Changeset 126304 in webkit


Timestamp:
Aug 22, 2012, 8:34:57 AM (13 years ago)
Author:
commit-queue@webkit.org
Message:

Crash in WebCore::RenderBlock::removeChild
https://bugs.webkit.org/show_bug.cgi?id=93879

Patch by Raul Hudea <rhudea@adobe.com> on 2012-08-22
Reviewed by Abhishek Arya.

Source/WebCore:

By adding the lifetime state to the RenderNamedFlowThread (r122556), it became possible for a RenderRegion object to delete its sibling,
the RenderNamedFlowThread. This is unexpected in the rendering world and causes problems in RenderBlock::removeChild where we retain previous
and next sibling pointers.
So, all the RenderNamedFlowThreads are created under a RenderFlowThreadContainer object instead of the RenderView. The new object is created only
when the first named flow is created.

Test: fast/regions/remove-flow-thread-crash.html

  • CMakeLists.txt:
  • GNUmakefile.list.am:
  • Target.pri:
  • WebCore.gypi:
  • WebCore.vcproj/WebCore.vcproj:
  • WebCore.xcodeproj/project.pbxproj:
  • rendering/FlowThreadController.cpp:
    (WebCore::FlowThreadController::FlowThreadController): Added initialization for the new RenderFlowThreadContainer member
    (WebCore::FlowThreadController::ensureRenderFlowThreadWithName): Added the creation of the RenderFlowThreadContainer object and use it as the parent for all RenderNamedFlowThreads
    (WebCore::FlowThreadController::styleDidChange): Inform all the RenderNamedFlowThreads that the style changed in regions (initially this code was in RenderView, but now all RenderNamedFlowThreads are children of RenderFlowThreadContainer)
    (WebCore):
  • rendering/FlowThreadController.h:
    (WebCore):
    (FlowThreadController):
  • rendering/RenderFlowThreadContainer.cpp: Added.
    (WebCore):
    (WebCore::RenderFlowThreadContainer::RenderFlowThreadContainer):
    (WebCore::RenderFlowThreadContainer::layout):
  • rendering/RenderFlowThreadContainer.h: Added.
  • rendering/RenderObject.cpp:
    (WebCore::RenderObject::markContainingBlocksForLayout): Skip to RenderView if the current object is a RenderFlowThreadContainer.
  • rendering/RenderObject.h:
    (WebCore::RenderObject::isRenderFlowThreadContainer):
  • rendering/RenderView.cpp:
    (WebCore::RenderView::styleDidChange): Moved the code associated with RenderNamedFlowThreads to FlowThreadController::styleDidChange and call it instead.

LayoutTests:

Test the region-flow_thread sibling case

  • fast/regions/remove-flow-thread-crash-expected.txt: Added.
  • fast/regions/remove-flow-thread-crash.html: Added.
Location:
trunk
Files:
4 added
13 edited

  • trunk/LayoutTests/ChangeLog

    r126301 r126304  
     12012-08-22  Raul Hudea  <rhudea@adobe.com>
     2
     3        Crash in WebCore::RenderBlock::removeChild
     4        https://bugs.webkit.org/show_bug.cgi?id=93879
     5
     6        Reviewed by Abhishek Arya.
     7
     8        Test the region-flow_thread sibling case
     9
     10        * fast/regions/remove-flow-thread-crash-expected.txt: Added.
     11        * fast/regions/remove-flow-thread-crash.html: Added.
     12
    1132012-08-22  Sheriff Bot  <webkit.review.bot@gmail.com>
    214
  • trunk/Source/WebCore/CMakeLists.txt

    r126258 r126304  
    20282028    rendering/RenderGrid.cpp
    20292029    rendering/RenderFlowThread.cpp
     2030    rendering/RenderFlowThreadContainer.cpp
    20302031    rendering/RenderFrame.cpp
    20312032    rendering/RenderFrameBase.cpp
  • trunk/Source/WebCore/ChangeLog

    r126303 r126304  
     12012-08-22  Raul Hudea  <rhudea@adobe.com>
     2
     3        Crash in WebCore::RenderBlock::removeChild
     4        https://bugs.webkit.org/show_bug.cgi?id=93879
     5
     6        Reviewed by Abhishek Arya.
     7
     8        By adding the lifetime state to the RenderNamedFlowThread (r122556), it become possible for the a RenderRegion object to delete its sibling,
     9        the RenderNamedFlowThread. This is unexpected in the rendering world and cause problems in RenderBlock::removeChild where we retain previous
     10        and next sibling pointers.
     11        So, all the RenderNamedFlowThread are created under a RenderFlowThreadContainer object insted of the RenderView. The new object is created only
     12        when the first named flow is created.
     13
     14        Test: fast/regions/remove-flow-thread-crash.html
     15
     16        * CMakeLists.txt:
     17        * GNUmakefile.list.am:
     18        * Target.pri:
     19        * WebCore.gypi:
     20        * WebCore.vcproj/WebCore.vcproj:
     21        * WebCore.xcodeproj/project.pbxproj:
     22        * rendering/FlowThreadController.cpp:
     23        (WebCore::FlowThreadController::FlowThreadController): Added initialization for the new RenderFlowThreadContainer member
     24        (WebCore::FlowThreadController::ensureRenderFlowThreadWithName): Added the creation of the RenderFlowThreadContainer object and use it as a parent for all RenderNamedFlowThreads
     25        (WebCore::FlowThreadController::styleDidChange): Inform all the RenderNamedFlowThreads that the style changed in regions (initially this code was in RenderView, but now all RenderNamedFlowThreads are children of RenderFlowThreadContainer)
     26        (WebCore):
     27        * rendering/FlowThreadController.h:
     28        (WebCore):
     29        (FlowThreadController):
     30        * rendering/RenderFlowThreadContainer.cpp: Added.
     31        (WebCore):
     32        (WebCore::RenderFlowThreadContainer::RenderFlowThreadContainer):
     33        (WebCore::RenderFlowThreadContainer::layout):
     34        * rendering/RenderFlowThreadContainer.h: Added.
     35        * rendering/RenderObject.cpp:
     36        (WebCore::RenderObject::markContainingBlocksForLayout): Skip to RenderView if the current object is an RenderFlowThreadContainer.
     37        * rendering/RenderObject.h:
     38        (WebCore::RenderObject::isRenderFlowThreadContainer):
     39        * rendering/RenderView.cpp:
     40        (WebCore::RenderView::styleDidChange): Moved the code associated to RenderNamedFlowThreads to FlowThreadController:styleDidChange and call it instead.
     41
    1422012-08-22  Rob Buis  <rbuis@rim.com>
    243
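Review bot: the ChangeLog entry (lines 8-11 and 40 of the hunk) has several typos that will be preserved in the repository history once landed: "it become possible for the a RenderRegion object" should read "it became possible for a RenderRegion object", "cause problems" should be "causes problems", "insted" should be "instead", and "FlowThreadController:styleDidChange" is missing the second colon of the scope operator.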
  • trunk/Source/WebCore/GNUmakefile.list.am

    r126258 r126304  
    48704870        Source/WebCore/rendering/RenderFlowThread.cpp \
    48714871        Source/WebCore/rendering/RenderFlowThread.h \
     4872        Source/WebCore/rendering/RenderFlowThreadContainer.cpp \
     4873        Source/WebCore/rendering/RenderFlowThreadContainer.h \
    48724874        Source/WebCore/rendering/RenderFrameBase.cpp \
    48734875        Source/WebCore/rendering/RenderFrameBase.h \
  • trunk/Source/WebCore/Target.pri

    r126291 r126304  
    11191119    rendering/RenderFlexibleBox.cpp \
    11201120    rendering/RenderFlowThread.cpp \
     1121    rendering/RenderFlowThreadContainer.cpp \
    11211122    rendering/RenderFrame.cpp \
    11221123    rendering/RenderFrameBase.cpp \
  • trunk/Source/WebCore/WebCore.gypi

    r126300 r126304  
    557557            'rendering/RenderEmbeddedObject.h',
    558558            'rendering/RenderFlowThread.h',
     559            'rendering/RenderFlowThreadContainer.h',
    559560            'rendering/RenderImage.h',
    560561            'rendering/RenderImageResource.h',
     
    47134714            'rendering/RenderFlowThread.cpp',
    47144715            'rendering/RenderFlowThread.h',
     4716            'rendering/RenderFlowThreadContainer.cpp',
     4717            'rendering/RenderFlowThreadContainer.h',
    47154718            'rendering/RenderFrame.cpp',
    47164719            'rendering/RenderFrame.h',
  • trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj

    r126258 r126304  
    3969639696                        </File>
    3969739697                        <File
     39698                                RelativePath="..\rendering\RenderFlowThreadContainer.cpp"
     39699                                >
     39700                        </File>
     39701                        <File
     39702                                RelativePath="..\rendering\RenderFlowThreadContainer.h"
     39703                                >
     39704                        </File>
     39705                        <File
    3969839706                                RelativePath="..\rendering\svg\RenderForeignObject.cpp"
    3969939707                                >
  • trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

    r126258 r126304  
    17011701                5DFE8F570D16477C0076E937 /* ScheduledAction.h in Headers */ = {isa = PBXBuildFile; fileRef = BCA378BB0D15F64200B793D6 /* ScheduledAction.h */; };
    17021702                5FC7DC26CFE2563200B85AE4 /* JSEventTarget.h in Headers */ = {isa = PBXBuildFile; fileRef = 5FC7DC26CFE2563200B85AE5 /* JSEventTarget.h */; };
     1703                603EA36015DD1D7000E150E6 /* RenderFlowThreadContainer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 603EA35E15DD1D7000E150E6 /* RenderFlowThreadContainer.cpp */; };
     1704                603EA36115DD1D7000E150E6 /* RenderFlowThreadContainer.h in Headers */ = {isa = PBXBuildFile; fileRef = 603EA35F15DD1D7000E150E6 /* RenderFlowThreadContainer.h */; };
    17031705                626CDE0E1140424C001E5A68 /* SpatialNavigation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 626CDE0C1140424C001E5A68 /* SpatialNavigation.cpp */; };
    17041706                626CDE0F1140424C001E5A68 /* SpatialNavigation.h in Headers */ = {isa = PBXBuildFile; fileRef = 626CDE0D1140424C001E5A68 /* SpatialNavigation.h */; settings = {ATTRIBUTES = (Private, ); }; };
     
    88458847                5DC87EEF11716DF2001C0E6D /* EmptyProtocolDefinitions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EmptyProtocolDefinitions.h; sourceTree = "<group>"; };
    88468848                5FC7DC26CFE2563200B85AE5 /* JSEventTarget.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = JSEventTarget.h; sourceTree = "<group>"; };
     8849                603EA35E15DD1D7000E150E6 /* RenderFlowThreadContainer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RenderFlowThreadContainer.cpp; sourceTree = "<group>"; };
     8850                603EA35F15DD1D7000E150E6 /* RenderFlowThreadContainer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RenderFlowThreadContainer.h; sourceTree = "<group>"; };
    88478851                626CDE0C1140424C001E5A68 /* SpatialNavigation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SpatialNavigation.cpp; sourceTree = "<group>"; };
    88488852                626CDE0D1140424C001E5A68 /* SpatialNavigation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SpatialNavigation.h; sourceTree = "<group>"; };
     
    2130321307                                508CCA4E13CF106B003151F3 /* RenderFlowThread.cpp */,
    2130421308                                508CCA4D13CF106B003151F3 /* RenderFlowThread.h */,
     21309                                603EA35E15DD1D7000E150E6 /* RenderFlowThreadContainer.cpp */,
     21310                                603EA35F15DD1D7000E150E6 /* RenderFlowThreadContainer.h */,
    2130521311                                A871DECC0A1530C700B12A68 /* RenderFrame.cpp */,
    2130621312                                A871DECB0A1530C700B12A68 /* RenderFrame.h */,
     
    2456224568                                53C8298E13D8D92700DE2DEB /* RenderFlexibleBox.h in Headers */,
    2456324569                                508CCA4F13CF106B003151F3 /* RenderFlowThread.h in Headers */,
     24570                                603EA36115DD1D7000E150E6 /* RenderFlowThreadContainer.h in Headers */,
    2456424571                                A871DED30A1530C700B12A68 /* RenderFrame.h in Headers */,
    2456524572                                0FD3080F117CF7E700A791F7 /* RenderFrameBase.h in Headers */,
     
    2779827805                                53C8298D13D8D92700DE2DEB /* RenderFlexibleBox.cpp in Sources */,
    2779927806                                508CCA5013CF106B003151F3 /* RenderFlowThread.cpp in Sources */,
     27807                                603EA36015DD1D7000E150E6 /* RenderFlowThreadContainer.cpp in Sources */,
    2780027808                                A871DED40A1530C700B12A68 /* RenderFrame.cpp in Sources */,
    2780127809                                0FD3080E117CF7E700A791F7 /* RenderFrameBase.cpp in Sources */,
  • trunk/Source/WebCore/rendering/FlowThreadController.cpp

    r122556 r126304  
    3333
    3434#include "RenderFlowThread.h"
     35#include "RenderFlowThreadContainer.h"
    3536#include "RenderNamedFlowThread.h"
    3637#include "WebKitNamedFlow.h"
     
    4849    : m_view(view)
    4950    , m_currentRenderFlowThread(0)
     51    , m_flowThreadContainer(0)
    5052    , m_isRenderNamedFlowThreadOrderDirty(false)
    5153{
     
    5860RenderNamedFlowThread* FlowThreadController::ensureRenderFlowThreadWithName(const AtomicString& name)
    5961{
     62    if (!m_flowThreadContainer) {
     63        m_flowThreadContainer = new (m_view->renderArena()) RenderFlowThreadContainer(m_view->document());
     64        m_flowThreadContainer->setStyle(RenderFlowThread::createFlowThreadStyle(m_view->style()));
     65        m_view->addChild(m_flowThreadContainer);
     66    }
    6067    if (!m_renderNamedFlowThreadList)
    6168        m_renderNamedFlowThreadList = adoptPtr(new RenderNamedFlowThreadList());
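Review bot: m_flowThreadContainer (lines 62-66) is a raw pointer that this patch never resets, and its ownership is implicit: the object is arena-allocated and handed to m_view->addChild(), so it is destroyed with the RenderView's child list, not by FlowThreadController. That is only safe if the controller never outlives the view; a one-line comment at the creation site stating that the container is owned by the render tree, plus an ASSERT(!m_flowThreadContainer->parent()) style check is not needed here, but the ownership comment is, since the header hunk declares the member with no explanation. It would also help to say why the container reuses RenderFlowThread::createFlowThreadStyle() for its own style rather than a plain anonymous-block style, because nothing in the hunk makes that choice obvious.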
     
    7784    m_renderNamedFlowThreadList->add(flowRenderer);
    7885
    79     // Keep the flow renderer as a child of RenderView.
    80     m_view->addChild(flowRenderer);
     86    // Keep the flow renderer as a child of RenderFlowThreadContainer.
     87    m_flowThreadContainer->addChild(flowRenderer);
    8188
    8289    setIsRenderNamedFlowThreadOrderDirty(true);
    8390
    8491    return flowRenderer;
     92}
     93
     94void FlowThreadController::styleDidChange()
     95{
     96    RenderStyle* viewStyle = m_view->style();
     97    for (RenderNamedFlowThreadList::iterator iter = m_renderNamedFlowThreadList->begin(); iter != m_renderNamedFlowThreadList->end(); ++iter) {
     98        RenderNamedFlowThread* flowRenderer = *iter;
     99        flowRenderer->setStyle(RenderFlowThread::createFlowThreadStyle(viewStyle));
     100    }
    85101}
    86102
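Review bot: FlowThreadController::styleDidChange (lines 94-100) dereferences m_renderNamedFlowThreadList without a null check, so it is correct only while every caller guards with hasRenderNamedFlowThreads(); an ASSERT(m_renderNamedFlowThreadList) at the top of the function would make that contract fail loudly in debug builds instead of crashing later. Separately, the loop restyles each RenderNamedFlowThread from the current view style but leaves m_flowThreadContainer with the style computed from m_view->style() at creation time (line 64 of the previous hunk); if the container's style is meant to track the view style the way the threads' styles do, it needs the same setStyle() call here.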
  • trunk/Source/WebCore/rendering/FlowThreadController.h

    r122556 r126304  
    3838
    3939class RenderFlowThread;
     40class RenderFlowThreadContainer;
    4041class RenderNamedFlowThread;
    4142
     
    6263    bool hasRenderNamedFlowThreads() const { return m_renderNamedFlowThreadList && !m_renderNamedFlowThreadList->isEmpty(); }
    6364    void layoutRenderNamedFlowThreads();
     65    void styleDidChange();
    6466
    6567    void registerNamedFlowContentNode(Node*, RenderNamedFlowThread*);
    6668    void unregisterNamedFlowContentNode(Node*);
    67    
    6869    void removeFlowThread(RenderNamedFlowThread*);
    6970
     
    7475    RenderView* m_view;
    7576    RenderFlowThread* m_currentRenderFlowThread;
     77    RenderFlowThreadContainer* m_flowThreadContainer;
    7678    bool m_isRenderNamedFlowThreadOrderDirty;
    7779    OwnPtr<RenderNamedFlowThreadList> m_renderNamedFlowThreadList;
  • trunk/Source/WebCore/rendering/RenderObject.cpp

    r126074 r126304  
    641641            return;
    642642        if (!last->isText() && last->style()->isOutOfFlowPositioned()) {
    643             bool willSkipRelativelyPositionedInlines = !object->isRenderBlock() || object->isAnonymousBlock();
    644             // Skip relatively positioned inlines and anonymous blocks to get to the enclosing RenderBlock.
    645             while (object && (!object->isRenderBlock() || object->isAnonymousBlock()))
     643            bool willSkipRelativelyPositionedInlines = !object->isRenderBlock() || object->isAnonymousBlock() || object->isRenderFlowThreadContainer();
     644            // Skip relatively positioned inlines and anonymous blocks (and the flow threads container) to get to the enclosing RenderBlock.
     645            while (object && (!object->isRenderBlock() || object->isAnonymousBlock() || object->isRenderFlowThreadContainer()))
    646646                object = object->container();
    647647            if (!object || object->posChildNeedsLayout())
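Review bot: the skip condition is now spelled out twice, once for willSkipRelativelyPositionedInlines on line 643 and once in the while loop on line 645, and the two copies have to stay identical for the flag to describe what the loop actually does; hoisting `!object->isRenderBlock() || object->isAnonymousBlock() || object->isRenderFlowThreadContainer()` into a small static helper (a hypothetical name such as `shouldSkipToEnclosingBlock(object)`) would keep a future edit from updating one copy and not the other. The ChangeLog says the walk skips "to RenderView", but the loop stops at the first non-anonymous RenderBlock reached through container(); the updated comment on line 644 is the accurate description and the ChangeLog wording should match it.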
  • trunk/Source/WebCore/rendering/RenderObject.h

    r126074 r126304  
    370370
    371371    virtual bool isRenderFlowThread() const { return false; }
     372    virtual bool isRenderFlowThreadContainer() const { return false; }
    372373    virtual bool isRenderNamedFlowThread() const { return false; }
    373374   
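Review bot: the new virtual isRenderFlowThreadContainer() (line 372) returns false here, and the override returning true must live in RenderFlowThreadContainer.h, which this changeset lists as Added but does not display; the RenderObject.cpp skip logic is a no-op until that override exists, so the added header is the place to verify during review.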
  • trunk/Source/WebCore/rendering/RenderView.cpp

    r125351 r126304  
    929929{
    930930    RenderBlock::styleDidChange(diff, oldStyle);
    931    
    932     for (RenderObject* renderer = firstChild(); renderer; renderer = renderer->nextSibling()) {
    933         if (renderer->isRenderNamedFlowThread()) {
    934             RenderNamedFlowThread* flowRenderer = toRenderNamedFlowThread(renderer);
    935             flowRenderer->setStyle(RenderFlowThread::createFlowThreadStyle(style()));
    936         }
    937     }
     931    if (hasRenderNamedFlowThreads())
     932        flowThreadController()->styleDidChange();
    938933}
    939934
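Review bot: the hasRenderNamedFlowThreads() guard on line 931 is load-bearing rather than an optimization, because FlowThreadController::styleDidChange walks m_renderNamedFlowThreadList without checking it for null (see the FlowThreadController.cpp hunk); a short comment saying so would stop a later cleanup from dropping the guard. Moving the loop out of RenderView is also required, not optional: the removed code (lines 932-937) only inspected the direct children of the view, and now that every RenderNamedFlowThread lives under the RenderFlowThreadContainer that loop would have silently restyled nothing.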