Bug 180627

Summary: FloatingObjects/FloatingObject classes should hold weak references to renderers
Product: WebKit Reporter: alan <zalan>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, koivisto, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

alan
Reported 2017-12-09 15:55:51 PST
ssia
Attachments
Patch (38.05 KB, patch)
2017-12-09 16:07 PST, alan 		no flags
DetailsFormatted DiffDiff
Patch (38.09 KB, patch)
2017-12-09 16:58 PST, alan 		no flags
DetailsFormatted DiffDiff
Patch (17.35 KB, patch)
2017-12-11 09:42 PST, alan 		no flags
DetailsFormatted DiffDiff
Patch (17.35 KB, patch)
2017-12-11 09:49 PST, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2017-12-09 15:56:27 PST
This is in relation to rdar://problem/35953017
alan
Comment 2 2017-12-09 16:07:12 PST
Created attachment 328920 [details] Patch
Radar WebKit Bug Importer
Comment 3 2017-12-09 16:55:58 PST
<rdar://problem/35954069>
alan
Comment 4 2017-12-09 16:58:50 PST
Created attachment 328925 [details] Patch
Antti Koivisto
Comment 5 2017-12-11 08:34:16 PST
Comment on attachment 328925 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=328925&action=review > Source/WebCore/ChangeLog:3 > + FloatingObjects/FloatingObject classes should not hold references to renderers A weak reference is still a reference. This should probably be retitled. > Source/WebCore/rendering/FloatingObjects.h:50 > - RenderBox& renderer() const { return m_renderer; } > + RenderBox* renderer() const { return m_renderer.get(); } I think you should still be returning a reference as this is semantically still never supposed to return a null. Call sites don't test for a null renderer either. You'll get the same (safe) nullptr dereference crash either way.
alan
Comment 6 2017-12-11 08:38:14 PST
(In reply to Antti Koivisto from comment #5) > Comment on attachment 328925 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=328925&action=review > > > Source/WebCore/ChangeLog:3 > > + FloatingObjects/FloatingObject classes should not hold references to renderers > > A weak reference is still a reference. This should probably be retitled. > > > Source/WebCore/rendering/FloatingObjects.h:50 > > - RenderBox& renderer() const { return m_renderer; } > > + RenderBox* renderer() const { return m_renderer.get(); } > > I think you should still be returning a reference as this is semantically > still never supposed to return a null. Call sites don't test for a null > renderer either. You'll get the same (safe) nullptr dereference crash either > way. With this patch, now they all do. However I think it's okay to go back to the original RenderBox& renderer() as long as it's not stability critical. I'll make that patch and leave this here just in case.
alan
Comment 7 2017-12-11 09:42:14 PST
Created attachment 328988 [details] Patch
WebKit Commit Bot
Comment 8 2017-12-11 09:43:29 PST
Comment on attachment 328988 [details] Patch Rejecting attachment 328988 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 328988, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in Source/WebCore/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/5616414
alan
Comment 9 2017-12-11 09:49:53 PST
Created attachment 328989 [details] Patch
WebKit Commit Bot
Comment 10 2017-12-11 10:23:52 PST
Comment on attachment 328989 [details] Patch Clearing flags on attachment: 328989 Committed r225748: <https://trac.webkit.org/changeset/225748>
WebKit Commit Bot
Comment 11 2017-12-11 10:23:54 PST
All reviewed patches have been landed. Closing bug.
Antti Koivisto
Comment 12 2017-12-11 10:43:05 PST
Comment on attachment 328989 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=328989&action=review > Source/WebCore/rendering/FloatingObjects.cpp:128 > + ComputeFloatOffsetAdapter(RenderBlockFlow& renderer, LayoutUnit lineTop, LayoutUnit lineBottom, LayoutUnit offset) > + : m_renderer(makeWeakPtr(renderer)) It would be nice to keep the const. Is the problem that WeakPtr<const RenderBlockFlow> doesn't work?
alan
Comment 13 2017-12-11 11:00:30 PST
(In reply to Antti Koivisto from comment #12) > Comment on attachment 328989 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=328989&action=review > > > Source/WebCore/rendering/FloatingObjects.cpp:128 > > + ComputeFloatOffsetAdapter(RenderBlockFlow& renderer, LayoutUnit lineTop, LayoutUnit lineBottom, LayoutUnit offset) > > + : m_renderer(makeWeakPtr(renderer)) > > It would be nice to keep the const. Is the problem that > > WeakPtr<const RenderBlockFlow> > > doesn't work? Yeah.
Note You need to log in before you can comment on or make changes to this bug.