Layout: Add LayoutObject::is_destroyed when DCHECK is on

Add LayoutObject::is_destroyed which will be used in NOT_DESTROYED() to find Use-after-Free bugs. Bug: 1030176 Change-Id: Id793366fa732e57b179f637abb46e884c5913e61 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2444672 Commit-Queue: Yuki Yamada <yukiy@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Reviewed-by: Keishi Hattori <keishi@chromium.org> Cr-Commit-Position: refs/heads/master@{#815531}

Layout: Add LayoutObject::is_destroyed when DCHECK is on
Add LayoutObject::is_destroyed which will be used in NOT_DESTROYED() to find Use-after-Free bugs. Bug: 1030176 Change-Id: Id793366fa732e57b179f637abb46e884c5913e61 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2444672 Commit-Queue: Yuki Yamada <yukiy@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Reviewed-by: Keishi Hattori <keishi@chromium.org> Cr-Commit-Position: refs/heads/master@{#815531}
47dba4a9 · Yuki Yamada · Commit Bot · e8923087 · 47dba4a9 · 47dba4a9
Commit 47dba4a9 authored Oct 09, 2020 by Yuki Yamada Committed by Commit Bot Oct 09, 2020
2 changed files
--- a/third_party/blink/renderer/core/layout/layout_object.cc
+++ b/third_party/blink/renderer/core/layout/layout_object.cc
@@ -190,6 +190,9 @@ struct SameSizeAsLayoutObject : ImageResourceObserver, DisplayItemClient {
  // The following fields are in FragmentData.
  PhysicalOffset paint_offset_;
  std::unique_ptr<int> rare_data_;
+#if DCHECK_IS_ON()
+  bool is_destroyed_;
+#endif
 };

 ASSERT_SIZE(LayoutObject, SameSizeAsLayoutObject);
@@ -329,6 +332,9 @@ LayoutObject::~LayoutObject() {
  DCHECK(BeingDestroyed());
 #endif
  InstanceCounters::DecrementCounter(InstanceCounters::kLayoutObjectCounter);
+#if DCHECK_IS_ON()
+  is_destroyed_ = true;
+#endif
 }

 bool LayoutObject::IsDescendantOf(const LayoutObject* obj) const {

--- a/third_party/blink/renderer/core/layout/layout_object.h
+++ b/third_party/blink/renderer/core/layout/layout_object.h
@@ -4135,6 +4135,10 @@ class CORE_EXPORT LayoutObject : public ImageResourceObserver,
  static bool affects_parent_block_;

  FragmentData fragment_;
+
+#if DCHECK_IS_ON()
+  bool is_destroyed_ = false;
+#endif
 };

 // Allow equality comparisons of LayoutObjects by reference or pointer,