Never notify of insertedIntoTree during document destruction.
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2012 00:45:17 +0000 (00:45 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2012 00:45:17 +0000 (00:45 +0000)
https://bugs.webkit.org/show_bug.cgi?id=94535

Patch by Elliott Sprehn <esprehn@chromium.org> on 2012-08-20
Reviewed by Eric Seidel.

Never notify of insertedIntoTree during document destruction. Previously, since we
avoid notifying of willBeRemovedFromTree, it's possible we could have gotten several
insertedIntoTree notifications without ever being told we were removed.

No tests needed since this just closes holes related to future code.

* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::appendChildNode): Never call insertedIntoTree during document destruction.
(WebCore::RenderObjectChildList::insertChildNode): Same.
* rendering/RenderRegion.cpp:
(WebCore::RenderRegion::attachRegion): Removed unneeded document destruction check.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@126107 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderObjectChildList.cpp
Source/WebCore/rendering/RenderRegion.cpp

index 925ed08..a7718e4 100644 (file)
@@ -1,3 +1,22 @@
+2012-08-20  Elliott Sprehn  <esprehn@chromium.org>
+
+        Never notify of insertedIntoTree during document destruction.
+        https://bugs.webkit.org/show_bug.cgi?id=94535
+
+        Reviewed by Eric Seidel.
+
+        Never notify of insertedIntoTree during document destruction. Previously since we
+        avoid notifying of willBeRemovedFromTree it's possible we could have gotten several
+        insertedIntoTree notifications without ever being told we were removed.
+
+        No tests needed since this just closes holes related to future code.
+
+        * rendering/RenderObjectChildList.cpp:
+        (WebCore::RenderObjectChildList::appendChildNode): Never call insertedIntoTree during document destruction.
+        (WebCore::RenderObjectChildList::insertChildNode): Same.
+        * rendering/RenderRegion.cpp:
+        (WebCore::RenderRegion::attachRegion): Removed unneeded document destruction check.
+
 2012-08-20  James Robinson  <jamesr@chromium.org>
 
         [chromium] Initialize GraphicsLayerChromium::m_contentsLayerId when setting contents layer
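Review bot: The "No tests needed" line in this entry leaves the new invariant enforced only by the two call-site guards in RenderObjectChildList, so a later caller that invokes insertedIntoTree() directly during teardown would go unnoticed. Consider backing the claim with a debug assertion on the receiving side, for example ASSERT(!documentBeingDestroyed()) at the top of insertedIntoTree(), so that the pairing with willBeRemovedFromTree described here is checked in debug builds rather than only documented.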
index 7864aca..bdb5516 100644 (file)
@@ -138,7 +138,7 @@ void RenderObjectChildList::appendChildNode(RenderObject* owner, RenderObject* n
 
     setLastChild(newChild);
     
-    if (notifyRenderer)
+    if (!owner->documentBeingDestroyed() && notifyRenderer)
         newChild->insertedIntoTree();
 
     if (!owner->documentBeingDestroyed()) {
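Review bot: In appendChildNode the new guard `if (!owner->documentBeingDestroyed() && notifyRenderer)` is immediately followed by a second `if (!owner->documentBeingDestroyed()) {` block, so the same condition is evaluated twice on adjacent statements. Moving the `newChild->insertedIntoTree()` call inside the existing block (as `if (notifyRenderer) newChild->insertedIntoTree();` at its top) would keep all destruction-sensitive work under one check and make it harder for a later edit to update one condition and miss the other.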
@@ -178,7 +178,7 @@ void RenderObjectChildList::insertChildNode(RenderObject* owner, RenderObject* c
 
     child->setParent(owner);
     
-    if (notifyRenderer)
+    if (!owner->documentBeingDestroyed() && notifyRenderer)
         child->insertedIntoTree();
 
     if (!owner->documentBeingDestroyed()) {
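Review bot: The guard added before `child->insertedIntoTree()` in insertChildNode has no comment saying why the notification is skipped during destruction. The reason (willBeRemovedFromTree is not sent during teardown, so insertions must be suppressed too or a renderer could see inserts with no matching removal) is only in the ChangeLog. A one-line comment at this call site, and at the identical one in appendChildNode, would keep someone from dropping the check as redundant with the `if (!owner->documentBeingDestroyed()) {` that follows.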
index f5b4b36..b9b33f3 100644 (file)
@@ -193,9 +193,7 @@ void RenderRegion::layout()
 
 void RenderRegion::attachRegion()
 {
-    if (documentBeingDestroyed())
-        return;
-
+    ASSERT(view());
     ASSERT(!m_flowThread);
     // Initialize the flow thread reference and create the flow thread object if needed.
     // The flow thread lifetime is influenced by the number of regions attached to it,
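Review bot: In attachRegion the removed early return on documentBeingDestroyed() was a runtime check, while its replacement `ASSERT(view())` is compiled out of release builds and tests a different condition. If any path other than the now-guarded insertedIntoTree() notification can reach attachRegion during teardown, release builds will proceed into the flow thread setup where they previously returned. Please confirm that there are no other callers, and consider asserting the actual precondition with ASSERT(!documentBeingDestroyed()) alongside or instead of ASSERT(view()), since the hunk does not show why a non-null view implies the document is not being destroyed.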