Google Git
Sign in
chromium / chromium / src / 2d604fe38c5feb78c4182e79e565f5410f78ac8a^! / .
commit2d604fe38c5feb78c4182e79e565f5410f78ac8a[log] [tgz]
authorsigbjornf@opera.com <sigbjornf@opera.com>Mon Jul 13 06:50:37 2015
committersigbjornf@opera.com <sigbjornf@opera.com>Mon Jul 13 06:50:37 2015
tree383bc9222c90b0f32081e9cc47bde557ca535d7f
parentcce1575146fd4943b6c24d3d9fbda4c07e47149b [diff]
Oilpan: switch ImageLoader to be prefinalized.

If an ImageLoader for an SVGImage ends up being swept out along with a
FrameView (a ScrollableArea), the former may circuitously end up accessing
the latter via its destructor. Having both be eagerly finalized, or
prefinalized, doesn't guarantee a correct destruction order.

Hence, to address, arrange for the ImageLoader to be finalized/disposed of
first by way of a prefinalizing action.

R=haraken
BUG=491488

Review URL: https://codereview.chromium.org/1226373008

git-svn-id: svn://svn.chromium.org/blink/trunk@198753 bbb929c8-8fbe-4397-9dbb-9b2b20218538

diff --git a/third_party/WebKit/Source/core/loader/ImageLoader.cpp b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
index 9f80239..1488764 100644
--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp

@@ -148,10 +148,20 @@
     , m_highPriorityClientCount(0)
 {
     WTF_LOG(Timers, "new ImageLoader %p", this);
+#if ENABLE(OILPAN)
+    ThreadState::current()->registerPreFinalizer(this);
+#endif
 }
 
 ImageLoader::~ImageLoader()
 {
+#if !ENABLE(OILPAN)
+    dispose();
+#endif
+}
+
+void ImageLoader::dispose()
+{
     WTF_LOG(Timers, "~ImageLoader %p; m_hasPendingLoadEvent=%d, m_hasPendingErrorEvent=%d",
         this, m_hasPendingLoadEvent, m_hasPendingErrorEvent);
 

diff --git a/third_party/WebKit/Source/core/loader/ImageLoader.h b/third_party/WebKit/Source/core/loader/ImageLoader.h
index 4c21261..f7e004a 100644
--- a/third_party/WebKit/Source/core/loader/ImageLoader.h
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.h

@@ -59,16 +59,11 @@
 typedef EventSender<ImageLoader> ImageEventSender;
 
 class CORE_EXPORT ImageLoader : public NoBaseWillBeGarbageCollectedFinalized<ImageLoader>, public ImageResourceClient {
+    WILL_BE_USING_PRE_FINALIZER(ImageLoader, dispose);
 public:
     explicit ImageLoader(Element*);
     ~ImageLoader() override;
 
-    // We must run the destructor in the eager sweeping phase and call
-    // m_image->removeClient(this). Otherwise, the ImageResource can invoke
-    // didAddClient() for the ImageLoader that is about to die in the current
-    // lazy sweeping, and the didAddClient() can access on-heap objects that
-    // have already been finalized in the current lazy sweeping.
-    EAGERLY_FINALIZE();
     DECLARE_TRACE();
 
     enum UpdateFromElementBehavior {
@@ -156,12 +151,20 @@
 
     void willRemoveClient(ImageLoaderClient&);
 
+    // For Oilpan, we must run dispose() as a prefinalizer and call
+    // m_image->removeClient(this) (and more.) Otherwise, the ImageResource can invoke
+    // didAddClient() for the ImageLoader that is about to die in the current
+    // lazy sweeping, and the didAddClient() can access on-heap objects that
+    // have already been finalized in the current lazy sweeping.
+    void dispose();
+
     RawPtrWillBeMember<Element> m_element;
     ResourcePtr<ImageResource> m_image;
     // FIXME: Oilpan: We might be able to remove this Persistent hack when
     // ImageResourceClient is traceable.
     GC_PLUGIN_IGNORE("http://crbug.com/383741")
     RefPtrWillBePersistent<Element> m_keepAlive;
+
 #if ENABLE(OILPAN)
     class ImageLoaderClientRemover {
     public:
@@ -173,6 +176,7 @@
         ImageLoaderClient& m_client;
     };
     friend class ImageLoaderClientRemover;
+
     // Oilpan: This ImageLoader object must outlive its clients because they
     // need to call ImageLoader::willRemoveClient before they
     // die. Non-Persistent HeapHashMap doesn't work well because weak processing