Title: [224976] trunk/Source/WebCore
- Revision
- 224976
- Author
- [email protected]
- Date
- 2017-11-17 11:34:32 -0800 (Fri, 17 Nov 2017)
Log Message
Move destroyLeftoverChildren call to RenderObject::destroy
https://bugs.webkit.org/show_bug.cgi?id=179819
Reviewed by Zalan Bujtas.
This is currently called inconsistenly from various willBeDestroyed implementations.
We should always call it before invoking willBeDestroyed.
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::willBeDestroyed):
* rendering/RenderElement.cpp:
(WebCore::RenderElement::willBeDestroyed):
* rendering/RenderElement.h:
(WebCore::RenderElement::setLastChild):
* rendering/RenderInline.cpp:
(WebCore::RenderInline::willBeDestroyed):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::~RenderLayer):
Add some release asserts verifying layer has been detached before destruction.
This would reveal cases where destroyLeftoverChildren was called too late.
* rendering/RenderObject.cpp:
(WebCore::RenderObject::destroy):
Call destroyLeftoverChildren.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (224975 => 224976)
--- trunk/Source/WebCore/ChangeLog 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/ChangeLog 2017-11-17 19:34:32 UTC (rev 224976)
@@ -1,3 +1,32 @@
+2017-11-17 Antti Koivisto <[email protected]>
+
+ Move destroyLeftoverChildren call to RenderObject::destroy
+ https://bugs.webkit.org/show_bug.cgi?id=179819
+
+ Reviewed by Zalan Bujtas.
+
+ This is currently called inconsistenly from various willBeDestroyed implementations.
+ We should always call it before invoking willBeDestroyed.
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::willBeDestroyed):
+ * rendering/RenderElement.cpp:
+ (WebCore::RenderElement::willBeDestroyed):
+ * rendering/RenderElement.h:
+ (WebCore::RenderElement::setLastChild):
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::willBeDestroyed):
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::~RenderLayer):
+
+ Add some release asserts verifying layer has been detached before destruction.
+ This would reveal cases where destroyLeftoverChildren was called too late.
+
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::destroy):
+
+ Call destroyLeftoverChildren.
+
2017-11-17 Said Abou-Hallawa <[email protected]>
SVG scrolling anchor should be reset if the fragmentIdentifier does not exist or is not provided
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-11-17 19:34:32 UTC (rev 224976)
@@ -132,10 +132,6 @@
void RenderBlockFlow::willBeDestroyed()
{
- // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
- // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
- destroyLeftoverChildren();
-
if (!renderTreeBeingDestroyed()) {
if (firstRootBox()) {
// We can't wait for RenderBox::destroy to clear the selection,
Modified: trunk/Source/WebCore/rendering/RenderElement.cpp (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderElement.cpp 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderElement.cpp 2017-11-17 19:34:32 UTC (rev 224976)
@@ -1126,8 +1126,6 @@
if (m_style.hasFixedBackgroundImage() && !settings().fixedBackgroundsPaintRelativeToDocument())
view().frameView().removeSlowRepaintObject(this);
- destroyLeftoverChildren();
-
unregisterForVisibleInViewportCallback();
if (hasCounterNodeMap())
Modified: trunk/Source/WebCore/rendering/RenderElement.h (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderElement.h 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderElement.h 2017-11-17 19:34:32 UTC (rev 224976)
@@ -229,6 +229,8 @@
bool isFirstLetter() const { return m_isFirstLetter; }
void setIsFirstLetter() { m_isFirstLetter = true; }
+ void destroyLeftoverChildren();
+
protected:
enum BaseTypeFlag {
RenderLayerModelObjectFlag = 1 << 0,
@@ -254,7 +256,6 @@
void setFirstChild(RenderObject* child) { m_firstChild = child; }
void setLastChild(RenderObject* child) { m_lastChild = child; }
- void destroyLeftoverChildren();
virtual void styleWillChange(StyleDifference, const RenderStyle& newStyle);
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
Modified: trunk/Source/WebCore/rendering/RenderInline.cpp (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderInline.cpp 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderInline.cpp 2017-11-17 19:34:32 UTC (rev 224976)
@@ -84,10 +84,6 @@
}
#endif
- // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
- // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
- destroyLeftoverChildren();
-
if (!renderTreeBeingDestroyed()) {
if (firstLineBox()) {
// We can't wait for RenderBoxModelObject::destroy to clear the selection,
Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2017-11-17 19:34:32 UTC (rev 224976)
@@ -435,6 +435,10 @@
// we don't need to delete them ourselves.
clearBacking(true);
+
+ // Layer and all its children should be removed from the tree before destruction.
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(renderer().renderTreeBeingDestroyed() || !m_parent);
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(renderer().renderTreeBeingDestroyed() || !m_first);
}
String RenderLayer::name() const
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (224975 => 224976)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2017-11-17 19:29:34 UTC (rev 224975)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2017-11-17 19:34:32 UTC (rev 224976)
@@ -1519,6 +1519,9 @@
RELEASE_ASSERT(!m_previous);
RELEASE_ASSERT(!m_bitfields.beingDestroyed());
+ if (is<RenderElement>(*this))
+ downcast<RenderElement>(*this).destroyLeftoverChildren();
+
m_bitfields.setBeingDestroyed(true);
#if PLATFORM(IOS)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
