Title: [139596] trunk
Revision
139596
Author
[email protected]
Date
2013-01-14 01:55:11 -0800 (Mon, 14 Jan 2013)

Log Message

Crash caused by incomplete cleanup of regions information for anonymous block
https://bugs.webkit.org/show_bug.cgi?id=106191

Patch by Andrei Bucur <[email protected]> on 2013-01-14
Reviewed by Abhishek Arya.

Source/WebCore:

When an anonymous block is no longer required it is removed from the render tree and deleted. For example, this can happen when an anonymous block's children change
from inlines to blocks. The patch updates the removeLeftoverAnonymousBlock function to delete the flow thread information attached to the obsolete anonymous block.
The removeFromRenderFlowThread() function is recursive and it needs to be called after the anonymous block's children have been reparented and the child list cleared.
I've also placed the children reset operation before clearing the parent because the latter also deletes the inRenderFlowThread flag from the object and it makes
flow thread ownership detection impossible.

Tests: fast/regions/remove-leftover-anon-block-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeLeftoverAnonymousBlock):

LayoutTests:

* fast/regions/remove-leftover-anon-block-crash-expected.txt: Added.
* fast/regions/remove-leftover-anon-block-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (139595 => 139596)


--- trunk/LayoutTests/ChangeLog	2013-01-14 09:52:20 UTC (rev 139595)
+++ trunk/LayoutTests/ChangeLog	2013-01-14 09:55:11 UTC (rev 139596)
@@ -1,3 +1,13 @@
+2013-01-14  Andrei Bucur  <[email protected]>
+
+        Crash caused by incomplete cleanup of regions information for anonymous block
+        https://bugs.webkit.org/show_bug.cgi?id=106191
+
+        Reviewed by Abhishek Arya.
+
+        * fast/regions/remove-leftover-anon-block-crash-expected.txt: Added.
+        * fast/regions/remove-leftover-anon-block-crash.html: Added.
+
 2013-01-14  Pablo Flouret  <[email protected]>
 
         Allow nesting of at-rules

Added: trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash-expected.txt (0 => 139596)


--- trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash-expected.txt	2013-01-14 09:55:11 UTC (rev 139596)
@@ -0,0 +1,7 @@
+Test for WebKit Bug 106191 Crash when an anonymous block in a flow thread is deleted because it has only block children.
+
+The test passes if it does not crash or assert.
+
+PASS
+
+

Added: trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash.html (0 => 139596)


--- trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/regions/remove-leftover-anon-block-crash.html	2013-01-14 09:55:11 UTC (rev 139596)
@@ -0,0 +1,30 @@
+<!doctype html>
+<html>
+    <style>
+        #article { -webkit-flow-into: flow; }
+        #region { -webkit-flow-from: flow; }
+        @-webkit-region #region {
+            #article { color: #00ff00; }
+        }
+    </style>
+    <p>Test for <a href="" Bug 106191</a> Crash when an anonymous block in a flow thread is deleted because it has only block children. </p>
+    <p>The test passes if it does not crash or assert.</p>
+    <p>PASS</p>
+    <div id="article">
+        <em style="display: block;"></em>
+        Text color styled in region: #00ff00.
+        <em id="em">Em color styled in region: #008000.</em>
+    </div>
+    <div id="region"></div>
+<script>
+if (window.testRunner)
+    window.testRunner.dumpAsText();
+
+document.body.offsetTop;
+var elem = document.getElementById("em");
+var new_elem = document.createElement("table");
+elem.parentNode.insertBefore(new_elem, elem);
+document.body.offsetTop;
+document.getElementById("article").style.visibility = "hidden";
+</script>
+</html>
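Review bot: the anchor in the first paragraph is malformed: `<p>Test for <a href="" Bug 106191</a> Crash ...` has an empty href and no closing `>` on the opening tag, so "Bug 106191" is parsed as attribute names rather than link text and will not appear in the dumped text. The expected file added in this same revision starts with "Test for WebKit Bug 106191 Crash when an anonymous block ...", so for the two to match the line should read `<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=106191">WebKit Bug 106191</a> Crash when an anonymous block in a flow thread is deleted because it has only block children.</p>` (the bug URL is the one given in the ChangeLog). Unrelated to the crash coverage itself: the two `document.body.offsetTop;` statements are the layout flushes that make the `<table>` insertion and the visibility change each trigger a separate anonymous-block teardown, so a short comment on each would help the next reader see that they are intentional and not dead statements.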

Modified: trunk/Source/WebCore/ChangeLog (139595 => 139596)


--- trunk/Source/WebCore/ChangeLog	2013-01-14 09:52:20 UTC (rev 139595)
+++ trunk/Source/WebCore/ChangeLog	2013-01-14 09:55:11 UTC (rev 139596)
@@ -1,3 +1,21 @@
+2013-01-14  Andrei Bucur  <[email protected]>
+
+        Crash caused by incomplete cleanup of regions information for anonymous block
+        https://bugs.webkit.org/show_bug.cgi?id=106191
+
+        Reviewed by Abhishek Arya.
+
+        When an anonymous block is no longer required it is removed from the render tree and deleted. For example, this can happen when an anonymous block children change
+        from inlines to blocks. The patch updates the removeLeftoverAnonymousBlock function to delete the flow thread information attached to the obsolete anonymous block.
+        The removeFromRenderFlowThread() function is recursive and it needs to be called after the anonymous block children were reparented and the child list cleared.
+        I've also placed the children reset operation before clearing the parent because the latter also deletes the inRenderFlowThread flag from the object and it makes
+        flow thread ownership detection impossible.
+
+        Tests: fast/regions/remove-leftover-anon-block-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeLeftoverAnonymousBlock):
+
 2013-01-14  Kentaro Hara  <[email protected]>
 
         [V8] Make an Isolate parameter mandatory in v8DateOrNull()
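Review bot: two grammar slips in the new ChangeLog description: "when an anonymous block children change from inlines to blocks" should read "when an anonymous block's children change from inlines to blocks", and "after the anonymous block children were reparented" should read "after the anonymous block's children have been reparented". The rest of the entry is clear about the ordering constraint (child list cleared, then flow thread cleanup, then setParent(0)), which is the part a future reader of RenderBlock.cpp will need.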

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (139595 => 139596)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2013-01-14 09:52:20 UTC (rev 139595)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2013-01-14 09:55:11 UTC (rev 139596)
@@ -1081,12 +1081,17 @@
         if (child->nextSibling())
             child->nextSibling()->setPreviousSibling(child->previousSibling());
     }
+
+    child->children()->setFirstChild(0);
+    child->m_next = 0;
+
+    // Remove all the information in the flow thread associated with the leftover anonymous block.
+    if (child->inRenderFlowThread())
+        child->removeFromRenderFlowThread();
+
     child->setParent(0);
     child->setPreviousSibling(0);
     child->setNextSibling(0);
-    
-    child->children()->setFirstChild(0);
-    child->m_next = 0;
 
     child->destroy();
 }
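Review bot: the new ordering in this hunk is load-bearing, but the added comment only says what is removed, not why it must sit where it does. Per the ChangeLog, `child->setParent(0)` clears the inRenderFlowThread flag, so if someone later moves the `if (child->inRenderFlowThread())` guard below `setParent(0)` the cleanup is silently skipped and the dangling flow-thread state that caused this crash comes back; and `removeFromRenderFlowThread()` is recursive, which is why `child->children()->setFirstChild(0)` has to run first so the already-reparented children are not visited. Suggest extending the comment to record both constraints, e.g. `// Must run after the child list is cleared (the call is recursive) and before setParent(0), which clears inRenderFlowThread().` A smaller point: `child->m_next = 0;` is followed a few lines later by `child->setNextSibling(0);`; if `m_next` is the sibling pointer that `setNextSibling` writes, the direct member store (carried over from the pre-patch code) is redundant and could be dropped when this block is next touched.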
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
