<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186409] releases/WebKitGTK/webkit-2.8</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186409">186409</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-07-07 00:21:38 -0700 (Tue, 07 Jul 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/185484">r185484</a> - Do not crash when the descendant frame tree is destroyed during layout.
https://bugs.webkit.org/show_bug.cgi?id=144540
rdar://problem/20793184

Reviewed by Andreas Kling.

Source/WebCore:

Widget::setFrameRect(), through WebHTMLView layout, could trigger a style recalc, which in turn
could initiate an onBeforeLoad callback.
If javascript happens to destroy the current iframe in the onBeforeLoad callback, we lose the descendant
render tree, including the child FrameView (the iframe element's view). However the RenderIFrame
object stays protected until after the layout is done. (see protectRenderWidgetUntilLayoutIsDone())

Climbing back on the callstack, we need to make sure that
1. the root widget of the descendant render tree (FrameView) stays valid as long as it is needed.
2. RenderFrameBase::layoutWithFlattening() can handle the case when the associated widget (child FrameView) is set to nullptr.
(see RenderWidget::willBeDestroyed() -&gt; setWidget(nullptr))

(and later, when layout is finished this (RenderIFrame) object gets destroyed too.)

Covered by fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.

* page/FrameView.cpp:
(WebCore::FrameView::setFrameRect):
(WebCore::FrameView::updateEmbeddedObject):
(WebCore::FrameView::updateWidgetPositions):
* platform/ScrollView.cpp:
(WebCore::ScrollView::setFrameRect):
* platform/mac/WidgetMac.mm:
(WebCore::Widget::setFrameRect):
* rendering/RenderFrameBase.cpp:
(WebCore::RenderFrameBase::layoutWithFlattening):
(WebCore::RenderFrameBase::childRenderView):
(WebCore::RenderFrameBase::peformLayoutWithFlattening):
* rendering/RenderFrameBase.h:
* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::updateWidgetPosition):
* rendering/RenderWidget.h:

LayoutTests:

Unskip fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.

* TestExpectations:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorepageFrameViewcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/page/FrameView.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreplatformScrollViewcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/ScrollView.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreplatformmacWidgetMacmm">releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/mac/WidgetMac.mm</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorerenderingRenderFrameBasecpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorerenderingRenderFrameBaseh">releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorerenderingRenderWidgetcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorerenderingRenderWidgeth">releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2015-06-11  Zalan Bujtas  &lt;zalan@apple.com&gt;
+
+        Do not crash when the descendant frame tree is destroyed during layout.
+        https://bugs.webkit.org/show_bug.cgi?id=144540
+        rdar://problem/20793184
+
+        Reviewed by Andreas Kling.
+
+        Unskip fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.
+
+        * TestExpectations:
+
</ins><span class="cx"> 2015-06-10  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -1,3 +1,43 @@
</span><ins>+2015-06-11  Zalan Bujtas  &lt;zalan@apple.com&gt;
+
+        Do not crash when the descendant frame tree is destroyed during layout.
+        https://bugs.webkit.org/show_bug.cgi?id=144540
+        rdar://problem/20793184
+
+        Reviewed by Andreas Kling.
+
+        Widget::setFrameRect(), through WebHTMLView layout, could trigger a style recalc, which in turn
+        could initiate an onBeforeLoad callback.
+        If javascript happens to destroy the current iframe in the onBeforeLoad callback, we lose the descendant
+        render tree, including the child FrameView (the iframe element's view). However the RenderIFrame
+        object stays protected until after the layout is done. (see protectRenderWidgetUntilLayoutIsDone())
+
+        Climbing back on the callstack, we need to make sure that
+        1. the root widget of the descendant render tree (FrameView) stays valid as long as it is needed.
+        2. RenderFrameBase::layoutWithFlattening() can handle the case when the associated widget (child FrameView) is set to nullptr.
+        (see RenderWidget::willBeDestroyed() -&gt; setWidget(nullptr))
+
+        (and later, when layout is finished this (RenderIFrame) object gets destroyed too.)
+
+        Covered by fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::setFrameRect):
+        (WebCore::FrameView::updateEmbeddedObject):
+        (WebCore::FrameView::updateWidgetPositions):
+        * platform/ScrollView.cpp:
+        (WebCore::ScrollView::setFrameRect):
+        * platform/mac/WidgetMac.mm:
+        (WebCore::Widget::setFrameRect):
+        * rendering/RenderFrameBase.cpp:
+        (WebCore::RenderFrameBase::layoutWithFlattening):
+        (WebCore::RenderFrameBase::childRenderView):
+        (WebCore::RenderFrameBase::peformLayoutWithFlattening):
+        * rendering/RenderFrameBase.h:
+        * rendering/RenderWidget.cpp:
+        (WebCore::RenderWidget::updateWidgetPosition):
+        * rendering/RenderWidget.h:
+
</ins><span class="cx"> 2015-06-10  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorepageFrameViewcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/page/FrameView.cpp (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/page/FrameView.cpp        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/page/FrameView.cpp        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -436,6 +436,7 @@
</span><span class="cx"> 
</span><span class="cx"> void FrameView::setFrameRect(const IntRect&amp; newRect)
</span><span class="cx"> {
</span><ins>+    Ref&lt;FrameView&gt; protect(*this);
</ins><span class="cx">     IntRect oldRect = frameRect();
</span><span class="cx">     if (newRect == oldRect)
</span><span class="cx">         return;
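Review bot: the new `Ref&lt;FrameView&gt; protect(*this);` at the top of FrameView::setFrameRect carries no comment saying why the view must outlive this call, unlike the matching line in Widget::setFrameRect (WidgetMac.mm), whose comment explains that the platform call can run style recalc/layout and release the last reference. Suggest a one-line comment above it, e.g. `// setFrameRect() can re-enter style recalc and layout through the platform widget, which may release the last reference to this view.` Note also that ScrollView::setFrameRect gains the same protector in this patch; if this override calls through to the base implementation without doing work of its own first, one of the two protectors is redundant and the base-class one alone would do.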
</span><span class="lines">@@ -2907,7 +2908,8 @@
</span><span class="cx">     if (!weakRenderer)
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    embeddedObject.updateWidgetPosition();
</del><ins>+    auto ignoreWidgetState = embeddedObject.updateWidgetPosition();
+    UNUSED_PARAM(ignoreWidgetState);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool FrameView::updateEmbeddedObjects()
</span><span class="lines">@@ -4699,11 +4701,11 @@
</span><span class="cx">     // updateWidgetPosition() can possibly cause layout to be re-entered (via plug-ins running
</span><span class="cx">     // scripts in response to NPP_SetWindow, for example), so we need to keep the Widgets
</span><span class="cx">     // alive during enumeration.
</span><del>-    auto protectedWidgets = collectAndProtectWidgets(m_widgetsInRenderTree);
-
-    for (unsigned i = 0, size = protectedWidgets.size(); i &lt; size; ++i) {
-        if (RenderWidget* renderWidget = RenderWidget::find(protectedWidgets[i].get()))
-            renderWidget-&gt;updateWidgetPosition();
</del><ins>+    for (auto&amp; widget : collectAndProtectWidgets(m_widgetsInRenderTree)) {
+        if (RenderWidget* renderWidget = RenderWidget::find(widget.get())) {
+            auto ignoreWidgetState = renderWidget-&gt;updateWidgetPosition();
+            UNUSED_PARAM(ignoreWidgetState);
+        }
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
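Review bot: in FrameView::updateWidgetPositions the `ChildWidgetState` returned by `renderWidget-&gt;updateWidgetPosition()` is discarded through the `ignoreWidgetState` / `UNUSED_PARAM` pair. That is only safe because `renderWidget` is not touched again after the call within the loop body; a short comment stating that invariant (the renderer may be gone once the call returns) would stop a future edit from using `renderWidget` after it may have been destroyed. The existing comment above the loop talks only about keeping the Widgets alive, not about the RenderWidget itself being destroyed, so extending it by one sentence would cover both hazards.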
<a id="releasesWebKitGTKwebkit28SourceWebCoreplatformScrollViewcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/ScrollView.cpp (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/ScrollView.cpp        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/ScrollView.cpp        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -1041,6 +1041,7 @@
</span><span class="cx"> 
</span><span class="cx"> void ScrollView::setFrameRect(const IntRect&amp; newRect)
</span><span class="cx"> {
</span><ins>+    Ref&lt;ScrollView&gt; protect(*this);
</ins><span class="cx">     IntRect oldRect = frameRect();
</span><span class="cx">     
</span><span class="cx">     if (newRect == oldRect)
</span></span></pre></div>
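Review bot: `Ref&lt;ScrollView&gt; protect(*this);` is taken before the `newRect == oldRect` early return, so every no-op call now pays a ref/deref pair; cheap, but placing the protector just after the equality check keeps the fast path untouched and makes it obvious that only the resizing path can run script. As in WidgetMac.mm, a one-line comment explaining that the resize can trigger style recalc/layout and destroy the view would help readers who have not seen bug 144540.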
<a id="releasesWebKitGTKwebkit28SourceWebCoreplatformmacWidgetMacmm"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/mac/WidgetMac.mm (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/mac/WidgetMac.mm        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/mac/WidgetMac.mm        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -159,7 +159,7 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     // Take a reference to this Widget, because sending messages to outerView can invoke arbitrary
</span><del>-    // code, which can deref it.
</del><ins>+    // code including recalc style/layout, which can deref it.
</ins><span class="cx">     Ref&lt;Widget&gt; protect(*this);
</span><span class="cx"> 
</span><span class="cx">     NSRect frame = rect;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorerenderingRenderFrameBasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.cpp (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.cpp        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.cpp        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -55,23 +55,35 @@
</span><span class="cx"> void RenderFrameBase::layoutWithFlattening(bool hasFixedWidth, bool hasFixedHeight)
</span><span class="cx"> {
</span><span class="cx">     view().protectRenderWidgetUntilLayoutIsDone(*this);
</span><del>-    RenderView* childRoot = childView() ? childView()-&gt;frame().contentRenderer() : 0;
</del><span class="cx"> 
</span><del>-    if (!childRoot || !shouldExpandFrame(width(), height(), hasFixedWidth, hasFixedHeight)) {
-        updateWidgetPosition();
-        if (childView())
-            childView()-&gt;layout();
-        clearNeedsLayout();
</del><ins>+    peformLayoutWithFlattening(hasFixedWidth, hasFixedHeight);
+
+    clearNeedsLayout();
+}
+
+RenderView* RenderFrameBase::childRenderView() const
+{
+    if (!childView())
+        return nullptr;
+    return childView()-&gt;renderView();
+}
+
+void RenderFrameBase::peformLayoutWithFlattening(bool hasFixedWidth, bool hasFixedHeight)
+{
+    if (!childRenderView() || !shouldExpandFrame(width(), height(), hasFixedWidth, hasFixedHeight)) {
+        if (updateWidgetPosition() == ChildWidgetState::ChildWidgetIsDestroyed)
+            return;
+        childView()-&gt;layout();
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // need to update to calculate min/max correctly
</span><del>-    updateWidgetPosition();
-
</del><ins>+    if (updateWidgetPosition() == ChildWidgetState::ChildWidgetIsDestroyed)
+        return;
+    
</ins><span class="cx">     // if scrollbars are off, and the width or height are fixed
</span><span class="cx">     // we obey them and do not expand. With frame flattening
</span><span class="cx">     // no subframe much ever become scrollable.
</span><del>-
</del><span class="cx">     bool isScrollable = frameOwnerElement().scrollingMode() != ScrollbarAlwaysOff;
</span><span class="cx"> 
</span><span class="cx">     // consider iframe inset border
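Review bot: the new helper is spelled `peformLayoutWithFlattening` (missing "r") both in the definition here and in the declaration in RenderFrameBase.h; rename it to `performLayoutWithFlattening` in both places before landing, otherwise the typo propagates into the ChangeLog and future callers. Also, the added line directly after the second `ChildWidgetIsDestroyed` check (`+    ` in the hunk) contains only spaces and will trip the trailing-whitespace style rule. One behavioural point worth a sentence in the ChangeLog: `childRenderView()` replaces `childView()-&gt;frame().contentRenderer()` with `childView()-&gt;renderView()`, and the rest of the function now relies on those returning the same object.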
</span><span class="lines">@@ -80,27 +92,27 @@
</span><span class="cx"> 
</span><span class="cx">     // make sure minimum preferred width is enforced
</span><span class="cx">     if (isScrollable || !hasFixedWidth) {
</span><del>-        setWidth(std::max(width(), childRoot-&gt;minPreferredLogicalWidth() + hBorder));
</del><ins>+        ASSERT(childRenderView());
+        setWidth(std::max(width(), childRenderView()-&gt;minPreferredLogicalWidth() + hBorder));
</ins><span class="cx">         // update again to pass the new width to the child frame
</span><del>-        updateWidgetPosition();
-        if (childView())
-            childView()-&gt;layout();
</del><ins>+        if (updateWidgetPosition() == ChildWidgetState::ChildWidgetIsDestroyed)
+            return;
+        childView()-&gt;layout();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (childView()) {
-        // expand the frame by setting frame height = content height
-        if (isScrollable || !hasFixedHeight || childRoot-&gt;isFrameSet())
-            setHeight(std::max&lt;LayoutUnit&gt;(height(), childView()-&gt;contentsHeight() + vBorder));
-        if (isScrollable || !hasFixedWidth || childRoot-&gt;isFrameSet())
-            setWidth(std::max&lt;LayoutUnit&gt;(width(), childView()-&gt;contentsWidth() + hBorder));
-    }
-    updateWidgetPosition();
</del><ins>+    ASSERT(childView());
+    // expand the frame by setting frame height = content height
+    if (isScrollable || !hasFixedHeight || childRenderView()-&gt;isFrameSet())
+        setHeight(std::max&lt;LayoutUnit&gt;(height(), childView()-&gt;contentsHeight() + vBorder));
+    if (isScrollable || !hasFixedWidth || childRenderView()-&gt;isFrameSet())
+        setWidth(std::max&lt;LayoutUnit&gt;(width(), childView()-&gt;contentsWidth() + hBorder));
</ins><span class="cx"> 
</span><ins>+    if (updateWidgetPosition() == ChildWidgetState::ChildWidgetIsDestroyed)
+        return;
+
</ins><span class="cx">     ASSERT(!childView()-&gt;layoutPending());
</span><del>-    ASSERT(!childRoot-&gt;needsLayout());
-    ASSERT(!childRoot-&gt;firstChild() || !childRoot-&gt;firstChild()-&gt;firstChildSlow() || !childRoot-&gt;firstChild()-&gt;firstChildSlow()-&gt;needsLayout());
-
-    clearNeedsLayout();
</del><ins>+    ASSERT(!childRenderView()-&gt;needsLayout());
+    ASSERT(!childRenderView()-&gt;firstChild() || !childRenderView()-&gt;firstChild()-&gt;firstChildSlow() || !childRenderView()-&gt;firstChild()-&gt;firstChildSlow()-&gt;needsLayout());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> }
</span></span></pre></div>
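Review bot: in the `isScrollable || !hasFixedWidth` block, `childView()-&gt;layout()` runs after the `ChildWidgetIsDestroyed` check, and control then falls through to `ASSERT(childView());` and dereferences `childRenderView()-&gt;isFrameSet()` with no further null check. The removed `if (childView())` guard around the height/width expansion was a real runtime check; replacing it with an ASSERT changes release-build behaviour from "skip" to "dereference null" if laying out the child FrameView can run script and tear down the widget (the same re-entrancy this patch guards against in updateWidgetPosition). Either re-check `childView()` / `childRenderView()` after that layout and return early, or add a comment explaining why child layout cannot destroy the widget at that point.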
<a id="releasesWebKitGTKwebkit28SourceWebCorerenderingRenderFrameBaseh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.h (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.h        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderFrameBase.h        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><span class="cx"> class HTMLFrameElementBase;
</span><ins>+class RenderView;
</ins><span class="cx"> 
</span><span class="cx"> // Base class for RenderFrame and RenderIFrame
</span><span class="cx"> class RenderFrameBase : public RenderWidget {
</span><span class="lines">@@ -44,6 +45,8 @@
</span><span class="cx">     void layoutWithFlattening(bool fixedWidth, bool fixedHeight);
</span><span class="cx"> 
</span><span class="cx"> private:
</span><ins>+    void peformLayoutWithFlattening(bool hasFixedWidth, bool hasFixedHeight);
+    RenderView* childRenderView() const;
</ins><span class="cx">     void widget() const = delete;
</span><span class="cx"> };
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorerenderingRenderWidgetcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.cpp (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.cpp        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.cpp        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -303,15 +303,15 @@
</span><span class="cx">     downcast&lt;FrameView&gt;(*m_widget).setIsOverlapped(isOverlapped);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void RenderWidget::updateWidgetPosition()
</del><ins>+RenderWidget::ChildWidgetState RenderWidget::updateWidgetPosition()
</ins><span class="cx"> {
</span><span class="cx">     if (!m_widget)
</span><del>-        return;
</del><ins>+        return ChildWidgetState::ChildWidgetIsDestroyed;
</ins><span class="cx"> 
</span><span class="cx">     WeakPtr&lt;RenderWidget&gt; weakThis = createWeakPtr();
</span><span class="cx">     bool widgetSizeChanged = updateWidgetGeometry();
</span><del>-    if (!weakThis)
-        return;
</del><ins>+    if (!weakThis || !m_widget)
+        return ChildWidgetState::ChildWidgetIsDestroyed;
</ins><span class="cx"> 
</span><span class="cx">     // if the frame size got changed, or if view needs layout (possibly indicating
</span><span class="cx">     // content size is wrong) we have to do a layout to set the right widget size.
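Review bot: the operand order in `if (!weakThis || !m_widget)` is load-bearing: `weakThis` must be tested first, because reading `m_widget` after `this` has been freed is a use-after-free and the short-circuit is the only thing preventing it; a comment on that line would stop someone from "simplifying" it later. Separately, the early `if (!m_widget) return ChildWidgetState::ChildWidgetIsDestroyed;` reports a renderer that never had a widget as "destroyed". Callers in RenderFrameBase only use the value to skip `childView()-&gt;layout()`, so that is correct today, but the enumerator name promises more than the function checks; document that Destroyed also covers "no widget attached".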
</span><span class="lines">@@ -321,6 +321,7 @@
</span><span class="cx">         if ((widgetSizeChanged || frameView.needsLayout()) &amp;&amp; frameView.frame().page())
</span><span class="cx">             frameView.layout();
</span><span class="cx">     }
</span><ins>+    return ChildWidgetState::ChildWidgetIsValid;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> IntRect RenderWidget::windowClipRect() const
</span></span></pre></div>
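Review bot: `return ChildWidgetState::ChildWidgetIsValid;` is reached after `frameView.layout();` in the block above, but nothing re-checks `weakThis` or `m_widget` once that layout returns. If FrameView::layout can run script and destroy this RenderWidget or its widget, the function reports "valid" to a caller that immediately does `childView()-&gt;layout()` on a null widget. Either repeat `if (!weakThis || !m_widget) return ChildWidgetState::ChildWidgetIsDestroyed;` after the layout call, or add a comment explaining why layout at that point cannot tear down the widget.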
<a id="releasesWebKitGTKwebkit28SourceWebCorerenderingRenderWidgeth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.h (186408 => 186409)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.h        2015-07-07 07:07:02 UTC (rev 186408)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderWidget.h        2015-07-07 07:21:38 UTC (rev 186409)
</span><span class="lines">@@ -67,7 +67,8 @@
</span><span class="cx"> 
</span><span class="cx">     static RenderWidget* find(const Widget*);
</span><span class="cx"> 
</span><del>-    void updateWidgetPosition();
</del><ins>+    enum class ChildWidgetState { ChildWidgetIsValid, ChildWidgetIsDestroyed };
+    ChildWidgetState updateWidgetPosition() WARN_UNUSED_RETURN;
</ins><span class="cx">     WEBCORE_EXPORT IntRect windowClipRect() const;
</span><span class="cx"> 
</span><span class="cx">     bool requiresAcceleratedCompositing() const;
</span></span></pre>
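Review bot: the new `enum class ChildWidgetState` and the `WARN_UNUSED_RETURN` on `updateWidgetPosition()` have no comment describing the contract, which is the whole point of the change: a caller may touch `this` and `widget()` after the call only when it received `ChildWidgetIsValid`. Suggest a comment above the enum, e.g. `// ChildWidgetIsDestroyed means the child widget (or this renderer) was torn down, possibly by script, during the call; callers must return without touching the widget.` The `ChildWidget` prefix on the enumerators is redundant inside `ChildWidgetState` (callers already spell `ChildWidgetState::ChildWidgetIsDestroyed`); `Valid` / `Destroyed` would read cleaner.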
</div>
</div>

</body>
</html>