Merge r167883 - [GTK] Crash in debug build with removing windowed plu…

…gin child widgets from the view https://bugs.webkit.org/show_bug.cgi?id=132252 Reviewed by Philippe Normand. It crashes due to an assert in HashTable that checks the iterators validity. The problem is that we are iterating the children map and the callback called on every iteration might modify the map, making the iterators invalid. This happens when the WebView is destroyed, GtkContainer calls gtk_container_foreach() with gtk_widget_destroy as callback. When a widget inside a container is destroyed, it's removed from the container, and in our case, the child widget is removed from the map. This fixes several crashes when running layout tests in debug bot. * UIProcess/API/gtk/WebKitWebViewBase.cpp: (webkitWebViewBaseContainerForall): Use copyKeysToVector() instead of using a range iterator for the map keys and check in every iteration that the child widget from the keys vector is still present in the map before calling the callback.
WebKit · May 5, 2014 · b5d96d9 · b5d96d9
1 parent c59b547
commit b5d96d9
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
@@ -1,3 +1,26 @@
+2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [GTK] Crash in debug build with removing windowed plugin child widgets from the view
+        https://bugs.webkit.org/show_bug.cgi?id=132252
+
+        Reviewed by Philippe Normand.
+
+        It crashes due to an assert in HashTable that checks the iterators
+        validity. The problem is that we are iterating the children map
+        and the callback called on every iteration might modify the map,
+        making the iterators invalid. This happens when the WebView is
+        destroyed, GtkContainer calls gtk_container_foreach() with
+        gtk_widget_destroy as callback. When a widget inside a container
+        is destroyed, it's removed from the container, and in our case,
+        the child widget is removed from the map. This fixes several
+        crashes when running layout tests in debug bot.
+
+        * UIProcess/API/gtk/WebKitWebViewBase.cpp:
+        (webkitWebViewBaseContainerForall): Use copyKeysToVector() instead
+        of using a range iterator for the map keys and check in every
+        iteration that the child widget from the keys vector is still
+        present in the map before calling the callback.
+
 2014-04-22  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GTK] Crash after getting web view context property with g_object_get

diff --git a/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp b/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp
@@ -362,8 +362,12 @@ static void webkitWebViewBaseContainerForall(GtkContainer* container, gboolean i
     WebKitWebViewBase* webView = WEBKIT_WEB_VIEW_BASE(container);
     WebKitWebViewBasePrivate* priv = webView->priv;
 
-    for (const auto& widget : priv->children.keys())
-        (*callback)(widget, callbackData);
+    Vector<GtkWidget*> children;
+    copyKeysToVector(priv->children, children);
+    for (const auto& child : children) {
+        if (priv->children.contains(child))
+            (*callback)(child, callbackData);
+    }
 
     if (includeInternals && priv->inspectorView)
         (*callback)(priv->inspectorView, callbackData);