Chromium Code Reviews

Unified Diff: Source/core/page/FrameView.cpp

Issue 14329005: UpdateWidget() can fire beforeload event synchronously blowing away RenderArena and its associated … (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 7 years, 8 months ago
Index: Source/core/page/FrameView.cpp
diff --git a/Source/core/page/FrameView.cpp b/Source/core/page/FrameView.cpp
index 1cdd7314885e2f0d434f1fa212f685a041aa4daa..f2a7cfe48279acd45bf293cee8fb8dc45311eb67 100644
--- a/Source/core/page/FrameView.cpp
+++ b/Source/core/page/FrameView.cpp
@@ -2261,7 +2261,7 @@ void FrameView::scrollToAnchor()
void FrameView::updateWidget(RenderObject* object)
{
ASSERT(!object->node() || object->node()->isElementNode());
- Element* ownerElement = toElement(object->node());
+ RefPtr<Element> ownerElement = toElement(object->node());
eseidel 2013/04/18 02:14:23 I don't believe that holding onto the Element will
// The object may have already been destroyed (thus node cleared),
// but FrameView holds a manual ref, so it won't have been deleted.
ASSERT(m_widgetUpdateSet->contains(object));
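Review bot: The RefPtr on the changed line extends the lifetime of the Element only; `object` is still a raw RenderObject*, and the comment just below says it may already have been destroyed. Please add a comment stating what the ref is meant to protect, and handle the renderer's lifetime separately, since holding the Element does not keep its renderer alive. Note also that the ASSERT above permits `object->node()` to be null, so ownerElement can be null here and needs a check before it is dereferenced.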
@@ -2277,7 +2277,7 @@ void FrameView::updateWidget(RenderObject* object)
// FIXME: This could turn into a real virtual dispatch if we defined
// updateWidget(PluginCreationOption) on HTMLElement.
if (ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag) || ownerElement->hasTagName(appletTag)) {
- HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement);
+ HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement.get());
if (pluginElement->needsWidgetUpdate())
pluginElement->updateWidget(CreateAnyWidgetType);
} else
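Review bot: On the changed line, pluginElement is a raw pointer obtained from ownerElement.get() and is used across pluginElement->updateWidget(CreateAnyWidgetType), the call that can run script. It stays valid only because ownerElement is a RefPtr that outlives this block. A short comment saying so would stop a later cleanup from narrowing the RefPtr's scope or reverting it to a raw pointer.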
@@ -2285,6 +2285,7 @@ void FrameView::updateWidget(RenderObject* object)
// Caution: it's possible the object was destroyed again, since loading a
// plugin may run any arbitrary JavaScript.
+ RELEASE_ASSERT(ownerElement->renderer() == embeddedObject);
eseidel 2013/04/18 00:13:00 Why is crashing the right thing to do here? What
eseidel 2013/04/18 02:14:23 I wouldn't ASSERT, I would just return here. We d
embeddedObject->updateWidgetPosition();
}
}
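Review bot: The added RELEASE_ASSERT(ownerElement->renderer() == embeddedObject) makes a release build crash on a condition the comment directly above describes as possible ("the object was destroyed again, since loading a plugin may run any arbitrary JavaScript"). An expected state should be handled, not asserted: return early when the renderer no longer matches, so that embeddedObject->updateWidgetPosition() is never reached with a stale pointer. Pointer equality is also a weak liveness test: if the renderer was freed and a new one was allocated at the same address, the comparison passes on a different object. Taking the renderer fresh from ownerElement after the update and using that would avoid relying on the saved embeddedObject pointer at all.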