Title: [186454] releases/WebKitGTK/webkit-2.8/Source/WebCore
Revision
186454
Author
[email protected]
Date
2015-07-07 05:28:13 -0700 (Tue, 07 Jul 2015)

Log Message

Merge r186366 - Crash: LayoutState root's container is nullptr when the layout root is detached.
https://bugs.webkit.org/show_bug.cgi?id=146646
rdar://problem/21371544

Reviewed by Simon Fraser.

This is a speculative fix to ensure that when the root of the LayoutState is detached
we don't try to access its container (nullptr).
This is related to trac.webkit.org/r185484.

Not reproducible.

* rendering/LayoutState.cpp:
(WebCore::LayoutState::LayoutState):
* rendering/LayoutState.h:
(WebCore::LayoutState::LayoutState): Deleted.


Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186453 => 186454)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 12:25:05 UTC (rev 186453)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 12:28:13 UTC (rev 186454)
@@ -1,3 +1,22 @@
+2015-07-06  Zalan Bujtas  <[email protected]>
+
+        Crash: LayoutState root's container is nullptr when the layout root is detached.
+        https://bugs.webkit.org/show_bug.cgi?id=146646
+        rdar://problem/21371544
+
+        Reviewed by Simon Fraser.
+
+        This is a speculative fix to ensure that when the root of the LayoutState is detached
+        we don't try to access its container (nullptr).
+        This is related to trac.webkit.org/r185484.
+
+        Not reproducible.
+
+        * rendering/LayoutState.cpp:
+        (WebCore::LayoutState::LayoutState):
+        * rendering/LayoutState.h:
+        (WebCore::LayoutState::LayoutState): Deleted.
+
 2015-07-05  Chris Dumez  <[email protected]>
 
         [WK2] WebBackForwardListItems' pageState is not kept up-to-date

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.cpp (186453 => 186454)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.cpp	2015-07-07 12:25:05 UTC (rev 186453)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.cpp	2015-07-07 12:28:13 UTC (rev 186454)
@@ -35,8 +35,7 @@
 namespace WebCore {
 
 LayoutState::LayoutState(std::unique_ptr<LayoutState> next, RenderBox* renderer, const LayoutSize& offset, LayoutUnit pageLogicalHeight, bool pageLogicalHeightChanged)
-    : m_lineGrid(0)
-    , m_next(WTF::move(next))
+    : m_next(WTF::move(next))
 #ifndef NDEBUG
     , m_renderer(renderer)
 #endif
@@ -130,23 +129,23 @@
     , m_layoutDeltaXSaturated(false)
     , m_layoutDeltaYSaturated(false)
 #endif    
-    , m_lineGrid(0)
-    , m_pageLogicalHeight(0)
 #ifndef NDEBUG
     , m_renderer(&root)
 #endif
 {
-    RenderElement* container = root.container();
-    FloatPoint absContentPoint = container->localToAbsolute(FloatPoint(), UseTransforms);
-    m_paintOffset = LayoutSize(absContentPoint.x(), absContentPoint.y());
+    if (RenderElement* container = root.container()) {
+        FloatPoint absContentPoint = container->localToAbsolute(FloatPoint(), UseTransforms);
+        m_paintOffset = LayoutSize(absContentPoint.x(), absContentPoint.y());
 
-    if (container->hasOverflowClip()) {
-        m_clipped = true;
-        auto& containerBox = downcast<RenderBox>(*container);
-        m_clipRect = LayoutRect(toLayoutPoint(m_paintOffset), containerBox.cachedSizeForOverflowClip());
-        m_paintOffset -= containerBox.scrolledContentOffset();
+        if (container->hasOverflowClip()) {
+            m_clipped = true;
+            auto& containerBox = downcast<RenderBox>(*container);
+            m_clipRect = LayoutRect(toLayoutPoint(m_paintOffset), containerBox.cachedSizeForOverflowClip());
+            m_paintOffset -= containerBox.scrolledContentOffset();
+        }
     }
 }
+
 void LayoutState::clearPaginationInformation()
 {
     m_pageLogicalHeight = m_next->m_pageLogicalHeight;
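Review bot: Removing `, m_pageLogicalHeight(0)` from this init list (and from the default constructor in LayoutState.h, whose first hunk removes the same line) is only safe if the member is initialized elsewhere, but the header hunks add `{ nullptr }` initializers for `m_lineGrid` and `m_renderer` only and show no in-class initializer for `m_pageLogicalHeight`. That presumably relies on `LayoutUnit`'s default constructor yielding zero; worth confirming, or adding `LayoutUnit m_pageLogicalHeight { 0 };` next to the other two so the intent is explicit. Separately, on the new `if (RenderElement* container = root.container())` line the nullptr path now leaves `m_paintOffset` and the clip state at whatever the init list above the hunk gave them, with nothing in the code saying this is deliberate. A comment such as `// A detached root has no container; keep the paint offset at the origin and leave the clip state unset.` on that line would record the fallback the commit message describes. This constructor's init list starts above the hunk, and clearPaginationInformation continues past its end.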

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.h (186453 => 186454)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.h	2015-07-07 12:25:05 UTC (rev 186453)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/LayoutState.h	2015-07-07 12:28:13 UTC (rev 186454)
@@ -52,11 +52,6 @@
         , m_layoutDeltaXSaturated(false)
         , m_layoutDeltaYSaturated(false)
 #endif
-        , m_lineGrid(nullptr)
-        , m_pageLogicalHeight(0)
-#ifndef NDEBUG
-        , m_renderer(nullptr)
-#endif
     {
     }
 
@@ -103,7 +98,7 @@
 #endif
 
     // The current line grid that we're snapping to and the offset of the start of the grid.
-    RenderBlockFlow* m_lineGrid;
+    RenderBlockFlow* m_lineGrid { nullptr };
     std::unique_ptr<LayoutState> m_next;
 
     // FIXME: Distinguish between the layout clip rect and the paint clip rect which may be larger,
@@ -129,7 +124,7 @@
     RenderFlowThread* m_currentRenderFlowThread { nullptr };
 
 #ifndef NDEBUG
-    RenderObject* m_renderer;
+    RenderObject* m_renderer { nullptr };
 #endif
 };
 