| Index: Source/core/page/FrameView.cpp
|
| diff --git a/Source/core/page/FrameView.cpp b/Source/core/page/FrameView.cpp
|
| index e1f7ea2eef7c9a4a6e6e14cd10a670ffb75ed941..ec91b231a2501f124be41833ee30d171f9650ed5 100644
|
| --- a/Source/core/page/FrameView.cpp
|
| +++ b/Source/core/page/FrameView.cpp
|
| @@ -2202,26 +2202,26 @@ void FrameView::scrollToAnchor()
|
| m_maintainScrollPositionAnchor = anchorNode;
|
| }
|
|
|
| -void FrameView::updateWidget(RenderObject* object)
|
| +bool FrameView::updateWidget(RenderObject* object)
|
| {
|
| ASSERT(!object->node() || object->node()->isElementNode());
|
| - Element* ownerElement = toElement(object->node());
|
| + RefPtr<Element> ownerElement = toElement(object->node());
|
| // The object may have already been destroyed (thus node cleared),
|
| // but FrameView holds a manual ref, so it won't have been deleted.
|
| ASSERT(m_widgetUpdateSet->contains(object));
|
| if (!ownerElement)
|
| - return;
|
| + return true;
|
|
|
| if (object->isEmbeddedObject()) {
|
| RenderEmbeddedObject* embeddedObject = static_cast<RenderEmbeddedObject*>(object);
|
| // No need to update if it's already crashed or known to be missing.
|
| if (embeddedObject->showsUnavailablePluginIndicator())
|
| - return;
|
| + return true;
|
|
|
| // FIXME: This could turn into a real virtual dispatch if we defined
|
| // updateWidget(PluginCreationOption) on HTMLElement.
|
| if (ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag) || ownerElement->hasTagName(appletTag)) {
|
| - HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement);
|
| + HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement.get());
|
| if (pluginElement->needsWidgetUpdate())
|
| pluginElement->updateWidget(CreateAnyWidgetType);
|
| } else
|
| @@ -2229,8 +2229,14 @@ void FrameView::updateWidget(RenderObject* object)
|
|
|
| // Caution: it's possible the object was destroyed again, since loading a
|
| // plugin may run any arbitrary JavaScript.
|
| + if (ownerElement->renderer() != embeddedObject) {
|
| + m_widgetUpdateSet->clear();
|
| + return false;
|
| + }
|
| embeddedObject->updateWidgetPosition();
|
| }
|
| +
|
| + return true;
|
| }
|
|
|
| bool FrameView::updateWidgets()
|
| @@ -2255,7 +2261,8 @@ bool FrameView::updateWidgets()
|
|
|
| for (size_t i = 0; i < size; ++i) {
|
| RenderObject* object = objects[i];
|
| - updateWidget(object);
|
| + if (!updateWidget(object))
|
| + return false;
|
| m_widgetUpdateSet->remove(object);
|
| }
|
|
|
| @@ -2338,6 +2345,9 @@ void FrameView::performPostLayoutTasks()
|
|
|
| m_actionScheduler->resume();
|
|
|
| + // Refetch render view since it can be destroyed by updateWidget()
|
| + // call above.
|
| + renderView = this->renderView();
|
| if (renderView && !renderView->printing()) {
|
| IntSize currentSize;
|
| currentSize = visibleContentRect(IncludeScrollbars).size();
|
|
|
Chromium Code Reviews
Issue 14329005:
UpdateWidget() can fire beforeload event synchronously blowing away RenderArena and its associated … (Closed)
Base URL: svn://svn.chromium.org/blink/trunk