From: inferno@chromium.org Date: Wed, 22 Feb 2012 21:33:33 +0000 (+0000) Subject: Source/WebCore: Crash due to accessing removed parent lineboxes when clearing view... X-Git-Tag: 070512121124~12119 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f201fabb467ab8d4c275f5d27792fe7ba721f13e;p=profile%2Fivi%2Fwebkit-efl.git Source/WebCore: Crash due to accessing removed parent lineboxes when clearing view selection. https://bugs.webkit.org/show_bug.cgi?id=79264 Reviewed by Eric Seidel. When our block needed a full layout, we were deleting our own lineboxes and letting descendant children (at any level in hierarchy and not just immediate children) clear their own lineboxes as we keep laying them out. This was problematic because those descendant children lineboxes were pointing to removed parent lineboxes in the meantime. An example scenario where this would go wrong is first-letter object removal, which can cause clearing view selection, leading to accessing parent lineboxes. The patch modifies clearing the entire linebox tree upfront. It shouldn't introduce performance issues since it will eventually happen as we are laying out those children. Test: fast/css-generated-content/first-letter-textbox-parent-crash.html * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlock::layoutInlineChildren): LayoutTests: Crash due to accessing removed parent lineboxes when clearing view selection. https://bugs.webkit.org/show_bug.cgi?id=79264 Reviewed by Eric Seidel. * fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added. * fast/css-generated-content/first-letter-textbox-parent-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108547 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 72f795a..1de78bb 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog 
@@ -1,5 +1,15 @@ 2012-02-22 Abhishek Arya + Crash due to accessing removed parent lineboxes when clearing view selection. + https://bugs.webkit.org/show_bug.cgi?id=79264 + + Reviewed by Eric Seidel. + + * fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added. + * fast/css-generated-content/first-letter-textbox-parent-crash.html: Added. + +2012-02-22 Abhishek Arya + Cloning and linebox issues in multi-column layout. https://bugs.webkit.org/show_bug.cgi?id=78273 diff --git a/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt b/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt new file mode 100644 index 0000000..7ef22e9 --- /dev/null +++ b/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt @@ -0,0 +1 @@ +PASS diff --git a/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html b/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html new file mode 100755 index 0000000..eb49908 --- /dev/null +++ b/LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html @@ -0,0 +1,30 @@ + + + + + + + + + diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index e56934a..c275cac 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,5 +1,28 @@ 2012-02-22 Abhishek Arya + Crash due to accessing removed parent lineboxes when clearing view selection. + https://bugs.webkit.org/show_bug.cgi?id=79264 + + Reviewed by Eric Seidel. + + When our block needed a full layout, we were deleting our own lineboxes + and letting descendant children (at any level in hierarchy and not just + immediate children) clear their own lineboxes as we keep laying them out. + This was problematic because those descendant children lineboxes were + pointing to removed parent lineboxes in the meantime. An example scenario + where this would go wrong is first-letter object removal, which can cause + clearing view selection, leading to accessing parent lineboxes. The patch + modifies clearing the entire linebox tree upfront. It shouldn't introduce + performance issues since it will eventually happen as we are laying out + those children. + + Test: fast/css-generated-content/first-letter-textbox-parent-crash.html + + * rendering/RenderBlockLineLayout.cpp: + (WebCore::RenderBlock::layoutInlineChildren): + +2012-02-22 Abhishek Arya + Cloning and linebox issues in multi-column layout. https://bugs.webkit.org/show_bug.cgi?id=78273 diff --git a/Source/WebCore/rendering/RenderBlockLineLayout.cpp b/Source/WebCore/rendering/RenderBlockLineLayout.cpp index 296cb06..47b6324 100755 --- a/Source/WebCore/rendering/RenderBlockLineLayout.cpp +++ b/Source/WebCore/rendering/RenderBlockLineLayout.cpp @@ -1462,7 +1462,7 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, LayoutUnit& repain LineLayoutState layoutState(isFullLayout, repaintLogicalTop, repaintLogicalBottom); if (isFullLayout) - lineBoxes()->deleteLineBoxes(renderArena()); + deleteLineBoxTree(); // Text truncation only kicks in if your overflow isn't visible and your text-overflow-mode isn't // clip.
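Review bot: In the RenderBlockLineLayout.cpp hunk, swapping `lineBoxes()->deleteLineBoxes(renderArena())` for `deleteLineBoxTree()` widens the delete from this block's own line boxes to the whole inline subtree, which is the fix the ChangeLog describes (descendant boxes otherwise keep pointers to parent boxes that were already freed, and a first-letter removal that clears the view selection then dereferences them). The one-liner does not say why the full-tree delete is required, so a short comment above it pointing at bug 79264 and the dangling-parent-pointer hazard would stop a later cleanup from "optimising" it back to the shallow delete. Reviewers should also confirm that nothing between this line and the point where the new lines are built still reads the old boxes of this block or of any descendant, since the whole tree is now gone at this point rather than just the top level, and that the "it will eventually happen as we lay out those children" performance argument holds for the partial-layout paths that do not take the `isFullLayout` branch.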
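Review bot: The hunk adding first-letter-textbox-parent-crash.html is not reviewable in this rendering: the header says 30 lines were added, but only empty `+` lines survive, so the test body cannot be checked against the scenario the ChangeLog names (a first-letter object being removed while a selection exists, forcing a full layout of the block). The expected file contains only `PASS`, so the test should print that marker after the removal and selection clearing rather than relying solely on not crashing; please verify the markup matches that intent. Minor: the new test file is added with mode 100755 (and RenderBlockLineLayout.cpp already carries 100755); an HTML layout test does not need the executable bit, so mode 100644 would be the conventional choice.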