Oilpan: switch ImageLoader to be prefinalized.
If an ImageLoader for an SVGImage ends up being swept out along with a
FrameView (a ScrollableArea), the former may circuitously end up accessing
the latter via its destructor. Having both be eagerly finalized, or
prefinalized, doesn't guarantee a correct destruction order.
Hence, to address, arrange for the ImageLoader to be finalized/disposed of
first by way of a prefinalizing action.
R=haraken
BUG=491488
Review URL: https://codereview.chromium.org/1226373008
git-svn-id: svn://svn.chromium.org/blink/trunk@198753 bbb929c8-8fbe-4397-9dbb-9b2b20218538
diff --git a/third_party/WebKit/Source/core/loader/ImageLoader.cpp b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
index 9f80239..1488764 100644
--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
@@ -148,10 +148,20 @@
, m_highPriorityClientCount(0)
{
WTF_LOG(Timers, "new ImageLoader %p", this);
+#if ENABLE(OILPAN)
+ ThreadState::current()->registerPreFinalizer(this);
+#endif
}
ImageLoader::~ImageLoader()
{
+#if !ENABLE(OILPAN)
+ dispose();
+#endif
+}
+
+void ImageLoader::dispose()
+{
WTF_LOG(Timers, "~ImageLoader %p; m_hasPendingLoadEvent=%d, m_hasPendingErrorEvent=%d",
this, m_hasPendingLoadEvent, m_hasPendingErrorEvent);
diff --git a/third_party/WebKit/Source/core/loader/ImageLoader.h b/third_party/WebKit/Source/core/loader/ImageLoader.h
index 4c21261..f7e004a 100644
--- a/third_party/WebKit/Source/core/loader/ImageLoader.h
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.h
@@ -59,16 +59,11 @@
typedef EventSender<ImageLoader> ImageEventSender;
class CORE_EXPORT ImageLoader : public NoBaseWillBeGarbageCollectedFinalized<ImageLoader>, public ImageResourceClient {
+ WILL_BE_USING_PRE_FINALIZER(ImageLoader, dispose);
public:
explicit ImageLoader(Element*);
~ImageLoader() override;
- // We must run the destructor in the eager sweeping phase and call
- // m_image->removeClient(this). Otherwise, the ImageResource can invoke
- // didAddClient() for the ImageLoader that is about to die in the current
- // lazy sweeping, and the didAddClient() can access on-heap objects that
- // have already been finalized in the current lazy sweeping.
- EAGERLY_FINALIZE();
DECLARE_TRACE();
enum UpdateFromElementBehavior {
@@ -156,12 +151,20 @@
void willRemoveClient(ImageLoaderClient&);
+ // For Oilpan, we must run dispose() as a prefinalizer and call
+ // m_image->removeClient(this) (and more.) Otherwise, the ImageResource can invoke
+ // didAddClient() for the ImageLoader that is about to die in the current
+ // lazy sweeping, and the didAddClient() can access on-heap objects that
+ // have already been finalized in the current lazy sweeping.
+ void dispose();
+
RawPtrWillBeMember<Element> m_element;
ResourcePtr<ImageResource> m_image;
// FIXME: Oilpan: We might be able to remove this Persistent hack when
// ImageResourceClient is traceable.
GC_PLUGIN_IGNORE("http://crbug.com/383741")
RefPtrWillBePersistent<Element> m_keepAlive;
+
#if ENABLE(OILPAN)
class ImageLoaderClientRemover {
public:
@@ -173,6 +176,7 @@
ImageLoaderClient& m_client;
};
friend class ImageLoaderClientRemover;
+
// Oilpan: This ImageLoader object must outlive its clients because they
// need to call ImageLoader::willRemoveClient before they
// die. Non-Persistent HeapHashMap doesn't work well because weak processing