlineBox objects' lifetimes are very much independent from each other.
+
+        Not testable.
+
+        * rendering/FloatingObjects.cpp:
+        (WebCore::FloatingObjects::clearLineBoxTreePointers):
+        * rendering/FloatingObjects.h:
+        (WebCore::FloatingObject::originatingLine const):
+        (WebCore::FloatingObject::clearOriginatingLine):
+        (WebCore::FloatingObject::setOriginatingLine):
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::RenderBlockFlow::removeFloatingObject):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::appendFloatingObjectToLastLine):
+        (WebCore::RenderBlockFlow::reattachCleanLineFloats):
+        (WebCore::RenderBlockFlow::determineStartPosition):
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::RootInlineBox):
+        * rendering/RootInlineBox.h:
+        (WebCore::RootInlineBox::createWeakPtr):
+
 2017-09-20  Chris Dumez  <[email protected]>
 
         Drop legacy DOMError type

Modified: trunk/Source/WebCore/rendering/FloatingObjects.cpp (222291 => 222292)


--- trunk/Source/WebCore/rendering/FloatingObjects.cpp	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/FloatingObjects.cpp	2017-09-20 22:03:06 UTC (rev 222292)
@@ -263,7 +263,7 @@
     // Clear references to originating lines, since the lines are being deleted
     for (auto it = m_set.begin(), end = m_set.end(); it != end; ++it) {
         ASSERT(!((*it)->originatingLine()) || &((*it)->originatingLine()->renderer()) == &m_renderer);
-        (*it)->setOriginatingLine(0);
+        (*it)->clearOriginatingLine();
     }
 }
 

Modified: trunk/Source/WebCore/rendering/FloatingObjects.h (222291 => 222292)


--- trunk/Source/WebCore/rendering/FloatingObjects.h	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/FloatingObjects.h	2017-09-20 22:03:06 UTC (rev 222292)
@@ -26,6 +26,7 @@
 #include "PODIntervalTree.h"
 #include "RootInlineBox.h"
 #include <wtf/ListHashSet.h>
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -82,8 +83,9 @@
     void setIsDescendant(bool isDescendant) { m_isDescendant = isDescendant; }
 
     // FIXME: Callers of these methods are dangerous and should be whitelisted explicitly or removed.
-    RootInlineBox* originatingLine() const { return m_originatingLine; }
-    void setOriginatingLine(RootInlineBox* line) { m_originatingLine = line; }
+    RootInlineBox* originatingLine() const { return m_originatingLine.get(); }
+    void clearOriginatingLine() { m_originatingLine = nullptr; }
+    void setOriginatingLine(RootInlineBox& line) { m_originatingLine = line.createWeakPtr(); }
 
     LayoutSize locationOffsetOfBorderBox() const
     {
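Review bot: `originatingLine()` still returns a raw `RootInlineBox*` from `m_originatingLine.get()`, so the weak pointer protects only the stored member. A caller that keeps the returned pointer across layout work that can delete line boxes is exposed exactly as before. The existing FIXME does not mention the new null-after-destruction behaviour. I would extend it with `// Returns nullptr once the line has been destroyed; re-query instead of caching the result across anything that can delete line boxes.` The FloatingObject class begins and ends outside this hunk.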
@@ -95,7 +97,7 @@
 
 private:
     RenderBox& m_renderer;
-    RootInlineBox* m_originatingLine { nullptr };
+    WeakPtr<RootInlineBox> m_originatingLine;
     LayoutRect m_frameRect;
     LayoutUnit m_paginationStrut;
     LayoutSize m_marginOffset;

Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (222291 => 222292)


--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2017-09-20 22:03:06 UTC (rev 222292)
@@ -2326,7 +2326,7 @@
                         floatingObject.originatingLine()->markDirty();
                     }
 #if !ASSERT_DISABLED
-                    floatingObject.setOriginatingLine(0);
+                    floatingObject.clearOriginatingLine();
 #endif
                 }
                 markLinesDirtyInBlockRange(0, logicalBottom);
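Review bot: `floatingObject.clearOriginatingLine();` is still compiled only under `#if !ASSERT_DISABLED`, so release builds keep the weak reference to the line that was just marked dirty while debug builds drop it. With a WeakPtr the stale value is no longer a dangling pointer, but clearing unconditionally costs one null assignment and removes the debug/release divergence; if the guard is deliberate, a one-line comment saying why would help. Separately, `originatingLine()` can now yield null after the line is gone, and the check guarding `floatingObject.originatingLine()->markDirty();` is not visible here. The enclosing block of removeFloatingObject begins and ends outside this hunk, so that guard should be confirmed there.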

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (222291 => 222292)


--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2017-09-20 22:03:06 UTC (rev 222292)
@@ -1096,7 +1096,8 @@
 void RenderBlockFlow::appendFloatingObjectToLastLine(FloatingObject& floatingObject)
 {
     ASSERT_WITH_SECURITY_IMPLICATION(!floatingObject.originatingLine());
-    floatingObject.setOriginatingLine(lastRootBox());
+    ASSERT(lastRootBox());
+    floatingObject.setOriginatingLine(*lastRootBox());
     lastRootBox()->appendFloat(floatingObject.renderer());
 }
 
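Review bot: The new `*lastRootBox()` is protected only by a debug-only `ASSERT(lastRootBox());`, so a release build with no root box dereferences null here. The following `lastRootBox()->appendFloat(...)` already had that exposure before this change. Reading the value once keeps the check and both uses on the same pointer: `auto* lastLine = lastRootBox(); ASSERT(lastLine);` then `floatingObject.setOriginatingLine(*lastLine);` and `lastLine->appendFloat(floatingObject.renderer());`. The `setOriginatingLine(*line)` call in the `@@ -1870` hunk likewise relies on a non-null guarantee for `line` that is established outside that hunk.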
@@ -1557,7 +1558,7 @@
             continue;
         }
         ASSERT_WITH_SECURITY_IMPLICATION(!floatingObject->originatingLine());
-        floatingObject->setOriginatingLine(&cleanLine);
+        floatingObject->setOriginatingLine(cleanLine);
         setLogicalHeight(logicalTopForChild(*floatingBox) - marginBeforeForChild(*floatingBox) + delta);
         positionNewFloats();
     }
@@ -1870,7 +1871,7 @@
                     auto* floatingBox = *it;
                     auto* floatingObject = insertFloatingObject(*floatingBox);
                     ASSERT_WITH_SECURITY_IMPLICATION(!floatingObject->originatingLine());
-                    floatingObject->setOriginatingLine(line);
+                    floatingObject->setOriginatingLine(*line);
                     setLogicalHeight(logicalTopForChild(*floatingBox) - marginBeforeForChild(*floatingBox));
                     positionNewFloats();
                     floats.setLastCleanFloat(*floatingBox);

Modified: trunk/Source/WebCore/rendering/RootInlineBox.cpp (222291 => 222292)


--- trunk/Source/WebCore/rendering/RootInlineBox.cpp	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/RootInlineBox.cpp	2017-09-20 22:03:06 UTC (rev 222292)
@@ -43,7 +43,7 @@
 
 struct SameSizeAsRootInlineBox : public InlineFlowBox {
     unsigned variables[7];
-    void* pointers[3];
+    void* pointers[4];
 };
 
 COMPILE_ASSERT(sizeof(RootInlineBox) == sizeof(SameSizeAsRootInlineBox), RootInlineBox_should_stay_small);
@@ -61,6 +61,8 @@
     : InlineFlowBox(block)
     , m_lineBreakPos(0)
     , m_lineBreakObj(nullptr)
+    , m_weakPtrFactory(this)
+
 {
     setIsHorizontal(block.isHorizontalWritingMode());
 }
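Review bot: The added initializer `, m_weakPtrFactory(this)` is followed by a stray blank line before the opening brace of the constructor body; drop it so the initializer list reads as one run. Placing the factory last in the list matches its position as the last member added to RootInlineBox.h in this commit. The constructor's signature line is outside this hunk.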

Modified: trunk/Source/WebCore/rendering/RootInlineBox.h (222291 => 222292)


--- trunk/Source/WebCore/rendering/RootInlineBox.h	2017-09-20 21:59:19 UTC (rev 222291)
+++ trunk/Source/WebCore/rendering/RootInlineBox.h	2017-09-20 22:03:06 UTC (rev 222292)
@@ -22,6 +22,7 @@
 
 #include "BidiContext.h"
 #include "InlineFlowBox.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -38,6 +39,7 @@
 public:
     explicit RootInlineBox(RenderBlockFlow&);
     virtual ~RootInlineBox();
+    WeakPtr<RootInlineBox> createWeakPtr() { return m_weakPtrFactory.createWeakPtr(); }
 
     RenderBlockFlow& blockFlow() const;
 
@@ -227,6 +229,7 @@
     // Floats hanging off the line are pushed into this vector during layout. It is only
     // good for as long as the line has not been marked dirty.
     std::unique_ptr<Vector<RenderBox*>> m_floats;
+    WeakPtrFactory<RootInlineBox> m_weakPtrFactory;
 };
 
 inline RootInlineBox* RootInlineBox::nextRootBox() const
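Review bot: `m_weakPtrFactory` is added as the last data member with no comment, yet that position appears to be load-bearing. Members are destroyed in reverse declaration order, so, assuming WeakPtrFactory revokes its pointers in its destructor, outstanding weak pointers go null before `m_floats` and the other members are torn down. I would document this with `// Keep last: weak pointers must be invalidated before the other members are destroyed.` so a later member is not appended after it. The body of `~RootInlineBox()` still runs before any member is destroyed, so `FloatingObject::originatingLine()` can presumably still return a line that is mid-destruction, which is worth checking against the destructor. The class definition starts outside this hunk and `nextRootBox()` continues past it.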