Title: [202716] trunk/Source/WebCore
Revision
202716
Author
an...@apple.com
Date
2016-06-30 16:12:03 -0700 (Thu, 30 Jun 2016)

Log Message

WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver()
https://bugs.webkit.org/show_bug.cgi?id=159307
<rdar://problem/26184868>

Reviewed by Andreas Kling.

Pseudo elements are resolved in RenderTreeUpdater (instead of Style::TreeResolver). Their resolution may trigger
resource loads which can cause synchronous layout (when failing synchronously) and lead to destruction of the
style resolver in post layout task.

No known reliable way to test this.

* style/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::commit):

    Use PostResolutionCallbackDisabler in RenderTreeUpdater similarly to Style::TreeResolver. This prevents
    post layout tasks from running synchronously and closes this particular crash path.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (202715 => 202716)


--- trunk/Source/WebCore/ChangeLog	2016-06-30 22:54:38 UTC (rev 202715)
+++ trunk/Source/WebCore/ChangeLog	2016-06-30 23:12:03 UTC (rev 202716)
@@ -1,3 +1,23 @@
+2016-06-30  Antti Koivisto  <an...@apple.com>
+
+        WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver()
+        https://bugs.webkit.org/show_bug.cgi?id=159307
+        <rdar://problem/26184868>
+
+        Reviewed by Andreas Kling.
+
+        Pseudo elements are resolved in RenderTreeUpdater (instead of Style::TreeResolver). Their resolution may trigger
+        resource loads which can cause synchronous layout (when failing synchronously) and lead to destruction of the
+        the style resolver in post layout task.
+
+        No known reliable way to test this.
+
+        * style/RenderTreeUpdater.cpp:
+        (WebCore::RenderTreeUpdater::commit):
+
+            Use PostResolutionCallbackDisabler in RenderTreeUpdater similarly to Style::TreeResolver. This prevents
+            post layout tasks from running synchronously and closes this particular crash path.
+
 2016-06-30  Antoine Quint  <grao...@apple.com>
 
         Drawing an SVG image into a <canvas> that is not in the DOM draws the wrong region
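Review bot: the added ChangeLog entry carries a duplicated word across the line break ("lead to destruction of the" / "the style resolver in post layout task"); dropping the second "the" before landing would keep the entry clean, since ChangeLog text is rarely revisited afterwards. The rest of the entry matches the log message and names the touched function, which is good.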

Modified: trunk/Source/WebCore/style/RenderTreeUpdater.cpp (202715 => 202716)


--- trunk/Source/WebCore/style/RenderTreeUpdater.cpp	2016-06-30 22:54:38 UTC (rev 202715)
+++ trunk/Source/WebCore/style/RenderTreeUpdater.cpp	2016-06-30 23:12:03 UTC (rev 202716)
@@ -93,6 +93,8 @@
     if (!m_document.shouldCreateRenderers() || !m_document.renderView())
         return;
 
+    Style::PostResolutionCallbackDisabler callbackDisabler(m_document);
+
     m_styleUpdate = WTFMove(styleUpdate);
 
     for (auto* root : findRenderingRoots(*m_styleUpdate))
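Review bot: the new `Style::PostResolutionCallbackDisabler callbackDisabler(m_document);` has no comment explaining why it is there, and the reasoning (pseudo element resolution in RenderTreeUpdater can trigger resource loads that fail synchronously, run layout, and destroy the style resolver) lives only in the ChangeLog. A one-line comment above the declaration, such as "// Pseudo element resolution may trigger resource loads; keep post-resolution callbacks from running synchronously until commit() finishes.", would make the intent visible to the next person touching this function. Placing it after the `shouldCreateRenderers()` / `renderView()` early return is fine, since the disabler then spans the `m_styleUpdate` assignment and the whole rendering-roots loop that follows, which is where the resolution happens.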
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes