- Revision: 126459
- Author: [email protected]
- Date: 2012-08-23 11:45:47 -0700 (Thu, 23 Aug 2012)
Log Message
[CSSRegions]Crash when moving anonymous block children inside a named flow
https://bugs.webkit.org/show_bug.cgi?id=90865
Patch by Andrei Onea <[email protected]> on 2012-08-23
Reviewed by Abhishek Arya.
Source/WebCore:
When an anonymous block's children are detached in RenderBlock::collapseAnonymousBoxChild, the reference
to their enclosingRenderFlowThread is lost and causes a crash in RenderObject::willBeRemovedFromTree.
Because of this, we now maintain the enclosingRenderFlowThread during the whole lifetime of the
RenderBlock::collapseAnonymousBoxChild function, using a CurrentRenderFlowThreadMaintainer local.
Test: fast/regions/move-anonymous-block-inside-named-flow-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::collapseAnonymousBoxChild):
* rendering/RenderFlowThread.cpp:
(WebCore::CurrentRenderFlowThreadMaintainer::CurrentRenderFlowThreadMaintainer):
(WebCore):
(WebCore::CurrentRenderFlowThreadMaintainer::~CurrentRenderFlowThreadMaintainer):
Moved CurrentRenderFlowThreadMaintainer declaration from .cpp to .h, so that we can access it from
RenderBlock::collapseAnonymousBoxChild.
* rendering/RenderFlowThread.h:
(CurrentRenderFlowThreadMaintainer):
(WebCore):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeRemovedFromTree):
LayoutTests:
Added test for crash which happens when the children of an anonymous block
inside a flow thread are moved.
* fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt:
* fast/regions/move-anonymous-block-inside-named-flow-crash.html:
Diff
Modified: trunk/LayoutTests/ChangeLog (126458 => 126459)
--- trunk/LayoutTests/ChangeLog 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/LayoutTests/ChangeLog 2012-08-23 18:45:47 UTC (rev 126459)
@@ -1,3 +1,16 @@
+2012-08-23 Andrei Onea <[email protected]>
+
+ [CSSRegions]Crash when moving anonymous block children inside a named flow
+ https://bugs.webkit.org/show_bug.cgi?id=90865
+
+ Reviewed by Abhishek Arya.
+
+ Added test for crash which happens when the children of an anonymous block
+ inside a flow thread are moved.
+
+ * fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt:
+ * fast/regions/move-anonymous-block-inside-named-flow-crash.html:
+
2012-08-23 Li Yin <[email protected]>
Add test for decodeAudioData
Added: trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt (0 => 126459)
--- trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt 2012-08-23 18:45:47 UTC (rev 126459)
@@ -0,0 +1,2 @@
+Bug 90865:[CSSRegions]Crash when moving anonymous block children inside a named flow. Test passes if it does not CRASH or ASSERT.
+
Added: trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash.html (0 => 126459)
--- trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash.html (rev 0)
+++ trunk/LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash.html 2012-08-23 18:45:47 UTC (rev 126459)
@@ -0,0 +1,27 @@
+<!doctype html>
+<html>
+<head>
+<style>
+.container { -webkit-column-count: 1; -webkit-flow-into: flow; }
+.columnSpan { -webkit-column-span: all; }
+.flow { -webkit-flow-from: flow; width: 100px; height: 100px; }
+</style>
+</head>
+<body>
+<div class="container">
+ <div id="test">
+ <div class="columnSpan"></div>
+ </div>
+</div>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ var test = document.getElementById("test");
+ test.innerHTML = "Bug 90865:[CSSRegions]Crash when moving anonymous block children inside a named flow.\
+ Test passes if it does not CRASH or ASSERT.";
+ var article = document.createElement("div");
+ article.setAttribute("class", "flow");
+ document.body.appendChild(article);
+</script>
+</body>
+</html>
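Review bot: The script assigns test.innerHTML without first forcing style resolution or layout, so the test depends on the renderers under .container already being attached when the assignment runs. Reading document.body.offsetTop before the innerHTML assignment would make the precondition explicit and keep the test from passing vacuously if attachment timing changes. The region element is also held in a variable named article although it is a plain div with class "flow"; a name such as region would read better.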
Modified: trunk/Source/WebCore/ChangeLog (126458 => 126459)
--- trunk/Source/WebCore/ChangeLog 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/Source/WebCore/ChangeLog 2012-08-23 18:45:47 UTC (rev 126459)
@@ -1,3 +1,32 @@
+2012-08-23 Andrei Onea <[email protected]>
+
+ [CSSRegions]Crash when moving anonymous block children inside a named flow
+ https://bugs.webkit.org/show_bug.cgi?id=90865
+
+ Reviewed by Abhishek Arya.
+
+ When an anonymous block's children are detached in RenderBlock::collapseAnonymousBoxChild, the reference
+ to their enclosingRenderFlowThread is lost and causes a crash in RenderObject::willBeRemovedFromTree.
+ Because of this, we now maintain the enclosingRenderFlowThread during the whole lifetime of the
+ RenderBlock::collapseAnonymousBoxChild function, using a CurrentRenderFlowThreadMaintainer local.
+
+
+ Test: fast/regions/move-anonymous-block-inside-named-flow-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::collapseAnonymousBoxChild):
+ * rendering/RenderFlowThread.cpp:
+ (WebCore::CurrentRenderFlowThreadMaintainer::CurrentRenderFlowThreadMaintainer):
+ (WebCore):
+ (WebCore::CurrentRenderFlowThreadMaintainer::~CurrentRenderFlowThreadMaintainer):
+ Moved CurrentRenderFlowThreadMaintaner declaration from .cpp to .h, so that we can access it from
+ RenderBlock::collapseAnonymousBoxChild.
+ * rendering/RenderFlowThread.h:
+ (CurrentRenderFlowThreadMaintainer):
+ (WebCore):
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::willBeRemovedFromTree):
+
2012-08-23 Kevin Ollivier <[email protected]>
[wx] Unreviewed build fix. Add wx to the list of platforms that use CoreText
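Review bot: The entry for rendering/RenderObject.cpp (WebCore::RenderObject::willBeRemovedFromTree) carries no description, yet that file's hunk replaces the removeRenderBoxRegionInfo and clearRenderObjectCustomStyle calls with a single removeFlowChildInfo call and adds an ASSERT; a sentence explaining that change belongs here. The new null check in the CurrentRenderFlowThreadMaintainer constructor and destructor is likewise a behaviour change that the RenderFlowThread.cpp entry does not mention, and "CurrentRenderFlowThreadMaintaner" in that entry is misspelled.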
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (126458 => 126459)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-08-23 18:45:47 UTC (rev 126459)
@@ -1143,6 +1143,8 @@
RenderObject* nextSibling = child->nextSibling();
RenderFlowThread* childFlowThread = child->enclosingRenderFlowThread();
+ CurrentRenderFlowThreadMaintainer flowThreadMaintainer(childFlowThread);
+
RenderBlock* anonBlock = toRenderBlock(parent->children()->removeChildNode(parent, child, child->hasLayer()));
anonBlock->moveAllChildrenTo(parent, nextSibling, child->hasLayer());
// Delete the now-empty block's lines and nuke it.
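Review bot: The new flowThreadMaintainer local has no comment, and nothing at the call site says it exists for its side effect of keeping the flow thread reachable while removeChildNode and moveAllChildrenTo detach the children. A one-line comment above the declaration, naming RenderObject::willBeRemovedFromTree as the consumer, would stop a later cleanup from deleting what looks like an unused variable. Its constructor also asserts that no flow thread is currently set, so it is worth stating (or asserting here) that collapseAnonymousBoxChild is never reached while another maintainer is alive.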
Modified: trunk/Source/WebCore/rendering/RenderFlowThread.cpp (126458 => 126459)
--- trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2012-08-23 18:45:47 UTC (rev 126459)
@@ -107,26 +107,6 @@
checkRegionsWithStyling();
}
-class CurrentRenderFlowThreadMaintainer {
- WTF_MAKE_NONCOPYABLE(CurrentRenderFlowThreadMaintainer);
-public:
- CurrentRenderFlowThreadMaintainer(RenderFlowThread* renderFlowThread)
- : m_renderFlowThread(renderFlowThread)
- {
- RenderView* view = m_renderFlowThread->view();
- ASSERT(!view->flowThreadController()->currentRenderFlowThread());
- view->flowThreadController()->setCurrentRenderFlowThread(m_renderFlowThread);
- }
- ~CurrentRenderFlowThreadMaintainer()
- {
- RenderView* view = m_renderFlowThread->view();
- ASSERT(view->flowThreadController()->currentRenderFlowThread() == m_renderFlowThread);
- view->flowThreadController()->setCurrentRenderFlowThread(0);
- }
-private:
- RenderFlowThread* m_renderFlowThread;
-};
-
class CurrentRenderFlowThreadDisabler {
WTF_MAKE_NONCOPYABLE(CurrentRenderFlowThreadDisabler);
public:
@@ -793,4 +773,24 @@
return false;
}
+CurrentRenderFlowThreadMaintainer::CurrentRenderFlowThreadMaintainer(RenderFlowThread* renderFlowThread)
+ : m_renderFlowThread(renderFlowThread)
+{
+ if (!m_renderFlowThread)
+ return;
+ RenderView* view = m_renderFlowThread->view();
+ ASSERT(!view->flowThreadController()->currentRenderFlowThread());
+ view->flowThreadController()->setCurrentRenderFlowThread(m_renderFlowThread);
+}
+
+CurrentRenderFlowThreadMaintainer::~CurrentRenderFlowThreadMaintainer()
+{
+ if (!m_renderFlowThread)
+ return;
+ RenderView* view = m_renderFlowThread->view();
+ ASSERT(view->flowThreadController()->currentRenderFlowThread() == m_renderFlowThread);
+ view->flowThreadController()->setCurrentRenderFlowThread(0);
+}
+
+
} // namespace WebCore
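Review bot: The destructor always calls setCurrentRenderFlowThread(0) instead of restoring whatever was current when the object was constructed, and the only guard against nesting is the ASSERT in the constructor, which is compiled out of release builds. Now that the class is used outside flow thread layout, a nested use in a release build would silently clear the outer maintainer's value; saving the previous currentRenderFlowThread() in a member and restoring it in the destructor removes that hazard. m_renderFlowThread is also a raw pointer that is dereferenced again in the destructor, so the class comment should state that the flow thread must outlive the maintainer.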
Modified: trunk/Source/WebCore/rendering/RenderFlowThread.h (126458 => 126459)
--- trunk/Source/WebCore/rendering/RenderFlowThread.h 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.h 2012-08-23 18:45:47 UTC (rev 126459)
@@ -197,6 +197,15 @@
// This will catch anyone doing an unnecessary cast.
void toRenderFlowThread(const RenderFlowThread*);
+class CurrentRenderFlowThreadMaintainer {
+ WTF_MAKE_NONCOPYABLE(CurrentRenderFlowThreadMaintainer);
+public:
+ CurrentRenderFlowThreadMaintainer(RenderFlowThread*);
+ ~CurrentRenderFlowThreadMaintainer();
+private:
+ RenderFlowThread* m_renderFlowThread;
+};
+
} // namespace WebCore
#endif // RenderFlowThread_h
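Review bot: The single-argument constructor CurrentRenderFlowThreadMaintainer(RenderFlowThread*) is not marked explicit, so a RenderFlowThread* converts implicitly to a maintainer now that the class is visible to every includer of this header. Declare it explicit, and add a short comment above the class saying that a null RenderFlowThread* is accepted and makes the object a no-op, since that contract is only visible in the .cpp file.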
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (126458 => 126459)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2012-08-23 18:43:55 UTC (rev 126458)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2012-08-23 18:45:47 UTC (rev 126459)
@@ -2435,9 +2435,8 @@
parent()->dirtyLinesFromChangedChild(this);
if (inRenderFlowThread()) {
- if (isBox())
- enclosingRenderFlowThread()->removeRenderBoxRegionInfo(toRenderBox(this));
- enclosingRenderFlowThread()->clearRenderObjectCustomStyle(this);
+ ASSERT(enclosingRenderFlowThread());
+ enclosingRenderFlowThread()->removeFlowChildInfo(this);
}
if (RenderNamedFlowThread* containerFlowThread = parent()->enclosingRenderNamedFlowThread())
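Review bot: Inside the inRenderFlowThread() branch, ASSERT(enclosingRenderFlowThread()) is followed by an unconditional enclosingRenderFlowThread()->removeFlowChildInfo(this), so a release build, where ASSERT compiles out, still dereferences null if any other removal path loses the flow thread without a CurrentRenderFlowThreadMaintainer in scope. Fetching the result once into a local and skipping the call when it is null would keep the debug assertion while making release builds safe, and avoids the second lookup. removeFlowChildInfo is not defined in any hunk shown here, so please confirm it keeps the isBox() guard that the removed lines applied before removeRenderBoxRegionInfo.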