Fix <rdar://problem/5452943>
REGRESSION (r25283): Reproducible crash in HTMLObjectElement::getInstance under guard malloc
Calling updateLayoutIgnorePendingStylesheets() may do arbitrary things to the render tree, so
no RenderObjects can be cached across it.
* html/HTMLEmbedElement.cpp:
(WebCore::findWidgetRenderer):
(WebCore::HTMLEmbedElement::getInstance):
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::getInstance):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@25334
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-08-31 Antti Koivisto <antti@apple.com>
+
+ Reviewed by Anders.
+
+ Fix <rdar://problem/5452943>
+ REGRESSION (r25283): Reproducible crash in HTMLObjectElement::getInstance under guard malloc
+
+ Calling updateLayoutIgnorePendingStylesheets() may do arbitrary things to render tree so
+ no RenderObjects can be cached over it.
+
+ * html/HTMLEmbedElement.cpp:
+ (WebCore::findWidgetRenderer):
+ (WebCore::HTMLEmbedElement::getInstance):
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::getInstance):
+
2007-08-31 Anders Carlsson <andersca@apple.com>
Reviewed by Mitz.
}
#if USE(JAVASCRIPTCORE_BINDINGS)
+static inline RenderWidget* findWidgetRenderer(const Node* n)
+{
+ if (!n->renderer())
+ do
+ n = n->parentNode();
+ while (n && !n->hasTagName(objectTag));
+
+ return (n && n->renderer() && n->renderer()->isWidget())
+ ? static_cast<RenderWidget*>(n->renderer()) : 0;
+}
+
KJS::Bindings::Instance *HTMLEmbedElement::getInstance() const
{
Frame* frame = document()->frame();
if (m_instance)
return m_instance.get();
- RenderObject *r = renderer();
- if (!r) {
- Node *p = parentNode();
-
- while (p) {
- if (p->hasTagName(objectTag)) {
- r = p->renderer();
- break;
- }
-
- p = p->parentNode();
- }
- }
-
- if (r && r->isWidget()) {
- RenderWidget* renderWidget = static_cast<RenderWidget*>(r);
-
- if (!renderWidget->widget())
- document()->updateLayoutIgnorePendingStylesheets();
-
- if (Widget* widget = renderWidget->widget())
- m_instance = frame->createScriptInstanceForWidget(widget);
+ RenderWidget* renderWidget = findWidgetRenderer(this);
+ if (renderWidget && !renderWidget->widget()) {
+ document()->updateLayoutIgnorePendingStylesheets();
+ renderWidget = findWidgetRenderer(this);
}
+
+ if (renderWidget && renderWidget->widget())
+ m_instance = frame->createScriptInstanceForWidget(renderWidget->widget());
+
return m_instance.get();
}
#endif
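Review bot: `frame` is read at the top of `getInstance()` and dereferenced in `frame->createScriptInstanceForWidget(...)` only after `updateLayoutIgnorePendingStylesheets()` has run, so it is held across the very call that this change treats as unsafe for renderer pointers. No null check on `frame` is visible in these lines, though one may sit in context the page omits. Whether layout can detach the document from its frame is not shown here and is worth confirming; if it can, move the `document()->frame()` read below the layout call and guard the final step with `if (frame && renderWidget && renderWidget->widget())`. The same pattern applies to the `frame->createScriptInstanceForWidget` call in the HTMLObjectElement.cpp hunk, whose function start lies outside the hunk.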
if (m_instance)
return m_instance.get();
- RenderObject* r = renderer();
-
- if (r && r->isWidget()) {
- RenderWidget* renderWidget = static_cast<RenderWidget*>(r);
-
- if (!renderWidget->widget())
- document()->updateLayoutIgnorePendingStylesheets();
-
- if (Widget* widget = renderWidget->widget())
- m_instance = frame->createScriptInstanceForWidget(widget);
- }
+ RenderWidget* renderWidget = (renderer() && renderer()->isWidget()) ? static_cast<RenderWidget*>(renderer()) : 0;
+ if (renderWidget && !renderWidget->widget()) {
+ document()->updateLayoutIgnorePendingStylesheets();
+ renderWidget = (renderer() && renderer()->isWidget()) ? static_cast<RenderWidget*>(renderer()) : 0;
+ }
+ if (renderWidget && renderWidget->widget())
+ m_instance = frame->createScriptInstanceForWidget(renderWidget->widget());
return m_instance.get();
}
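Review bot: The renderer lookup `(renderer() && renderer()->isWidget()) ? static_cast<RenderWidget*>(renderer()) : 0` is written out twice, before and after the layout call, and nothing in the code says why the second evaluation is required. A later cleanup could collapse it back to a single cached pointer and reintroduce the stale RenderObject access that this commit fixes. I would add a comment on the second assignment, `// Layout may destroy or replace the renderer; look it up again instead of reusing the earlier pointer.`, and consider a small file-local helper mirroring `findWidgetRenderer` in HTMLEmbedElement.cpp so the two lookups cannot drift apart. The start of `getInstance()` is outside this hunk.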