Index: Source/core/page/FrameView.cpp |
diff --git a/Source/core/page/FrameView.cpp b/Source/core/page/FrameView.cpp |
index 1cdd7314885e2f0d434f1fa212f685a041aa4daa..f2a7cfe48279acd45bf293cee8fb8dc45311eb67 100644 |
--- a/Source/core/page/FrameView.cpp |
+++ b/Source/core/page/FrameView.cpp |
@@ -2261,7 +2261,7 @@ void FrameView::scrollToAnchor() |
void FrameView::updateWidget(RenderObject* object) |
{ |
ASSERT(!object->node() || object->node()->isElementNode()); |
- Element* ownerElement = toElement(object->node()); |
+ RefPtr<Element> ownerElement = toElement(object->node()); |
eseidel
2013/04/18 02:14:23
I don't believe that holding onto the Element will
|
// The object may have already been destroyed (thus node cleared), |
// but FrameView holds a manual ref, so it won't have been deleted. |
ASSERT(m_widgetUpdateSet->contains(object)); |
@@ -2277,7 +2277,7 @@ void FrameView::updateWidget(RenderObject* object) |
// FIXME: This could turn into a real virtual dispatch if we defined |
// updateWidget(PluginCreationOption) on HTMLElement. |
if (ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag) || ownerElement->hasTagName(appletTag)) { |
- HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement); |
+ HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement.get()); |
if (pluginElement->needsWidgetUpdate()) |
pluginElement->updateWidget(CreateAnyWidgetType); |
} else |
@@ -2285,6 +2285,7 @@ void FrameView::updateWidget(RenderObject* object) |
// Caution: it's possible the object was destroyed again, since loading a |
// plugin may run any arbitrary JavaScript. |
+ RELEASE_ASSERT(ownerElement->renderer() == embeddedObject); |
eseidel
2013/04/18 00:13:00
Why is crashing the right thing to do here? What
eseidel
2013/04/18 02:14:23
I wouldn't ASSERT, I would just return here. We d
|
embeddedObject->updateWidgetPosition(); |
} |
} |