Title: [179750] trunk/Source/WebCore
- Revision: 179750
- Author: m...@apple.com
- Date: 2015-02-06 10:56:48 -0800 (Fri, 06 Feb 2015)
Log Message
REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
https://bugs.webkit.org/show_bug.cgi?id=141324
Reviewed by Alexey Proskuryakov.
No new tests. This is caught by existing tests under ASAN, and I don't know how to reproduce
it without ASAN.
* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Give up
and just always invalidate the next line. It's too hard to come up
with the condition that catches all needed cases, doesn't itself
cause a crash, and isn't overzealous. And we do this for the
previous line anyway. Also clean up the code a bit since it
confusingly reuses a variable, and declares it uninitialized, for
no good reason.
Diff
Modified: trunk/Source/WebCore/ChangeLog (179749 => 179750)
--- trunk/Source/WebCore/ChangeLog 2015-02-06 18:50:25 UTC (rev 179749)
+++ trunk/Source/WebCore/ChangeLog 2015-02-06 18:56:48 UTC (rev 179750)
@@ -1,3 +1,22 @@
+2015-02-06 Maciej Stachowiak <m...@apple.com>
+
+ REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
+ https://bugs.webkit.org/show_bug.cgi?id=141324
+
+ Reviewed by Alexey Proskuryakov.
+
+ No new tests. This is caught by existing tests under ASAN, and I don't know how to reproduce
+ it without ASAN.
+
+ * rendering/RenderLineBoxList.cpp:
+ (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Give up
+ and just always invalidate the next line. It's too hard to come up
+ with the condition that catches all needed cases, doesn't itself
+ cause a crash, and isn't overzealous. And we do this for the
+ previous line anyway. Also clean up the code a bit since it
+ confusingly reuses a variable, and declares it uninitialized, for
+ no good reason.
+
2015-02-05 Dhi Aurrahman <diorah...@rockybars.com>
Remove duplicate loop after r179532
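Review bot: The "No new tests" paragraph of the new entry says the corruption is caught by existing tests under ASAN but does not name them. Listing the affected tests in the entry, or stating that they are recorded in bug 141324, would let a reader confirm the fix under ASAN and recognise a recurrence.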
Modified: trunk/Source/WebCore/rendering/RenderLineBoxList.cpp (179749 => 179750)
--- trunk/Source/WebCore/rendering/RenderLineBoxList.cpp 2015-02-06 18:50:25 UTC (rev 179749)
+++ trunk/Source/WebCore/rendering/RenderLineBoxList.cpp 2015-02-06 18:56:48 UTC (rev 179750)
@@ -378,7 +378,6 @@
// If we found a line box, then dirty it.
if (box) {
- RootInlineBox* adjacentBox;
box->markDirty();
// dirty the adjacent lines that might be affected
@@ -388,17 +387,13 @@
// calls setLineBreakInfo with the result of findNextLineBreak. findNextLineBreak,
// despite the name, actually returns the first RenderObject after the BR.
// <rdar://problem/3849947> "Typing after pasting line does not appear until after window resize."
- adjacentBox = box->prevRootBox();
- if (adjacentBox)
- adjacentBox->markDirty();
- adjacentBox = box->nextRootBox();
- // If |child| has been inserted before the first element in the linebox, but after collapsed leading
- // space, the search for |child|'s linebox will go past the leading space to the previous linebox and select that
- // one as |box|. If we hit that situation here, dirty the |box| actually containing the child too.
- bool insertedAfterLeadingSpace = box->lineBreakObj() == child.previousSibling();
- if (adjacentBox && (adjacentBox->lineBreakObj()->isDescendantOf(&child) || child.isBR() || (current && current->isBR())
- || insertedAfterLeadingSpace || isIsolated(container.style().unicodeBidi())))
- adjacentBox->markDirty();
+ if (RootInlineBox* prevBox = box->prevRootBox())
+ prevBox->markDirty();
+
+ // FIXME: We shouldn't need to always dirty the next line. This is only strictly
+ // necessary some of the time, in situations involving BRs.
+ if (RootInlineBox* nextBox = box->nextRootBox())
+ nextBox->markDirty();
}
}
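Review bot: The FIXME above the new `nextBox` block says always dirtying the next line is only strictly necessary in situations involving BRs, but it does not record why the narrower condition was dropped. Suggest citing https://bugs.webkit.org/show_bug.cgi?id=141324 in that comment so the reason stays next to the code. It is also worth noting there that the removed condition called `adjacentBox->lineBreakObj()->isDescendantOf(&child)` with no check on the pointer returned by `lineBreakObj()`, so anyone who reintroduces a narrower condition knows to examine that dereference and to run the layout tests under ASAN before landing, since the log message says the problem does not reproduce without it.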
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes