Add some RELEASE_ASSERTs to try to catch crashes in StyleResolver::loadPendingImages
authorantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Feb 2015 17:32:14 +0000 (17:32 +0000)
committerantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Feb 2015 17:32:14 +0000 (17:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=141561

Reviewed by Simon Fraser.

One possibility is that loads triggered by loadPendingImages end up synchronously destroying or re-entering
the style resolver. Try to catch these in release builds.

* css/StyleResolver.cpp:
(WebCore::StyleResolver::~StyleResolver):
(WebCore::StyleResolver::styleForElement):
(WebCore::StyleResolver::styleForKeyframe):
(WebCore::StyleResolver::styleForPage):
(WebCore::StyleResolver::loadPendingImages):
* css/StyleResolver.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@180051 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/css/StyleResolver.cpp
Source/WebCore/css/StyleResolver.h

index 414e6ee..61b7c02 100644 (file)
@@ -1,3 +1,21 @@
+2015-02-13  Antti Koivisto  <antti@apple.com>
+
+        Add some RELEASE_ASSERTs to try to catch crashes in StyleResolver::loadPendingImages
+        https://bugs.webkit.org/show_bug.cgi?id=141561
+
+        Reviewed by Simon Fraser.
+
+        One possibility is that loads triggered by loadPendingImages end up synchronously destroying or re-entering
+        style resolver. Try to catch these in release builds.
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::~StyleResolver):
+        (WebCore::StyleResolver::styleForElement):
+        (WebCore::StyleResolver::styleForKeyframe):
+        (WebCore::StyleResolver::styleForPage):
+        (WebCore::StyleResolver::loadPendingImages):
+        * css/StyleResolver.h:
+
 2015-02-13  ChangSeok Oh  <changseok.oh@collabora.com>
 
         Div having contentEditable and display:grid cannot be edited if it is empty.
index 113691e..424a8a0 100644 (file)
 #include "XMLNames.h"
 #include <bitset>
 #include <wtf/StdLibExtras.h>
+#include <wtf/TemporaryChange.h>
 #include <wtf/Vector.h>
 
 #if ENABLE(CSS_GRID_LAYOUT)
@@ -344,6 +345,8 @@ void StyleResolver::addKeyframeStyle(PassRefPtr<StyleRuleKeyframes> rule)
 
 StyleResolver::~StyleResolver()
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
 #if ENABLE(CSS_DEVICE_ADAPTATION)
     m_viewportStyleResolver->clearDocument();
 #endif
@@ -740,6 +743,8 @@ static inline bool isAtShadowBoundary(const Element* element)
 Ref<RenderStyle> StyleResolver::styleForElement(Element* element, RenderStyle* defaultParent,
     StyleSharingBehavior sharingBehavior, RuleMatchingBehavior matchingBehavior, const RenderRegion* regionForStyling)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     // Once an element has a renderer, we don't try to destroy it, since otherwise the renderer
     // will vanish if a style recalc happens during loading.
     if (sharingBehavior == AllowStyleSharing && !element->document().haveStylesheetsLoaded() && !element->renderer()) {
@@ -811,6 +816,8 @@ Ref<RenderStyle> StyleResolver::styleForElement(Element* element, RenderStyle* d
 
 Ref<RenderStyle> StyleResolver::styleForKeyframe(const RenderStyle* elementStyle, const StyleKeyframe* keyframe, KeyframeValue& keyframeValue)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     MatchResult result;
     result.addMatchedProperties(keyframe->properties());
 
@@ -978,6 +985,8 @@ PassRefPtr<RenderStyle> StyleResolver::pseudoStyleForElement(Element* element, c
 
 Ref<RenderStyle> StyleResolver::styleForPage(int pageIndex)
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+
     m_state.initForStyleResolve(m_document, m_document.documentElement(), m_document.renderStyle());
 
     m_state.setStyle(RenderStyle::create());
@@ -2428,6 +2437,9 @@ void StyleResolver::loadPendingShapeImage(ShapeValue* shapeValue)
 
 void StyleResolver::loadPendingImages()
 {
+    RELEASE_ASSERT(!m_inLoadPendingImages);
+    TemporaryChange<bool> { m_inLoadPendingImages, true };
+
     if (m_state.pendingImageProperties().isEmpty())
         return;
 
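Review bot: The guard in loadPendingImages is written as an unnamed temporary, `TemporaryChange<bool> { m_inLoadPendingImages, true };`, so it is constructed and destroyed within that single statement and m_inLoadPendingImages is already back to false before any of the pending loads run; as written, the RELEASE_ASSERTs added to ~StyleResolver, styleForElement, styleForKeyframe and styleForPage can never observe a re-entrant load, which defeats the purpose of the change. Give the scope guard a name so it lives until the function returns: `TemporaryChange<bool> changeInLoadPendingImages(m_inLoadPendingImages, true);`. The placement before the empty-properties early return is fine, since the RAII object (presumably restoring the previous value on destruction) unwinds on that path too. The body of loadPendingImages continues outside the hunk, so this assumes no other early exit manipulates the flag.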
index ab65ede..97275d8 100644 (file)
@@ -525,6 +525,9 @@ private:
 
     State m_state;
 
+    // Try to catch a crash. https://bugs.webkit.org/show_bug.cgi?id=141561.
+    bool m_inLoadPendingImages { false };
+
     friend bool operator==(const MatchedProperties&, const MatchedProperties&);
     friend bool operator!=(const MatchedProperties&, const MatchedProperties&);
     friend bool operator==(const MatchRanges&, const MatchRanges&);
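Review bot: The comment on the new m_inLoadPendingImages member says only that it exists to catch a crash and links the bug, but not what the flag means or who checks it, so a later reader cannot tell whether it is safe to read or set elsewhere. Suggest stating the invariant next to the bug link: `// True while loadPendingImages() is running; the style entry points and the destructor RELEASE_ASSERT it is false to detect synchronous re-entry or destruction from image loads.`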