Changeset 129955 in webkit


Timestamp:
Sep 28, 2012 3:42:57 PM (12 years ago)
Author:
jchaffraix@webkit.org
Message:

REGRESSION(r124168): Null crash in RenderLayer::createScrollbar
https://bugs.webkit.org/show_bug.cgi?id=96863

Reviewed by Abhishek Arya.

Source/WebCore:

After r124168, we synchronously create any overflow:scroll scrollbar on the first style change - we used to wait
until layout was called. The issue is that the logic in RenderLayer assumes that our node is completely attached
when the style change is dispatched. The crash occurred because the 'content' image code path in
RenderObject::createObject triggered a style change too early.

Test: scrollbars/scrollbar-content-crash.html

  • rendering/RenderObject.cpp:
(WebCore::RenderObject::createObject):
We need a style associated with the new RenderImage to call setImageResource but we don't need to trigger a
style change.

LayoutTests:

  • scrollbars/scrollbar-content-crash-expected.txt: Added.
  • scrollbars/scrollbar-content-crash.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r129954 r129955  
     12012-09-28  Julien Chaffraix  <jchaffraix@webkit.org>
     2
     3        REGRESSION(r124168): Null crash in RenderLayer::createScrollbar
     4        https://bugs.webkit.org/show_bug.cgi?id=96863
     5
     6        Reviewed by Abhishek Arya.
     7
     8        * scrollbars/scrollbar-content-crash-expected.txt: Added.
     9        * scrollbars/scrollbar-content-crash.html: Added.
     10
    1112012-09-28  Ojan Vafai  <ojan@chromium.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r129945 r129955  
     12012-09-28  Julien Chaffraix  <jchaffraix@webkit.org>
     2
     3        REGRESSION(r124168): Null crash in RenderLayer::createScrollbar
     4        https://bugs.webkit.org/show_bug.cgi?id=96863
     5
     6        Reviewed by Abhishek Arya.
     7
     8        After r124168, we synchronously create any overflow:scroll scrollbar on the first style change - we used to wait
     9        until layout was called. The issue is that the logic in RenderLayer assumes that our node is completely attached
     10        when the style change is dispatched. The crash occured because the 'content' image code path in
     11        RenderObject::createObject triggered a style change too early.
     12
     13        Test: scrollbars/scrollbar-content-crash.html
     14
     15        * rendering/RenderObject.cpp:
     16        (WebCore::RenderObject::createObject):
     17        We need a style associated with the new RenderImage to call setImageResource but we don't need to trigger a
     18        style change.
     19
    1202012-09-28  Ben Wagner  <bungeman@chromium.org>
    221
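Review bot: spelling in the new ChangeLog entry at line 10: "occured" should be "occurred". The rest of the description matches the RenderObject.cpp change below (the temporary style assignment replacing setStyle in createObject).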
  • trunk/Source/WebCore/rendering/RenderObject.cpp

    r129934 r129955  
    133133    if (contentData && !contentData->next() && contentData->isImage() && doc != node) {
    134134        RenderImage* image = new (arena) RenderImage(node);
    135         image->setStyle(style);
     135        // RenderImageResourceStyleImage requires a style being present on the image but we don't want to
     136        // trigger a style change now as the node is not fully attached. Moving this code to style change
     137        // doesn't make sense as it should be run once at renderer creation.
     138        image->m_style = style;
    136139        if (const StyleImage* styleImage = static_cast<const ImageContentData*>(contentData)->image()) {
    137140            image->setImageResource(RenderImageResourceStyleImage::create(const_cast<StyleImage*>(styleImage)));
     
    139142        } else
    140143            image->setImageResource(RenderImageResource::create());
     144        image->m_style = 0;
    141145        return image;
    142146    }
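Review bot: the direct write to `image->m_style` at new line 138, cleared again at line 144, returns a RenderImage at line 145 that has no style at all and silently relies on the caller to call setStyle afterwards, but that contract is stated nowhere in the hunk. The comment at lines 135-137 explains why setStyle is avoided, not that the style is deliberately dropped before returning, so a later edit that inserts code between lines 138 and 144 or that touches the returned image before its style is set could reintroduce exactly the early style-dependent access this change works around. Suggest a second comment above line 144 (e.g. `// Drop the temporary style again; the caller sets the real style via setStyle().`), and, if RenderImageResourceStyleImage only needs the style to resolve the image, consider passing it explicitly rather than temporarily reaching into the renderer's member.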