Title: [164718] trunk/Source/WebCore
- Revision: 164718
- Author: zandober...@gmail.com
- Date: 2014-02-26 09:54:28 -0800 (Wed, 26 Feb 2014)
Log Message
REGRESSION(r162947): Document::topDocument() returns an incorrect reference for cached Documents
https://bugs.webkit.org/show_bug.cgi?id=128175
Reviewed by Antti Koivisto.
* dom/Document.cpp:
(WebCore::Document::topDocument): Fall back to pre-r162947 way of determining the top document
when the Document is in page cache or is in the middle of having its render tree destroyed.
In the first case, the determined top document is actually the document currently loaded in the
Frame to which the cached document is still connected, which is obviously not desired. In the
second case the top document is similarly incorrectly deduced, leading to non-deletion of the
proper top document's AXObjectCache. Because of this AccessibilityRenderObjects are not detached
which results in assertions in RenderObject destructor where the objects are found to be still
flagged as in use by the AX cache.
Diff
Modified: trunk/Source/WebCore/ChangeLog (164717 => 164718)
--- trunk/Source/WebCore/ChangeLog 2014-02-26 16:42:06 UTC (rev 164717)
+++ trunk/Source/WebCore/ChangeLog 2014-02-26 17:54:28 UTC (rev 164718)
@@ -1,3 +1,20 @@
+2014-02-26 Zan Dobersek <zdober...@igalia.com>
+
+ REGRESSION(r162947): Document::topDocument() returns an incorrect reference for cached Documents
+ https://bugs.webkit.org/show_bug.cgi?id=128175
+
+ Reviewed by Antti Koivisto.
+
+ * dom/Document.cpp:
+ (WebCore::Document::topDocument): Fall back to pre-r162947 way of determining the top document
+ when the Document is in page cache or is in the middle of having its render tree destroyed.
+ In the first case, the determined top document is actually the document currently loaded in the
+ Frame to which the cached document is still connected, which is obviously not desired. In the
+ second case the top document is similarly incorrectly deduced, leading to non-deletion of the
+ proper top document's AXObjectCache. Because of this AccessibilityRenderObjects are not detached
+ which results in assertions in RenderObject destructor where the objects are found to be still
+ flagged as in use by the AX cache.
+
2014-02-26 Mihnea Ovidenie <mih...@adobe.com>
[CSSRegions] Remove unused method RenderFlowThread::updateLayerToRegionMappings()
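Review bot: The new entry lists only dom/Document.cpp and names no test that covers the regression, even though it describes a concrete failure (assertions in the RenderObject destructor because AccessibilityRenderObjects stay flagged as in use by the AX cache). Please state in the entry which existing tests hit those assertions, or add a test that calls topDocument() on a document in the page cache and list it here, so the fix stays guarded if the special-casing is reworked later.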
Modified: trunk/Source/WebCore/dom/Document.cpp (164717 => 164718)
--- trunk/Source/WebCore/dom/Document.cpp 2014-02-26 16:42:06 UTC (rev 164717)
+++ trunk/Source/WebCore/dom/Document.cpp 2014-02-26 17:54:28 UTC (rev 164718)
@@ -4290,11 +4290,20 @@
Document& Document::topDocument() const
{
- if (!m_frame)
- return const_cast<Document&>(*this);
- // This should always be non-null.
- Document* mainFrameDocument = m_frame->mainFrame().document();
- return mainFrameDocument ? *mainFrameDocument : const_cast<Document&>(*this);
+ // FIXME: This special-casing avoids incorrectly determined top documents during the process
+ // of AXObjectCache teardown or notification posting for cached or being-destroyed documents.
+ if (!m_inPageCache && !m_renderTreeBeingDestroyed) {
+ if (!m_frame)
+ return const_cast<Document&>(*this);
+ // This should always be non-null.
+ Document* mainFrameDocument = m_frame->mainFrame().document();
+ return mainFrameDocument ? *mainFrameDocument : const_cast<Document&>(*this);
+ }
+
+ Document* document = const_cast<Document*>(this);
+ while (Element* element = document->ownerElement())
+ document = &element->document();
+ return *document;
}
PassRefPtr<Attr> Document::createAttribute(const String& name, ExceptionCode& ec)
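Review bot: The FIXME above the `if (!m_inPageCache && !m_renderTreeBeingDestroyed)` check names no tracking bug and does not say what the intended long-term fix is, so the special-casing has nothing that would prompt its removal. After this change topDocument() can return different documents for the same Document depending on those two flags (m_frame->mainFrame().document() on one path, the ownerElement() walk on the other), and the ChangeLog ties a wrong result to the AXObjectCache not being deleted. Please add the bug URL to the FIXME and note in the comment that callers must not cache the returned reference across entry to the page cache or render tree destruction. A smaller point: the carried-over comment "This should always be non-null." sits directly above a null check on mainFrameDocument; either make it an ASSERT or reword the comment.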