Title: [116441] branches/chromium/1084
- Revision: 116441
- Author: [email protected]
- Date: 2012-05-08 11:51:18 -0700 (Tue, 08 May 2012)
Log Message
Merge 115458 - NULL-deref in RenderBox::clippedOverflowRectForRepaint
https://bugs.webkit.org/show_bug.cgi?id=84774
Reviewed by Tony Chang.
Source/WebCore:
Test: fast/inline/crash-new-continuation-with-outline.html
The bug comes from trying to repaint the :after content as part of updateBeforeAfterContent.
The repainting logic would query the yet-to-be-inserted continuation(). Then we would crash in
RenderBox::clippedOverflowRectForRepaint as we didn't have an enclosingLayer() (which any
RenderObject in the tree will have).
The fix is to check in RenderInline::clippedOverflowRectForRepaint that our continuation()
is properly inserted in the tree. We could check that it isRooted() but it's overkill here.
* rendering/RenderInline.cpp:
(WebCore::RenderInline::clippedOverflowRectForRepaint):
LayoutTests:
* fast/inline/crash-new-continuation-with-outline-expected.txt: Added.
* fast/inline/crash-new-continuation-with-outline.html: Added.
[email protected]
Review URL: https://chromiumcodereview.appspot.com/10375053
Diff
Copied: branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt (from rev 115458, trunk/LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt) (0 => 116441)
--- branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt (rev 0)
+++ branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt 2012-05-08 18:51:18 UTC (rev 116441)
@@ -0,0 +1,3 @@
+Test case for bug 84774: NULL-deref in RenderBox::clippedOverflowRectForRepaint
+
+PASSED, this test did not crashed.
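Review bot: The expected line "PASSED, this test did not crashed." has a grammar slip and should read "did not crash". This file is compared against the text the test dumps, so the same string in crash-new-continuation-with-outline.html has to change in the same commit or the two will no longer match.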
Copied: branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline.html (from rev 115458, trunk/LayoutTests/fast/inline/crash-new-continuation-with-outline.html) (0 => 116441)
--- branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline.html (rev 0)
+++ branches/chromium/1084/LayoutTests/fast/inline/crash-new-continuation-with-outline.html 2012-05-08 18:51:18 UTC (rev 116441)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+ object:after {
+ content: "ipsum";
+ }
+ object {
+ opacity: 0.6039658321533352;
+ visibility: hidden;
+ outline-style: dotted;
+ }
+</style>
+</head>
+<body>
+<p>Test case for bug <a href="" NULL-deref in RenderBox::clippedOverflowRectForRepaint</p>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var objectElement = document.createElement("object");
+ newContent = document.createTextNode("Lorem");
+ objectElement.appendChild(newContent);
+ document.body.appendChild(objectElement);
+
+ var olElement = document.createElement("ol");
+ objectElement.appendChild(olElement);
+
+ document.body.appendChild(document.createTextNode("PASSED, this test did not crashed."));
+</script>
+</body>
+</html>
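Review bot: In the script block, `newContent = document.createTextNode("Lorem");` is missing `var`, so it becomes an implicit global while `objectElement` and `olElement` next to it are declared; add `var` for consistency. The style rules also carry values that read like unreduced fuzzer output (`opacity: 0.6039658321533352`, `visibility: hidden`). A short comment saying which of these, together with `outline-style: dotted` and the `object:after` content, are required to reach the crash would help whoever has to reduce or port this regression test later, and anything not required can be dropped.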
Modified: branches/chromium/1084/Source/WebCore/rendering/RenderInline.cpp (116440 => 116441)
--- branches/chromium/1084/Source/WebCore/rendering/RenderInline.cpp 2012-05-08 18:45:13 UTC (rev 116440)
+++ branches/chromium/1084/Source/WebCore/rendering/RenderInline.cpp 2012-05-08 18:51:18 UTC (rev 116441)
@@ -1058,7 +1058,7 @@
}
}
- if (continuation() && !continuation()->isInline()) {
+ if (continuation() && !continuation()->isInline() && continuation()->parent()) {
LayoutRect contRect = continuation()->rectWithOutlineForRepaint(repaintContainer, ow);
r.unite(contRect);
}
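Review bot: The added `continuation()->parent()` condition has no comment, and from the code alone it is not clear why a continuation could lack a parent. A one-line comment above the `if` saying that the continuation may not yet be inserted in the tree when repaint is requested from updateBeforeAfterContent (bug 84774) would keep the check from being removed as redundant later. Since the log message names isRooted() as the stricter test, the comment could also say why a non-null parent() is sufficient at this call site. Optionally hoist `continuation()` into a local, as it is now called four times across these two lines.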