Context Navigation

Changeset 28299 in webkit

Timestamp:

Dec 1, 2007, 8:33:40 AM (17 years ago)

Author:

mitz@apple.com

Message:

WebCore:

Reviewed by Darin Adler.

fix <rdar://problem/5619240> REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)

Test: fast/dynamic/subtree-common-root.html

page/FrameView.cpp: (WebCore::FrameView::layoutRoot): Added a parameter to let this method return the layout root for a pending layout as well. (WebCore::FrameView::scheduleRelayoutOfSubtree): Pass the new root to markContainingBlocksForLayout(). Otherwise, markContainingBlocksForLayout() could mark past the new root, if it had previously been marked as having a normal child needing layout and then was reached via a positioned child.
page/FrameView.h:
rendering/RenderBox.cpp: (WebCore::RenderBox::calcWidth):
rendering/RenderObject.cpp: (WebCore::RenderObject::~RenderObject): Fixed the ASSERT so that it would really catch deletion of the layout root. (WebCore::RenderObject::markContainingBlocksForLayout): Added the newRoot parameter, which tells this method where to stop marking.
rendering/RenderObject.h:

LayoutTests:

Reviewed by Darin Adler.

test for <rdar://problem/5619240> REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)

Location:

trunk

Files:

-              r28260
+              r28299
+-12-01  Dan Bernstein  <mitz@apple.com>
+        Reviewed by Darin Adler.
+        - test for <rdar://problem/5619240> REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)
+        * fast/dynamic/subtree-common-root-expected.txt: Added.
+        * fast/dynamic/subtree-common-root.html: Added.
 -11-30  Eric Seidel  <eric@webkit.org>

-              r28298
+              r28299
+-12-01  Dan Bernstein  <mitz@apple.com>
+        Reviewed by Darin Adler.
+        - fix <rdar://problem/5619240> REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)
+        Test: fast/dynamic/subtree-common-root.html
+        * page/FrameView.cpp:
+        (WebCore::FrameView::layoutRoot): Added a parameter to let this method
+        return the layout root for a pending layout as well.
+        (WebCore::FrameView::scheduleRelayoutOfSubtree): Pass the new root
+        to markContainingBlocksForLayout(). Otherwise,
+        markContainingBlocksForLayout() could mark past the new root, if it had
+        previously been marked as having a normal child needing layout and then
+        was reached via a positioned child.
+        * page/FrameView.h:
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::calcWidth):
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::~RenderObject): Fixed the ASSERT so that
+        it would really catch deletion of the layout root.
+        (WebCore::RenderObject::markContainingBlocksForLayout): Added the
+        newRoot parameter, which tells this method where to stop marking.
+        * rendering/RenderObject.h:
 -12-01  Dan Bernstein  <mitz@apple.com>

-              r27952
+              r28299
+}
 RenderObject* FrameView::layoutRoot() const
+{
     return layoutPending() ? 0 : d->layoutRoot;
+RenderObject* FrameView::layoutRoot(bool onlyDuringLayout) const
+{
+    return onlyDuringLayout && layoutPending() ? 0 : d->layoutRoot;
+}
 …
             if (isObjectAncestorContainerOf(d->layoutRoot, o)) {
                 // Keep the current root
                 o->markContainingBlocksForLayout(false);
+                o->markContainingBlocksForLayout(false, d->layoutRoot);
             } else if (d->layoutRoot && isObjectAncestorContainerOf(o, d->layoutRoot)) {
                 // Re-root at o
                 d->layoutRoot->markContainingBlocksForLayout(false);
+                d->layoutRoot->markContainingBlocksForLayout(false, o);
                 d->layoutRoot = o;
             } else {

r27952	r28299
77	77	bool layoutPending() const;
78	78
79		RenderObject* layoutRoot() const;
	79	RenderObject* layoutRoot(bool onlyDuringLayout = false) const;
80	80	int layoutCount() const;
81	81

r28226	r28299
1082	1082
1083	1083	// If layout is limited to a subtree, the subtree root's width does not change.
1084		if (node() && view()->frameView() && view()->frameView()->layoutRoot() == this)
	1084	if (node() && view()->frameView() && view()->frameView()->layoutRoot(true) == this)
1085	1085	return;
1086	1086

-              r28084
+              r28299
 RenderObject::~RenderObject()
+{
     ASSERT(!node() || !document()->frame()->view() || document()->frame()->view()->layoutRoot() != this);
+    ASSERT(!node() || documentBeingDestroyed() || !document()->frame()->view() || document()->frame()->view()->layoutRoot() != this);
 #ifndef NDEBUG
     --RenderObjectCounter::count;
 …
+}
+void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout)
+{
+void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout, RenderObject* newRoot)
+{
+    ASSERT(!scheduleRelayout || !newRoot);
     RenderObject* o = container();
     RenderObject* last = this;
 …
             o->m_normalChildNeedsLayout = true;
+        }
+        if (o == newRoot)
+            return;
         last = o;

r28127	r28299
378	378
379	379	virtual void markAllDescendantsWithFloatsForLayout(RenderObject* floatToRemove = 0);
380		void markContainingBlocksForLayout(bool scheduleRelayout = true);
	380	void markContainingBlocksForLayout(bool scheduleRelayout = true, RenderObject* newRoot = 0);
381	381	void setNeedsLayout(bool b, bool markParents = true);
382	382	void setChildNeedsLayout(bool b, bool markParents = true);

Note: See TracChangeset for help on using the changeset viewer.