Title: [133489] branches/safari-536.28-branch/Source/WebCore
- Revision
- 133489
- Author
- [email protected]
- Date
- 2012-11-05 09:37:13 -0800 (Mon, 05 Nov 2012)
Log Message
Merged r125315. <rdar://problem/12536439>
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133488 => 133489)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-05 17:33:27 UTC (rev 133488)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-05 17:37:13 UTC (rev 133489)
@@ -1,5 +1,27 @@
2012-11-05 Lucas Forschler <[email protected]>
+ Merge r125315
+
+ 2012-08-10 Abhishek Arya <[email protected]>
+
+ Crash on accessing a removed layout root in FrameView::scheduleRelayout.
+ https://bugs.webkit.org/show_bug.cgi?id=91368
+
+ Reviewed by Levi Weintraub.
+
+ We were calling setNeedsLayoutAndPrefWidthsRecalc() in RenderBlock::collapseAnonymousBoxChild
+ even when documentBeingDestroyed() was true. This ends up accessing stale layout root and bypasses
+ mitigation added in r109406. There is no need to waste time merging up anonymous blocks in
+ RenderBlock::removeChild when documentBeingDestroyed() is true.
+
+ No new tests. The test is time sensitive, requires a bunch of reloads, and only reproduces on chromium linux.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::collapseAnonymousBoxChild):
+ (WebCore::RenderBlock::removeChild):
+
+2012-11-05 Lucas Forschler <[email protected]>
+
Merge r125237
2012-08-09 MORITA Hajime <[email protected]>
@@ -206548,3 +206570,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp (133488 => 133489)
--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-11-05 17:33:27 UTC (rev 133488)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-11-05 17:37:13 UTC (rev 133489)
@@ -1150,15 +1150,21 @@
RenderBlock* anonBlock = toRenderBlock(parent->children()->removeChildNode(parent, child, child->hasLayer()));
anonBlock->moveAllChildrenTo(parent, nextSibling, child->hasLayer());
// Delete the now-empty block's lines and nuke it.
- if (!parent->documentBeingDestroyed())
- anonBlock->deleteLineBoxTree();
- if (!parent->documentBeingDestroyed() && childFlowThread && childFlowThread->isRenderNamedFlowThread())
+ anonBlock->deleteLineBoxTree();
+ if (childFlowThread && childFlowThread->isRenderNamedFlowThread())
toRenderNamedFlowThread(childFlowThread)->removeFlowChildInfo(anonBlock);
anonBlock->destroy();
}
void RenderBlock::removeChild(RenderObject* oldChild)
{
+ // No need to waste time in merging or removing empty anonymous blocks.
+ // We can just bail out if our document is getting destroyed.
+ if (documentBeingDestroyed()) {
+ RenderBox::removeChild(oldChild);
+ return;
+ }
+
// If this child is a block, and if our previous and next siblings are
// both anonymous blocks with inline content, then we can go ahead and
// fold the inline content back together.
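Review bot: Dropping the `!parent->documentBeingDestroyed()` guards in collapseAnonymousBoxChild makes the now-unconditional deleteLineBoxTree() and removeFlowChildInfo() calls safe only because removeChild returns early during document teardown; that invariant is enforced in the caller but not stated in the helper, so a future caller reached during teardown would reintroduce the stale layout-root access this merge fixes. The start of collapseAnonymousBoxChild lies outside the hunk; at its top I would add `ASSERT(!parent->documentBeingDestroyed());` with the comment `// Callers must bail out during document teardown (see removeChild): this touches line boxes and flow-thread state.` The same dependence on the early return applies to the second hunk, where `if (!firstChild())` loses its documentBeingDestroyed() check. The new early-return comment in removeChild could name that dependency as well, e.g. `// collapseAnonymousBoxChild() and the firstChild() cleanup below rely on this early return.`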
@@ -1228,7 +1234,7 @@
}
}
- if (!firstChild() && !documentBeingDestroyed()) {
+ if (!firstChild()) {
// If this was our last child be sure to clear out our line boxes.
if (childrenInline())
deleteLineBoxTree();