RenderFragmentContainerRange should not hold raw pointers.
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Oct 2017 14:37:19 +0000 (14:37 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Oct 2017 14:37:19 +0000 (14:37 +0000)
https://bugs.webkit.org/show_bug.cgi?id=177854
<rdar://problem/34805954>

Reviewed by Antti Koivisto.

The lifetimes of the objects that m_startFragment and m_endFragment point to are not tied to
the lifetime of RenderFragmentContainerRange.

Covered by existing tests.

* rendering/RenderFragmentedFlow.cpp:
(WebCore::RenderFragmentedFlow::setFragmentRangeForBox):
* rendering/RenderFragmentedFlow.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222847 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFragmentedFlow.cpp
Source/WebCore/rendering/RenderFragmentedFlow.h

index 25c30c7..9fee179 100644 (file)
@@ -1,5 +1,22 @@
 2017-10-04  Zalan Bujtas  <zalan@apple.com>
 
+        RenderFragmentContainerRange should not hold raw pointers.
+        https://bugs.webkit.org/show_bug.cgi?id=177854
+        <rdar://problem/34805954>
+
+        Reviewed by Antti Koivisto.
+
+        m_startFragment and m_endFragment object's lifetimes are not tied to the lifetime of
+        RenderFragmentContainerRange.
+
+        Covered by existing tests.
+
+        * rendering/RenderFragmentedFlow.cpp:
+        (WebCore::RenderFragmentedFlow::setFragmentRangeForBox):
+        * rendering/RenderFragmentedFlow.h:
+
+2017-10-04  Zalan Bujtas  <zalan@apple.com>
+
         RenderMultiColumnSpannerPlaceholder should not hold raw pointers.
         https://bugs.webkit.org/show_bug.cgi?id=177840
         <rdar://problem/34800109>
index 7bdebc8..7d38c78 100644 (file)
@@ -564,20 +564,15 @@ void RenderFragmentedFlow::setFragmentRangeForBox(const RenderBox& box, RenderFr
 {
     ASSERT(hasFragments());
     ASSERT(startFragment && endFragment && startFragment->fragmentedFlow() == this && endFragment->fragmentedFlow() == this);
-
-    auto it = m_fragmentRangeMap.find(&box);
-    if (it == m_fragmentRangeMap.end()) {
-        m_fragmentRangeMap.set(&box, RenderFragmentContainerRange(startFragment, endFragment));
+    auto result = m_fragmentRangeMap.set(&box, RenderFragmentContainerRange(startFragment, endFragment));
+    if (result.isNewEntry)
         return;
-    }
 
     // If nothing changed, just bail.
-    RenderFragmentContainerRange& range = it->value;
+    auto& range = result.iterator->value;
     if (range.startFragment() == startFragment && range.endFragment() == endFragment)
         return;
-
     clearRenderBoxFragmentInfoAndCustomStyle(box, startFragment, endFragment, range.startFragment(), range.endFragment());
-    range.setRange(startFragment, endFragment);
 }
 
 bool RenderFragmentedFlow::hasCachedFragmentRangeForBox(const RenderBox& box) const
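Review bot: The "If nothing changed, just bail" comparison after `m_fragmentRangeMap.set(...)` looks like it can no longer fail. Assuming `HashMap::set` has its usual WTF replace-on-existing semantics, `result.iterator->value` already holds the new start/end fragments, so `range.startFragment() == startFragment && range.endFragment() == endFragment` is always true for an existing entry. That would make the `clearRenderBoxFragmentInfoAndCustomStyle(...)` call unreachable, so state tied to the old range is never cleared when a box moves to a different range. Every call would also reset `m_rangeInvalidated` to true, because the temporary is built through `setRange`. Using `add` keeps the old value for the comparison: `auto result = m_fragmentRangeMap.add(&box, RenderFragmentContainerRange(startFragment, endFragment));`, with `range.setRange(startFragment, endFragment);` restored after the clear call.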
index 57989c2..be404c8 100644 (file)
@@ -31,6 +31,7 @@
 
 #include "LayerFragment.h"
 #include "RenderBlockFlow.h"
+#include "RenderFragmentContainer.h"
 #include <wtf/ListHashSet.h>
 
 namespace WebCore {
@@ -214,11 +215,7 @@ protected:
 
     class RenderFragmentContainerRange {
     public:
-        RenderFragmentContainerRange()
-        {
-            setRange(nullptr, nullptr);
-        }
-
+        RenderFragmentContainerRange() = default;
         RenderFragmentContainerRange(RenderFragmentContainer* start, RenderFragmentContainer* end)
         {
             setRange(start, end);
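Review bot: `RenderFragmentContainerRange() = default;` leaves `m_rangeInvalidated` without an initial value. The removed constructor set it to true via `setRange(nullptr, nullptr)`, and the member declaration in the next hunk (`bool m_rangeInvalidated;`) has no default member initializer. A default-initialized range now carries an indeterminate flag, and reading it through `rangeInvalidated()` is undefined behaviour; a value-initialized one gets false instead of the previous true. Giving the member an initializer keeps the old behaviour: `bool m_rangeInvalidated { true };`. The class body continues past this hunk.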
@@ -226,19 +223,19 @@ protected:
         
         void setRange(RenderFragmentContainer* start, RenderFragmentContainer* end)
         {
-            m_startFragment = start;
-            m_endFragment = end;
+            m_startFragment = makeWeakPtr(start);
+            m_endFragment = makeWeakPtr(end);
             m_rangeInvalidated = true;
         }
 
-        RenderFragmentContainer* startFragment() const { return m_startFragment; }
-        RenderFragmentContainer* endFragment() const { return m_endFragment; }
+        RenderFragmentContainer* startFragment() const { return m_startFragment.get(); }
+        RenderFragmentContainer* endFragment() const { return m_endFragment.get(); }
         bool rangeInvalidated() const { return m_rangeInvalidated; }
         void clearRangeInvalidated() { m_rangeInvalidated = false; }
 
     private:
-        RenderFragmentContainer* m_startFragment;
-        RenderFragmentContainer* m_endFragment;
+        WeakPtr<RenderFragmentContainer> m_startFragment;
+        WeakPtr<RenderFragmentContainer> m_endFragment;
         bool m_rangeInvalidated;
     };