Changeset 108547 in webkit

Timestamp:

Feb 22, 2012 1:33:33 PM (12 years ago)

Author:

inferno@chromium.org

Message:

Source/WebCore: Crash due to accessing removed parent lineboxes when clearing view selection.
​https://bugs.webkit.org/show_bug.cgi?id=79264

Reviewed by Eric Seidel.

When our block needed a full layout, we were deleting our own lineboxes
and letting descendant children (at any level in hierarchy and not just
immediate children) clear their own lineboxes as we keep laying them out.
This was problematic because those descendant children lineboxes were
pointing to removed parent lineboxes in the meantime. An example scenario
where this would go wrong is first-letter object removal, which can cause
clearing view selection, leading to accessing parent lineboxes. The patch
modifies clearing the entire linebox tree upfront. It shouldn't introduce
performance issues since it will eventually happen as we are laying out
those children.

Test: fast/css-generated-content/first-letter-textbox-parent-crash.html

• rendering/RenderBlockLineLayout.cpp:

(WebCore::RenderBlock::layoutInlineChildren):

LayoutTests: Crash due to accessing removed parent lineboxes when clearing view selection.
​https://bugs.webkit.org/show_bug.cgi?id=79264

Reviewed by Eric Seidel.

• fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added.
• fast/css-generated-content/first-letter-textbox-parent-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt (added)
• LayoutTests/fast/css-generated-content/first-letter-textbox-parent-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlockLineLayout.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-22  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed parent lineboxes when clearing view selection.
+        https://bugs.webkit.org/show_bug.cgi?id=79264
+ 
+        Reviewed by Eric Seidel.
+
+        * fast/css-generated-content/first-letter-textbox-parent-crash-expected.txt: Added.
+        * fast/css-generated-content/first-letter-textbox-parent-crash.html: Added.
+
 2012-02-22  Abhishek Arya  <inferno@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-22  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed parent lineboxes when clearing view selection.
+        https://bugs.webkit.org/show_bug.cgi?id=79264
+
+        Reviewed by Eric Seidel.
+
+        When our block needed a full layout, we were deleting our own lineboxes
+        and letting descendant children (at any level in hierarchy and not just 
+        immediate children) clear their own lineboxes as we keep laying them out.
+        This was problematic because those descendant children lineboxes were
+        pointing to removed parent lineboxes in the meantime. An example scenario
+        where this would go wrong is first-letter object removal, which can cause
+        clearing view selection, leading to accessing parent lineboxes. The patch
+        modifies clearing the entire linebox tree upfront. It shouldn't introduce
+        performance issues since it will eventually happen as we are laying out
+        those children.
+ 
+        Test: fast/css-generated-content/first-letter-textbox-parent-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlock::layoutInlineChildren):
+
 2012-02-22  Abhishek Arya  <inferno@chromium.org>
 

trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp

@@ -1463 +1463 @@
 
     if (isFullLayout)
-        lineBoxes()->deleteLineBoxes(renderArena());
+        deleteLineBoxTree();
 
     // Text truncation only kicks in if your overflow isn't visible and your text-overflow-mode isn't