simon.fraser@apple.com authored
Reviewed by Dan Bernstein, Darin Adler.

Re-entrant layout via plug-ins may cause crashes with bad RenderWidgets
https://bugs.webkit.org/show_bug.cgi?id=36675
<rdar://problem/7787617>

Fix two places in the code where RenderWidgets can get destroyed while being iterated over. This can happen when plug-ins execute script from NPP_SetWindow, and that script makes a change to the page that destroys a RenderWidget.

Tests: plugins/reentrant-update-widget-positions.html
       plugins/update-widgets-crash.html

* page/FrameView.cpp:
(WebCore::FrameView::updateWidgets): ref() the RenderEmbeddedObjects that are put into the vector before iterating over them, and deref() them at the end. Rather than checking the m_widgetUpdateSet to see if the RenderWidget is still live, test object->node().
* rendering/RenderView.cpp:
(WebCore::RenderView::RenderView): Initialize some data members to make it more obvious in the debugger that the object is not garbage.
(WebCore::RenderView::updateWidgetPositions): Use a Vector of RenderWidget* to keep the RenderWidgets alive during iteration, by reffing and dereffing them.
* rendering/RenderWidget.h:
(WebCore::RenderWidget::ref): Make this and deref() public.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56646 268f45cc-cd09-0410-ab3c-d52691b4dbfc
9585cfdf
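
The pattern the commit message describes (copy the widgets into a vector, ref() each before iterating, test liveness, deref() at the end), as an added C++ example that is not WebKit's code. `Widget`, `View`, `attached` and `reentrantScenario` are hypothetical names, and `attached` stands in for the `object->node()` liveness test.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Hypothetical stand-in for a manually ref-counted render object.
struct Widget {
    int refCount = 1;               // the owner's reference
    bool attached = true;           // liveness flag, in the role of object->node()
    std::function<void()> onUpdate; // models a plug-in running script re-entrantly
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

struct View {
    std::set<Widget*> widgets;
    Widget* add() { return *widgets.insert(new Widget).first; }
    // May be called re-entrantly: detach and drop the owner's reference.
    void destroy(Widget* w) {
        if (!widgets.erase(w)) return;
        w->attached = false;
        w->deref();
    }
    // Snapshot and ref every widget first so none is freed mid-iteration.
    std::size_t updateWidgetPositions() {
        std::vector<Widget*> snapshot(widgets.begin(), widgets.end());
        for (Widget* w : snapshot) w->ref();
        std::size_t updated = 0;
        for (Widget* w : snapshot) {
            if (!w->attached) continue; // destroyed by an earlier callback
            ++updated;
            if (w->onUpdate) w->onUpdate();
        }
        for (Widget* w : snapshot) w->deref();
        return updated;
    }
};

// Constructed scenario: each callback destroys every other widget; returns {updated, survivors}.
std::pair<std::size_t, std::size_t> reentrantScenario() {
    View v;
    std::vector<Widget*> all = { v.add(), v.add(), v.add() };
    for (Widget* self : all)
        self->onUpdate = [&v, all, self] { for (Widget* o : all) if (o != self) v.destroy(o); };
    std::size_t updated = v.updateWidgetPositions(), survivors = v.widgets.size();
    while (!v.widgets.empty()) v.destroy(*v.widgets.begin());
    return { updated, survivors };
}
```

Iterating `widgets` directly instead of the ref'd snapshot would invalidate the set iterator and touch freed objects as soon as the first callback ran.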