Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2536ef8fa811eab723e31eb524a4840f742c1f3e
      
https://github.com/WebKit/WebKit/commit/2536ef8fa811eab723e31eb524a4840f742c1f3e
  Author: Alan Baradlay <[email protected]>
  Date:   2024-07-12 (Fri, 12 Jul 2024)

  Changed paths:
    A LayoutTests/fast/multicol/continuation-inside-multicol-crash-expected.txt
    A LayoutTests/fast/multicol/continuation-inside-multicol-crash.html
    M Source/WebCore/rendering/updating/RenderTreeBuilder.cpp
    M Source/WebCore/rendering/updating/RenderTreeBuilder.h
    M Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp

  Log Message:
  -----------
  [RenderTreeBuilder] Crash in WebCore::RenderLayer::removeChild when continuation is present
https://bugs.webkit.org/show_bug.cgi?id=276523
<rdar://131405878>

Reviewed by Antti Koivisto.

When the to-be-destroyed renderer has an anonymous parent, 
destroyAndCleanUpAnonymousWrappers starts destroying the subtree from the 
parent instead.

e.g.
  RenderBlock (anonymous block container) <- destroy root
    RenderObject                          <- renderer to be destroyed

Now if the renderer is also part of a continuation

  RenderBlock (anonymous block container - PRE)    <- destroy root
    RenderObject                                   <- renderer to be destroyed
  RenderBlock (anonymous block container - MIDDLE)
  RenderBlock (anonymous block container - POST)
    ...
    RenderObject (unrelated sibling renderers in POST)

after destroying "renderer to be destroyed", we may decide to collapse the now 
empty PRE, MIDDLE and move the leftover renderers from POST to PRE.

  RenderBlock (anonymous block container - PRE)         <- destroy root
    RenderObject (unrelated sibling renderers in POST)

and since PRE is the destroy root, we eventually destroy it too now with the 
freshly added, unrelated renderers.

This patch adds anonymous destroy root context so that we can figure out when 
not to collapse sibling empty anonymous renderers.

* LayoutTests/fast/multicol/continuation-inside-multicol-crash-expected.txt: Added.
* LayoutTests/fast/multicol/continuation-inside-multicol-crash.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers):
* Source/WebCore/rendering/updating/RenderTreeBuilder.h:
* Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:
(WebCore::canMergeContiguousAnonymousBlocks):
(WebCore::RenderTreeBuilder::Block::detach):

Canonical link: https://commits.webkit.org/280907@main
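
The lifetime hazard described in the log message, reduced to a toy ownership tree. This is an added example, not WebKit code: `Node`, `DestroyContext`, `detachAndMaybeCollapse` and `survivingSiblings` are hypothetical names, and the guard only models the idea of checking the anonymous destroy root before collapsing.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Toy model, not WebKit code: each node owns its children, as a render tree does.
struct Node { std::vector<std::unique_ptr<Node>> children; };

// Hypothetical stand-in for the "anonymous destroy root context" in the log message.
struct DestroyContext { const Node* anonymousDestroyRoot; };

// Destroys PRE's only child, then applies the continuation collapse: when PRE and
// MIDDLE are empty, POST's leftover children are moved into PRE. With `guard` set,
// the collapse is skipped if PRE is the pending anonymous destroy root.
static void detachAndMaybeCollapse(Node& pre, Node& middle, Node& post,
                                   const DestroyContext& context, bool guard)
{
    pre.children.clear(); // "renderer to be destroyed"
    if (guard && context.anonymousDestroyRoot == &pre)
        return;
    if (pre.children.empty() && middle.children.empty()) {
        for (auto& child : post.children)
            pre.children.push_back(std::move(child));
        post.children.clear();
    }
}

// Returns how many unrelated POST renderers are still alive once the destroy
// root (PRE) has been destroyed.
int survivingSiblings(bool guard)
{
    Node container;
    for (int i = 0; i < 3; ++i) // PRE, MIDDLE, POST
        container.children.push_back(std::make_unique<Node>());
    Node* pre = container.children[0].get();
    Node* middle = container.children[1].get();
    Node* post = container.children[2].get();
    pre->children.push_back(std::make_unique<Node>());  // renderer to be destroyed
    post->children.push_back(std::make_unique<Node>()); // unrelated sibling
    post->children.push_back(std::make_unique<Node>()); // unrelated sibling
    DestroyContext context{pre};
    detachAndMaybeCollapse(*pre, *middle, *post, context, guard);
    container.children.erase(container.children.begin()); // destroy root goes away
    return static_cast<int>(post->children.size());
}

int main() { std::printf("%d %d\n", survivingSiblings(false), survivingSiblings(true)); }
```

In the toy the siblings are simply freed along with PRE; any code still holding pointers to them afterwards would be operating on destroyed objects.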


