Description
Harden the machinery around updateWidgetPositions()
updateWidgetPositions() can blow away the RenderView by running script or
calling into plugins. This patch moves it from RenderView to FrameView
since having this method on RenderView which might destroy itself is not
safe. It also switches to using normal RefPtr instead of manually managing
the refcount and finally adds RefPtr to callers of updateWidgetPositions()
to avoid use-after-frees.
There's one final call inside RenderLayerScrollableArea::setScrollOffset
which is not safe but is difficult to mitigate since we're way down a
callstack by the time this call is made which can destroy the render tree
and the RenderLayerScrollableArea. This patch adds a RELEASE_ASSERT to
kill the renderer in case we get into a situation where this happens.
In the future we should detangle this concept entirely so such an
ASSERT isn't needed and so that the render tree can never destroy itself
from the inside.
It's not clear how to write a test for this since you need to get us to
go into the scrolling code with a dirty tree or have a plugin that does
something nefarious.
BUG=322891
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=165052
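The hazard and the fix described above, as an added example that is not Blink's own code: a View whose updateWidgetPositions() calls into a plugin hook that can drop the view's owning reference mid-call, with a local owning reference on the callee side and another on the caller side so the object outlives the call. std::shared_ptr stands in for Blink's RefPtr, and View, Page, pluginHook and runUpdateWithDetachingPlugin are hypothetical names.

```cpp
#include <functional>
#include <memory>

// Count of live View objects, so the test can confirm the View was freed
// only after both protecting references were released.
static int g_viewsAlive = 0;

struct View : std::enable_shared_from_this<View> {
    std::function<void()> pluginHook;  // plugin code run during the update
    int positionsUpdated = 0;
    View() { ++g_viewsAlive; }
    ~View() { --g_viewsAlive; }

    // Hardened update: a local owning reference (RefPtr<View> protect(this)
    // in Blink) keeps *this alive until the function returns, even if the
    // plugin hook drops every other reference. Without it, the increment
    // below would touch freed memory whenever the hook detaches the View.
    void updateWidgetPositions() {
        std::shared_ptr<View> protect = shared_from_this();
        if (pluginHook) pluginHook();
        ++positionsUpdated;  // safe: 'protect' still owns the object
    }
};

struct Page {
    std::shared_ptr<View> view = std::make_shared<View>();

    // Caller side of the fix: take an owning reference before the call so the
    // View can still be inspected afterwards, then release it. Returns true
    // if the update completed, the Page no longer owns the View, and the
    // View was destroyed exactly once the last reference went away.
    bool runUpdateWithDetachingPlugin() {
        // Constructed "nefarious" plugin: it tears the View out of the Page.
        view->pluginHook = [this] { view.reset(); };
        std::shared_ptr<View> protectView = view;
        protectView->updateWidgetPositions();
        bool completed = protectView->positionsUpdated == 1;
        bool detached = (view == nullptr);
        bool stillAlive = g_viewsAlive == 1;   // held only by protectView now
        protectView.reset();                   // last reference dropped here
        return completed && detached && stillAlive && g_viewsAlive == 0;
    }
};

bool demo() { Page page; return page.runUpdateWithDetachingPlugin(); }
```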
Patch Set 1
Total comments: 4
Patch Set 2: Add FIXME