Fix canvas-related crash caused by bad object teardown sequence

third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.cpp

 /*
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2007 Alp Toker <alp@atoker.com>
  * Copyright (C) 2008 Eric Seidel <eric@webkit.org>
  * Copyright (C) 2008 Dirk Schulze <krit@webkit.org>
  * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved.
  * Copyright (C) 2012, 2013 Intel Corporation. All rights reserved.
  * Copyright (C) 2013 Adobe Systems Incorporated. All rights reserved.
  *
@@ skipping 123 matching lines @@
 void CanvasRenderingContext2D::unwindStateStack()
 {
     if (size_t stackSize = m_stateStack.size()) {
         if (SkCanvas* skCanvas = canvas()->existingDrawingCanvas()) {
             while (--stackSize)
                 skCanvas->restore();
         }
     }
 }
 
-CanvasRenderingContext2D::~CanvasRenderingContext2D()
-{
-}
+CanvasRenderingContext2D::~CanvasRenderingContext2D() { }
 
 void CanvasRenderingContext2D::dispose()
 {
     if (m_pruneLocalFontCacheScheduled)
         Platform::current()->currentThread()->removeTaskObserver(this);
 }
 
 void CanvasRenderingContext2D::validateStateStack()
 {
 #if ENABLE(ASSERT)
@@ skipping 22 matching lines @@
 bool CanvasRenderingContext2D::isContextLost() const
 {
     return m_contextLostMode != NotLostContext;
 }
 
 void CanvasRenderingContext2D::loseContext(LostContextMode lostMode)
 {
     if (m_contextLostMode != NotLostContext)
         return;
     m_contextLostMode = lostMode;
-    if (m_contextLostMode == SyntheticLostContext) {
+    if (m_contextLostMode == SyntheticLostContext && canvas()) {
         canvas()->discardImageBuffer();
     }
     m_dispatchContextLostEventTimer.startOneShot(0, BLINK_FROM_HERE);
 }
 
 void CanvasRenderingContext2D::didSetSurfaceSize()
 {
     if (!m_contextRestorable)
         return;
     // This code path is for restoring from an eviction
@@ skipping 14 matching lines @@
 DEFINE_TRACE(CanvasRenderingContext2D)
 {
     visitor->trace(m_hitRegionManager);
     CanvasRenderingContext::trace(visitor);
     BaseRenderingContext2D::trace(visitor);
     SVGResourceClient::trace(visitor);
 }
 
 void CanvasRenderingContext2D::dispatchContextLostEvent(Timer<CanvasRenderingContext2D>*)
 {
-    if (contextLostRestoredEventsEnabled()) {
+    if (canvas() && contextLostRestoredEventsEnabled()) {
         Event* event = Event::createCancelable(EventTypeNames::contextlost);
         canvas()->dispatchEvent(event);
         if (event->defaultPrevented()) {
             m_contextRestorable = false;
         }
     }
 
     // If RealLostContext, it means the context was not lost due to surface failure
     // but rather due to a an eviction, which means image buffer exists.
     if (m_contextRestorable && m_contextLostMode == RealLostContext) {
         m_tryRestoreContextAttemptCount = 0;
         m_tryRestoreContextEventTimer.startRepeating(TryRestoreContextInterval, BLINK_FROM_HERE);
     }
 }
 
 void CanvasRenderingContext2D::tryRestoreContextEvent(Timer<CanvasRenderingContext2D>* timer)
 {
     if (m_contextLostMode == NotLostContext) {
         // Canvas was already restored (possibly thanks to a resize), so stop trying.
         m_tryRestoreContextEventTimer.stop();
         return;
     }
 
-    ASSERT(m_contextLostMode == RealLostContext);
+    DCHECK(m_contextLostMode == RealLostContext);
     if (canvas()->hasImageBuffer() && canvas()->buffer()->restoreSurface()) {
         m_tryRestoreContextEventTimer.stop();
         dispatchContextRestoredEvent(nullptr);
     }
 
     if (++m_tryRestoreContextAttemptCount > MaxTryRestoreContextAttempts) {
         // final attempt: allocate a brand new image buffer instead of restoring
         canvas()->discardImageBuffer();
         m_tryRestoreContextEventTimer.stop();
         if (canvas()->buffer())
@@ skipping 246 matching lines @@
 void CanvasRenderingContext2D::schedulePruneLocalFontCacheIfNeeded()
 {
     if (m_pruneLocalFontCacheScheduled)
         return;
     m_pruneLocalFontCacheScheduled = true;
     Platform::current()->currentThread()->addTaskObserver(this);
 }
 
 void CanvasRenderingContext2D::didProcessTask()
 {
+    Platform::current()->currentThread()->removeTaskObserver(this);
+
+    // This should be the only place where canvas() needs to be checked for nullness
+    // because the circular refence with HTMLCanvasElement mean the canvas and the
+    // context keep each other alive as long as the pair is referenced the task
+    // observer is the only persisten refernce to this object that is not traced,
+    // so didProcessTask() may be call at a time when the canvas has been garbage
+    // collected but not the context.
+    if (!canvas())
+        return;
+
     // The rendering surface needs to be prepared now because it will be too late
     // to create a layer once we are in the paint invalidation phase.
     canvas()->prepareSurfaceForPaintingIfNeeded();
 
     pruneLocalFontCache(canvas()->document().canvasFontCache()->maxFonts());
     m_pruneLocalFontCacheScheduled = false;
-    Platform::current()->currentThread()->removeTaskObserver(this);
 }
 
 void CanvasRenderingContext2D::pruneLocalFontCache(size_t targetSize)
 {
     if (targetSize == 0) {
         // Short cut: LRU does not matter when evicting everything
         m_fontLRUList.clear();
         m_fontsResolvedUsingCurrentStyle.clear();
         return;
     }
@@ skipping 518 matching lines @@
 
 unsigned CanvasRenderingContext2D::hitRegionsCount() const
 {
     if (m_hitRegionManager)
         return m_hitRegionManager->getHitRegionsCount();
 
     return 0;
 }
 
 } // namespace blink