Title: [108547] trunk
Revision
108547
Author
infe...@chromium.org
Date
2012-02-22 13:33:33 -0800 (Wed, 22 Feb 2012)

Log Message

Source/WebCore: Crash due to accessing removed parent lineboxes when clearing view selection.
https://bugs.webkit.org/show_bug.cgi?id=79264

Reviewed by Eric Seidel.

When our block needed a full layout, we were deleting our own lineboxes
and letting descendant children (at any level in the hierarchy and not just
immediate children) clear their own lineboxes as we keep laying them out.
This was problematic because those descendant children lineboxes were
pointing to removed parent lineboxes in the meantime. An example scenario
where this would go wrong is first-letter object removal, which can cause
clearing view selection, leading to accessing parent lineboxes. The patch
modifies clearing the entire linebox tree upfront. It shouldn't introduce
performance issues since it will eventually happen as we are laying out
those children.

Test: fast/css-generated-content/first-letter-textbox-parent-crash.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlock::layoutInlineChildren):

LayoutTests: Crash due to accessing removed parent lineboxes when clearing view selection.
https://bugs.webkit.org/show_bug.cgi?id=79264

Reviewed by Eric Seidel.

* fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added.
* fast/css-generated-content/first-letter-textbox-parent-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (108546 => 108547)


--- trunk/LayoutTests/ChangeLog	2012-02-22 21:24:31 UTC (rev 108546)
+++ trunk/LayoutTests/ChangeLog	2012-02-22 21:33:33 UTC (rev 108547)
@@ -1,5 +1,15 @@
 2012-02-22  Abhishek Arya  <infe...@chromium.org>
 
+        Crash due to accessing removed parent lineboxes when clearing view selection.
+        https://bugs.webkit.org/show_bug.cgi?id=79264
+ 
+        Reviewed by Eric Seidel.
+
+        * fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added.
+        * fast/css-generated-content/first-letter-textbox-parent-crash.html: Added.
+
+2012-02-22  Abhishek Arya  <infe...@chromium.org>
+
         Cloning and linebox issues in multi-column layout.
         https://bugs.webkit.org/show_bug.cgi?id=78273
 
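Review bot: the blank line after the bug URL in this entry (shown here as `+ `) carries a trailing space; the other separator lines in the hunk are empty, so strip it before landing.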

Added: trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt (0 => 108547)


--- trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt	2012-02-22 21:33:33 UTC (rev 108547)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html (0 => 108547)


--- trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html	2012-02-22 21:33:33 UTC (rev 108547)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test2:first-letter { display: block; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window._onload_ = function() {
+    test1 = document.createElement('div');
+    document.body.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id', 'test2');
+    test2.appendChild(document.createTextNode('AAA'));
+    test2.style.display = 'inline-block';
+    test1.appendChild(test2); 
+    test1.appendChild(document.createTextNode('A'));
+    document.execCommand('selectall');
+    document.body.offsetTop;
+    document.styleSheets[0].insertRule("#test2 { text-transform: capitalize }");
+    document.body.offsetTop;
+    document.body.innerHTML = "PASS";
+}
+</script>
+</head>
+<body>
+</body>
+</html>
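Review bot: the handler is assigned to `window._onload_`, which is not an event the browser dispatches; if the checked-in file really reads that way rather than `window.onload`, the body is never replaced and the test dumps an empty body instead of the expected `PASS`, so please confirm this is only an artifact of the list rendering. Two smaller points: `test1` and `test2` are assigned without `var` and so become globals (a `var` on each would be cleaner), and the file is being added with `svn:executable` set, which an HTML layout test does not need.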
Property changes on: trunk/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (108546 => 108547)


--- trunk/Source/WebCore/ChangeLog	2012-02-22 21:24:31 UTC (rev 108546)
+++ trunk/Source/WebCore/ChangeLog	2012-02-22 21:33:33 UTC (rev 108547)
@@ -1,5 +1,28 @@
 2012-02-22  Abhishek Arya  <infe...@chromium.org>
 
+        Crash due to accessing removed parent lineboxes when clearing view selection.
+        https://bugs.webkit.org/show_bug.cgi?id=79264
+
+        Reviewed by Eric Seidel.
+
+        When our block needed a full layout, we were deleting our own lineboxes
+        and letting descendant children (at any level in hierarchy and not just 
+        immediate children) clear their own lineboxes as we keep laying them out.
+        This was problematic because those descendant children lineboxes were
+        pointing to removed parent lineboxes in the meantime. An example scenario
+        where this would go wrong is first-letter object removal, which can cause
+        clearing view selection, leading to accessing parent lineboxes. The patch
+        modifies clearing the entire linebox tree upfront. It shouldn't introduce
+        performance issues since it will eventually happen as we are laying out
+        those children.
+ 
+        Test: fast/css-generated-content/first-letter-textbox-parent-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlock::layoutInlineChildren):
+
+2012-02-22  Abhishek Arya  <infe...@chromium.org>
+
         Cloning and linebox issues in multi-column layout.
         https://bugs.webkit.org/show_bug.cgi?id=78273
 
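Review bot: two lines in this entry carry trailing whitespace (the line ending `and not just` and the blank line before `Test:`, shown as `+ `); strip them. The sentence "The patch modifies clearing the entire linebox tree upfront" is also hard to parse; something like "The patch now clears the entire linebox tree upfront" states what the change does more directly.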

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (108546 => 108547)


--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2012-02-22 21:24:31 UTC (rev 108546)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2012-02-22 21:33:33 UTC (rev 108547)
@@ -1462,7 +1462,7 @@
     LineLayoutState layoutState(isFullLayout, repaintLogicalTop, repaintLogicalBottom);
 
     if (isFullLayout)
-        lineBoxes()->deleteLineBoxes(renderArena());
+        deleteLineBoxTree();
 
     // Text truncation only kicks in if your overflow isn't visible and your text-overflow-mode isn't
     // clip.
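Review bot: a one-line comment above `deleteLineBoxTree();` explaining why the whole subtree is torn down here would help; read on its own the change looks like an equivalent call, whereas the point (per the ChangeLog) is that descendant line boxes would otherwise keep pointers to this block's already-deleted boxes until their own layout clears them. Since those descendants still clear their own line boxes when they are laid out, it is also worth confirming that `deleteLineBoxTree()` leaves them in a state where that later clearing is a no-op rather than a second delete.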
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes