Title: [112283] trunk/Source/WebCore
- Revision: 112283
- Author: [email protected]
- Date: 2012-03-27 11:00:50 -0700 (Tue, 27 Mar 2012)
Log Message
Frame flattening: childframe in FrameView::layout() needs protector.
https://bugs.webkit.org/show_bug.cgi?id=82345
Patch by Zalan Bujtas <[email protected]> on 2012-03-27
Reviewed by Kenneth Rohde Christiansen.
RefPtr<FrameView> protector(this) is supposed to protect the current frameview in
FrameView::layout() from being destroyed by recalcStyle().
However, when frame flattening is on and a child frame is re-starting layout from
the topmost parent, the protection is missing and the parent's recalcStyle()
can destroy the child frame.
Moving the protector before the layout re-starting is initiated makes the child frame
safe.
No new tests. Unable to create a test case where this scenario is reproducible.
* page/FrameView.cpp:
(WebCore::FrameView::layout):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/page/FrameView.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (112282 => 112283)
--- trunk/Source/WebCore/ChangeLog 2012-03-27 17:47:39 UTC (rev 112282)
+++ trunk/Source/WebCore/ChangeLog 2012-03-27 18:00:50 UTC (rev 112283)
@@ -1,3 +1,23 @@
+2012-03-27 Zalan Bujtas <[email protected]>
+
+ Frame flattening: childframe in FrameView::layout() needs protector.
+ https://bugs.webkit.org/show_bug.cgi?id=82345
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ RefPtr<FrameView> protector(this) is supposed to protect the current frameview in
+ FrameView::layout() from being destroyed by recalcStyle().
+ However, when frame flattening is on and a child frame is re-starting layout from
+ the topmost parent, the protection is missing and parent's recalcStyle()
+ can destroy the child frame.
+ Moving the protector before the layout re-starting is initiated makes the child frame
+ safe.
+
+ No new tests. Unable to create a test case, where this scenario is reproducible.
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::layout):
+
2012-03-27 Antti Koivisto <[email protected]>
Construct CSSCharsetRule on CSSOM API access only
Modified: trunk/Source/WebCore/page/FrameView.cpp (112282 => 112283)
--- trunk/Source/WebCore/page/FrameView.cpp 2012-03-27 17:47:39 UTC (rev 112282)
+++ trunk/Source/WebCore/page/FrameView.cpp 2012-03-27 18:00:50 UTC (rev 112283)
@@ -916,6 +916,9 @@
if (m_inLayout)
return;
+ // Protect the view from being deleted during layout (in recalcStyle)
+ RefPtr<FrameView> protector(this);
+
bool inChildFrameLayoutWithFrameFlattening = isInChildFrameWithFrameFlattening();
if (inChildFrameLayoutWithFrameFlattening) {
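Review bot: the comment on the hoisted protector still says only "(in recalcStyle)", but the reason it is moved up is the frame-flattening branch that starts immediately below (`if (inChildFrameLayoutWithFrameFlattening) {`), where layout is re-started from the topmost parent and the parent's recalcStyle() can destroy this child view; suggest extending the comment to name that path, e.g. "in recalcStyle, including the parent's recalcStyle() when frame flattening re-starts layout from the topmost parent", so the next person does not move the RefPtr back down.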
@@ -936,9 +939,6 @@
m_delayedLayout = false;
m_setNeedsLayoutWasDeferred = false;
- // Protect the view from being deleted during layout (in recalcStyle)
- RefPtr<FrameView> protector(this);
-
if (!m_frame) {
// FIXME: Do we need to set m_size.width here?
// FIXME: Should we set m_size.height here too?
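Review bot: dropping the RefPtr here is only safe because the identical protector is now constructed near the top of layout(), so the two hunks must land together; the `if (!m_frame)` check that follows should stay as is, since the view is now kept alive across the parent's re-layout even when its frame has been cleared, and that null check is what handles the case.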