Title: [124888] trunk
- Revision: 124888
- Author: infe...@chromium.org
- Date: 2012-08-07 07:51:33 -0700 (Tue, 07 Aug 2012)
Log Message
Crash in InlineFlowBox::deleteLine.
https://bugs.webkit.org/show_bug.cgi?id=88795
Reviewed by Tony Chang.
Source/WebCore:
When we move the fullscreen object from its parent to RenderFullScreen, we forgot to clear the
line box tree underneath the object's containing block and mark it for layout. Before the patch,
the containing block never got laid out and maintained references to removed line boxes (since the
object moved under RenderFullScreen did get laid out and its lineboxes replaced with new ones).
Test: fullscreen/full-screen-line-boxes-crash.html
* rendering/RenderFullScreen.cpp:
(RenderFullScreen::wrapRenderer):
LayoutTests:
* fullscreen/full-screen-line-boxes-crash-expected.txt: Added.
* fullscreen/full-screen-line-boxes-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (124887 => 124888)
--- trunk/LayoutTests/ChangeLog 2012-08-07 14:32:15 UTC (rev 124887)
+++ trunk/LayoutTests/ChangeLog 2012-08-07 14:51:33 UTC (rev 124888)
@@ -1,3 +1,13 @@
+2012-08-07 Abhishek Arya <infe...@chromium.org>
+
+ Crash in InlineFlowBox::deleteLine.
+ https://bugs.webkit.org/show_bug.cgi?id=88795
+
+ Reviewed by Tony Chang.
+
+ * fullscreen/full-screen-line-boxes-crash-expected.txt: Added.
+ * fullscreen/full-screen-line-boxes-crash.html: Added.
+
2012-08-07 Csaba Osztrogonác <o...@webkit.org>
[Qt] Unreviewed gardening.
Added: trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash-expected.txt (0 => 124888)
--- trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash-expected.txt 2012-08-07 14:51:33 UTC (rev 124888)
@@ -0,0 +1,4 @@
+PASS. WebKit didn't crash.
+EVENT(webkitfullscreenchange)
+END OF TEST
+
Added: trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash.html (0 => 124888)
--- trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash.html (rev 0)
+++ trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash.html 2012-08-07 14:51:33 UTC (rev 124888)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<body style="-webkit-columns: 30;">
+PASS.
+<bdi>
+<span style="margin-top: 1em;">WebKit didn't crash.
+<script src=""
+<script>
+ if (Element.prototype.webkitRequestFullScreen == undefined) {
+ logResult(false, "Element.prototype.webkitRequestFullScreen == undefined");
+ endTest();
+ } else {
+ var fullscreenChanged = function(event)
+ {
+ callback(event)
+ };
+ waitForEventOnce(document, "webkitfullscreenchange", fullscreenChanged);
+ var span = document.getElementsByTagName('span')[0];
+ var spanEnteredFullScreen = function() {
+ runWithKeyDown(function() { document.documentElement.webkitRequestFullScreen(); });
+ setTimeout("endTest()", 0);
+ };
+
+ callback = spanEnteredFullScreen;
+ runWithKeyDown(function() { span.webkitRequestFullScreen(); });
+ }
+</script>
+</body>
+</html>
Property changes on: trunk/LayoutTests/fullscreen/full-screen-line-boxes-crash.html
___________________________________________________________________
Added: svn:executable
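Review bot: In spanEnteredFullScreen the test ends through setTimeout("endTest()", 0) immediately after requesting fullscreen on document.documentElement, so it never waits for a second webkitfullscreenchange, and the expected output lists only one EVENT line. If the crash depends on the layout that follows the second request, a zero-delay timer may finish the test before that layout runs on some ports; a short comment saying why the zero timeout is sufficient, or ending the test from a second waitForEventOnce handler, would make the regression coverage easier to trust. Passing the function itself, setTimeout(endTest, 0), avoids the string-eval form, and callback is assigned without var, so it becomes an implicit global. The svn:executable property on an .html layout test also looks unintended and can be dropped.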
Modified: trunk/Source/WebCore/ChangeLog (124887 => 124888)
--- trunk/Source/WebCore/ChangeLog 2012-08-07 14:32:15 UTC (rev 124887)
+++ trunk/Source/WebCore/ChangeLog 2012-08-07 14:51:33 UTC (rev 124888)
@@ -1,3 +1,20 @@
+2012-08-07 Abhishek Arya <infe...@chromium.org>
+
+ Crash in InlineFlowBox::deleteLine.
+ https://bugs.webkit.org/show_bug.cgi?id=88795
+
+ Reviewed by Tony Chang.
+
+ When we move the fullscreen object from its parent to RenderFullScreen, we forgot to clear the
+ line box tree underneath the object's containing block and mark it for layout. Before the patch,
+ the containing block never got laid out and maintained references to removed line boxes (since the
+ object moved under RenderFullScreen did get laid out and its lineboxes replaced with new ones).
+
+ Test: fullscreen/full-screen-line-boxes-crash.html
+
+ * rendering/RenderFullScreen.cpp:
+ (RenderFullScreen::wrapRenderer):
+
2012-08-07 Vsevolod Vlasov <vse...@chromium.org>
Web Inspector: Do not disable network tracking while profiling cpu.
Modified: trunk/Source/WebCore/rendering/RenderFullScreen.cpp (124887 => 124888)
--- trunk/Source/WebCore/rendering/RenderFullScreen.cpp 2012-08-07 14:32:15 UTC (rev 124887)
+++ trunk/Source/WebCore/rendering/RenderFullScreen.cpp 2012-08-07 14:51:33 UTC (rev 124888)
@@ -117,9 +117,20 @@
// |object->parent()| can be null if the object is not yet attached
// to |parent|.
if (RenderObject* parent = object->parent()) {
+ RenderBlock* containingBlock = object->containingBlock();
+ ASSERT(containingBlock);
+ // Since we are moving the |object| to a new parent |fullscreenRenderer|,
+ // the line box tree underneath our |containingBlock| is not longer valid.
+ containingBlock->deleteLineBoxTree();
+
parent->addChild(fullscreenRenderer, object);
object->remove();
+
+ // Always just do a full layout to ensure that line boxes get deleted properly.
+ // Because objects moved from |parent| to |fullscreenRenderer|, we want to
+ // make new line boxes instead of leaving the old ones around.
parent->setNeedsLayoutAndPrefWidthsRecalc();
+ containingBlock->setNeedsLayoutAndPrefWidthsRecalc();
}
fullscreenRenderer->addChild(object);
fullscreenRenderer->setNeedsLayoutAndPrefWidthsRecalc();
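Review bot: ASSERT(containingBlock) is compiled out of release builds, so the next statement, containingBlock->deleteLineBoxTree(), dereferences the pointer unchecked if containingBlock() ever returns null for an attached object. Either guard both uses with if (containingBlock), or add a comment saying why an object with a non-null parent() always has a containing block here. The same pointer is read before parent->addChild(fullscreenRenderer, object) and object->remove() and used again afterwards in containingBlock->setNeedsLayoutAndPrefWidthsRecalc(); it is worth confirming in the comment that neither call can destroy that block (for example an anonymous block that becomes empty), since that would reintroduce a stale pointer of the kind this patch removes. Minor: "is not longer valid" in the new comment should read "is no longer valid".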