Title: [97786] trunk
Revision: 97786
Author: [email protected]
Date: 2011-10-18 13:42:23 -0700 (Tue, 18 Oct 2011)

Log Message

Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
https://bugs.webkit.org/show_bug.cgi?id=70183

Patch by Julien Chaffraix <[email protected]> on 2011-10-18
Reviewed by David Hyatt.

Source/WebCore: 

Test: fast/flexbox/layoutHorizontal-crash.html

The deferred scroll information update logic was not updated when an object was destroyed.

The fix is very simple. As the deferred logic was only used with deprecated flexbox, it is a
pretty uncommon case, so let's optimize the new code for the common case.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::willBeDestroyed):

LayoutTests: 

* fast/flexbox/layoutHorizontal-crash-expected.txt: Added.
* fast/flexbox/layoutHorizontal-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (97785 => 97786)


--- trunk/LayoutTests/ChangeLog	2011-10-18 20:09:02 UTC (rev 97785)
+++ trunk/LayoutTests/ChangeLog	2011-10-18 20:42:23 UTC (rev 97786)
@@ -1,3 +1,13 @@
+2011-10-18  Julien Chaffraix  <[email protected]>
+
+        Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+        https://bugs.webkit.org/show_bug.cgi?id=70183
+
+        Reviewed by David Hyatt.
+
+        * fast/flexbox/layoutHorizontal-crash-expected.txt: Added.
+        * fast/flexbox/layoutHorizontal-crash.html: Added.
+
 2011-10-13  Ojan Vafai  <[email protected]>
 
         implement flex-flow:column
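
Review bot: The two entries added here name fast/flexbox/layoutHorizontal-crash-expected.txt and fast/flexbox/layoutHorizontal-crash.html, but the files this revision adds are layoutHorizontalBox-crash-expected.txt and layoutHorizontalBox-crash.html. Correct the ChangeLog paths so that a search of the log for the test name finds this entry.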

Added: trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt (0 => 97786)


--- trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt	2011-10-18 20:42:23 UTC (rev 97786)
@@ -0,0 +1,3 @@
+
+bug 70183: Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+If this test did not CRASH or show errors in valgrind, it has PASSED.

Added: trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html (0 => 97786)


--- trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html	2011-10-18 20:42:23 UTC (rev 97786)
@@ -0,0 +1,25 @@
+<style>
+.c6:first-letter { visibility: hidden; }
+.c6:nth-last-child(2n+10000000000000000) { text-align: -webkit-center; width: 10px; }
+.c26:first-letter { visibility: inherit; overflow: scroll; float: left;</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest() {
+    var button = document.createElement('button');
+    button.setAttribute('class', 'c6');
+    document.documentElement.appendChild(button);
+    document.documentElement.appendChild(document.createElement('dfn'));
+    var figCaption = document.createElement('figcaption');
+    figCaption.setAttribute('class', 'c26');
+    document.documentElement.appendChild(document.createElement('var'));
+    document.documentElement.appendChild(document.createElement('summary'));
+    var text = document.createTextNode("bug 70183: Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox");
+    figCaption.appendChild(text);
+    button.appendChild(figCaption);
+    document.body.offsetTop;
+    document.documentElement.appendChild(document.createTextNode("If this test did not CRASH or show errors in valgrind, it has PASSED."));
+}
+window._onload_ = runTest;
+</script>
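
Review bot: The last script line assigns runTest to window._onload_, which is not an event handler property, so as shown runTest never runs and the test prints nothing and exercises no layout. It should read window.onload = runTest; if the committed file already does, the underscores are only an artifact of how this page renders the diff. Separately, the .c26:first-letter rule is left without a closing brace before </style>; if the reproduction depends on that, a short comment in the test would stop someone from tidying it away.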
Property changes on: trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (97785 => 97786)


--- trunk/Source/WebCore/ChangeLog	2011-10-18 20:09:02 UTC (rev 97785)
+++ trunk/Source/WebCore/ChangeLog	2011-10-18 20:42:23 UTC (rev 97786)
@@ -1,3 +1,20 @@
+2011-10-18  Julien Chaffraix  <[email protected]>
+
+        Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+        https://bugs.webkit.org/show_bug.cgi?id=70183
+
+        Reviewed by David Hyatt.
+
+        Test: fast/flexbox/layoutHorizontal-crash.html
+
+        The deferred scroll information update logic was not updated when an object was destroy'ed.
+
+        The fix is very simple. As the deferred logic was only used with deprecated flexbox, it is a
+        pretty uncommon cases so let's optimize the new code for the common case.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::willBeDestroyed):
+
 2011-10-18  Adam Klein  <[email protected]>
 
         [MutationObservers] Clean up MutationObserver code in Node
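
Review bot: The description in this entry never says what went stale. Name gDelayedUpdateScrollInfoSet and state that a RenderBlock being destroyed was not removed from it, which is what the RenderBlock.cpp change addresses; the sentence about optimizing for the common case then reads as the reason for the UNLIKELY() guard. The Test: line also gives fast/flexbox/layoutHorizontal-crash.html, while the file added is layoutHorizontalBox-crash.html.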

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (97785 => 97786)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-10-18 20:09:02 UTC (rev 97785)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-10-18 20:42:23 UTC (rev 97786)
@@ -197,6 +197,9 @@
 
     m_lineBoxes.deleteLineBoxes(renderArena());
 
+    if (UNLIKELY(gDelayedUpdateScrollInfoSet != 0))
+        gDelayedUpdateScrollInfoSet->remove(this);
+
     RenderBox::willBeDestroyed();
 }
 
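
Review bot: The new check in willBeDestroyed() needs a one-line comment saying why it is there: gDelayedUpdateScrollInfoSet is handed raw RenderBlock pointers (remove(this)), so a block has to take itself out before it is freed or the set keeps a dangling entry. Style point on the same line: WebKit style tests pointers without comparing against 0, so write if (UNLIKELY(gDelayedUpdateScrollInfoSet)). It is also worth confirming in review that no RenderBlock destruction path bypasses willBeDestroyed(), since this is now the only place the entry is cleared in this patch.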