Title: [90388] trunk/Source/WebCore
- Revision
- 90388
- Author
- [email protected]
- Date
- 2011-07-05 02:31:24 -0700 (Tue, 05 Jul 2011)
Log Message
2011-07-05 Kent Tamura <[email protected]>
Add an assertion that percent height box is unregistered correctly.
https://bugs.webkit.org/show_bug.cgi?id=62792
Reviewed by Hajime Morita.
No new tests. This won't change behavior.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::hasPercentHeightDescendant): Added.
* rendering/RenderBlock.h: Declare hasPercentHeightDescendant().
* rendering/RenderBox.cpp:
(WebCore::RenderBox::destroy): Assert !hasPercentHeightDescendant().
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (90387 => 90388)
--- trunk/Source/WebCore/ChangeLog 2011-07-05 08:44:59 UTC (rev 90387)
+++ trunk/Source/WebCore/ChangeLog 2011-07-05 09:31:24 UTC (rev 90388)
@@ -1,3 +1,18 @@
+2011-07-05 Kent Tamura <[email protected]>
+
+ Add an assertion that percent height box is unregistered correctly.
+ https://bugs.webkit.org/show_bug.cgi?id=62792
+
+ Reviewed by Hajime Morita.
+
+ No new tests. This won't change behavior.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::hasPercentHeightDescendant): Added.
+ * rendering/RenderBlock.h: Declare hasPercentHeightDescendant().
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::destroy): Assert !hasPercentHeightDescendant().
+
2011-07-04 Pavel Feldman <[email protected]>
Web Inspector: Enable settings screen with settings for console and elements panels.
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (90387 => 90388)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-07-05 08:44:59 UTC (rev 90387)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-07-05 09:31:24 UTC (rev 90388)
@@ -3446,6 +3446,17 @@
return gPercentHeightDescendantsMap ? gPercentHeightDescendantsMap->get(this) : 0;
}
+#if !ASSERT_DISABLED
+bool RenderBlock::hasPercentHeightDescendant(RenderBox* descendant)
+{
+ ASSERT(descendant);
+ if (!gPercentHeightContainerMap)
+ return false;
+ HashSet<RenderBlock*>* containerSet = gPercentHeightContainerMap->take(descendant);
+ return containerSet && containerSet->size();
+}
+#endif
+
// FIXME: The logicalLeftOffsetForLine/logicalRightOffsetForLine functions are very slow if there are many floats
// present. We need to add a structure to floating objects to represent "lines" of floats. Then instead of checking
// each float individually, we'd just walk backwards through the "lines" and stop when we hit a line that is fully above
Modified: trunk/Source/WebCore/rendering/RenderBlock.h (90387 => 90388)
--- trunk/Source/WebCore/rendering/RenderBlock.h 2011-07-05 08:44:59 UTC (rev 90387)
+++ trunk/Source/WebCore/rendering/RenderBlock.h 2011-07-05 09:31:24 UTC (rev 90388)
@@ -102,6 +102,9 @@
void addPercentHeightDescendant(RenderBox*);
static void removePercentHeightDescendant(RenderBox*);
HashSet<RenderBox*>* percentHeightDescendants() const;
+#if !ASSERT_DISABLED
+ static bool hasPercentHeightDescendant(RenderBox*);
+#endif
RootInlineBox* createAndAppendRootInlineBox();
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (90387 => 90388)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2011-07-05 08:44:59 UTC (rev 90387)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2011-07-05 09:31:24 UTC (rev 90388)
@@ -203,6 +203,10 @@
if (style() && (style()->logicalHeight().isPercent() || style()->logicalMinHeight().isPercent() || style()->logicalMaxHeight().isPercent()))
RenderBlock::removePercentHeightDescendant(this);
+ // If the following assertion fails, logicalHeight()/logicalMinHeight()/
+ // logicalMaxHeight() values are changed from a percent value to a non-percent
+ // value during laying out. It causes a use-after-free bug.
+ ASSERT(!RenderBlock::hasPercentHeightDescendant(this));
RenderBoxModelObject::destroy();
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
