| Index: Source/core/rendering/RenderLayerScrollableArea.cpp
|
| diff --git a/Source/core/rendering/RenderLayerScrollableArea.cpp b/Source/core/rendering/RenderLayerScrollableArea.cpp
|
| index 65872f9b9e8b72ba5b7f1fada072e4a73005f9de..ce5dab5a7bd70846861ceff7a76a7110673d385d 100644
|
| --- a/Source/core/rendering/RenderLayerScrollableArea.cpp
|
| +++ b/Source/core/rendering/RenderLayerScrollableArea.cpp
|
| @@ -330,38 +330,34 @@ void RenderLayerScrollableArea::setScrollOffset(const IntPoint& newScrollOffset)
|
| setScrollOffset(toIntSize(newScrollOffset));
|
|
|
| Frame* frame = m_box->frame();
|
| - InspectorInstrumentation::willScrollLayer(m_box);
|
| + ASSERT(frame);
|
|
|
| - RenderView* view = m_box->view();
|
| + RefPtr<FrameView> frameView = m_box->frameView();
|
|
|
| - // We should have a RenderView if we're trying to scroll.
|
| - ASSERT(view);
|
| + InspectorInstrumentation::willScrollLayer(m_box);
|
|
|
| // Update the positions of our child layers (if needed as only fixed layers should be impacted by a scroll).
|
| // We don't update compositing layers, because we need to do a deep update from the compositing ancestor.
|
| - bool inLayout = view ? view->frameView()->isInLayout() : false;
|
| - if (!inLayout) {
|
| + if (!frameView->isInLayout()) {
|
| // If we're in the middle of layout, we'll just update layers once layout has finished.
|
| layer()->updateLayerPositionsAfterOverflowScroll();
|
| - if (view) {
|
| - // Update regions, scrolling may change the clip of a particular region.
|
| - view->frameView()->updateAnnotatedRegions();
|
| - view->updateWidgetPositions();
|
| - }
|
| -
|
| + // Update regions, scrolling may change the clip of a particular region.
|
| + frameView->updateAnnotatedRegions();
|
| + // FIXME: We shouldn't call updateWidgetPositions() here since it might tear down the render tree,
|
| + // for now we just crash to avoid allowing an attacker to use after free.
|
| + frameView->updateWidgetPositions();
|
| + RELEASE_ASSERT(frameView->renderView());
|
| updateCompositingLayersAfterScroll();
|
| }
|
|
|
| RenderLayerModelObject* repaintContainer = m_box->containerForRepaint();
|
| - if (frame) {
|
| - // The caret rect needs to be invalidated after scrolling
|
| - frame->selection().setCaretRectNeedsUpdate();
|
| -
|
| - FloatQuad quadForFakeMouseMoveEvent = FloatQuad(layer()->repainter().repaintRect());
|
| - if (repaintContainer)
|
| - quadForFakeMouseMoveEvent = repaintContainer->localToAbsoluteQuad(quadForFakeMouseMoveEvent);
|
| - frame->eventHandler().dispatchFakeMouseMoveEventSoonInQuad(quadForFakeMouseMoveEvent);
|
| - }
|
| + // The caret rect needs to be invalidated after scrolling
|
| + frame->selection().setCaretRectNeedsUpdate();
|
| +
|
| + FloatQuad quadForFakeMouseMoveEvent = FloatQuad(layer()->repainter().repaintRect());
|
| + if (repaintContainer)
|
| + quadForFakeMouseMoveEvent = repaintContainer->localToAbsoluteQuad(quadForFakeMouseMoveEvent);
|
| + frame->eventHandler().dispatchFakeMouseMoveEventSoonInQuad(quadForFakeMouseMoveEvent);
|
|
|
| bool requiresRepaint = true;
|
|
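Review bot: The `RELEASE_ASSERT(frameView->renderView())` placed after `frameView->updateWidgetPositions()` only detects the case where the whole render tree is gone, which is narrower than the hazard the FIXME describes. If that call can destroy just the subtree that owns `m_box` (and with it this scrollable area) while the RenderView survives, the assert passes and `updateCompositingLayersAfterScroll()`, `m_box->containerForRepaint()`, `layer()->repainter()` and, in the second hunk, `m_box->repaintUsingContainer(...)` would still run on stale objects. I cannot confirm from the hunk whether that is reachable, so it deserves a comment such as `// Only catches full render tree teardown; m_box and layer() are not protected here.` or a check tied to `m_box` itself. Separately, the removed `if (frame)` and `view ?` guards are replaced by a debug-only `ASSERT(frame)` and by no check at all on `frameView` before `frameView->isInLayout()`, while `frame` stays a raw `Frame*` across the widget update and only `frameView` is ref-held; `RELEASE_ASSERT(frame && frameView);` would keep release builds failing closed. The body of `setScrollOffset` starts before this hunk and continues past it.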
|
| @@ -377,7 +373,7 @@ void RenderLayerScrollableArea::setScrollOffset(const IntPoint& newScrollOffset)
|
| }
|
|
|
| // Just schedule a full repaint of our object.
|
| - if (view && requiresRepaint)
|
| + if (requiresRepaint)
|
| m_box->repaintUsingContainer(repaintContainer, pixelSnappedIntRect(layer()->repainter().repaintRect()));
|
|
|
| // Schedule the scroll DOM event.
|
|
|