Context Navigation

← Previous Changeset
Next Changeset →

Changeset 161054 in webkit

Timestamp:

Dec 24, 2013 1:25:38 AM (10 years ago)

Author:

mihnea@adobe.com

Message:

[CSSRegions] Crash while repainting an invalid region
https://bugs.webkit.org/show_bug.cgi?id=126152

Reviewed by Daniel Bates.

Source/WebCore:

An invalid region, part of a dependency cycle, should not attempt to repaint content from
its associated named flow, otherwise there may be the case of an infinite repaint cycle,
resulting in a crash due to a stack overflow.

Test: fast/regions/repaint/invalid-region-repaint-crash.html

rendering/RenderLayer.cpp:

(WebCore::RenderLayer::repaintIncludingDescendants):

LayoutTests:

fast/regions/repaint/invalid-region-repaint-crash-expected.txt: Added.
fast/regions/repaint/invalid-region-repaint-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/regions/repaint/invalid-region-repaint-crash-expected.txt (added)
LayoutTests/fast/regions/repaint/invalid-region-repaint-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/rendering/RenderLayer.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r161052
+                      r161054
+-12-24  Mihnea Ovidenie  <mihnea@adobe.com>
+        [CSSRegions] Crash while repainting an invalid region
+        https://bugs.webkit.org/show_bug.cgi?id=126152
+        Reviewed by Daniel Bates.
+        * fast/regions/repaint/invalid-region-repaint-crash-expected.txt: Added.
+        * fast/regions/repaint/invalid-region-repaint-crash.html: Added.
 -12-24  Ryosuke Niwa  <rniwa@webkit.org>

trunk/Source/WebCore/ChangeLog

-                      r161051
+                      r161054
+-12-24  Mihnea Ovidenie  <mihnea@adobe.com>
+        [CSSRegions] Crash while repainting an invalid region
+        https://bugs.webkit.org/show_bug.cgi?id=126152
+        Reviewed by Daniel Bates.
+        An invalid region, part of a dependency cycle, should not attempt to repaint content from
+        its associated named flow, otherwise there may be the case of an infinite repaint cycle,
+        resulting in a crash due to a stack overflow.
+        Test: fast/regions/repaint/invalid-region-repaint-crash.html
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::repaintIncludingDescendants):
 -12-23  Ryosuke Niwa  <rniwa@webkit.org>

trunk/Source/WebCore/rendering/RenderLayer.cpp

-                      r161028
+                      r161054
     // If this is a region, we must also repaint the flow thread's layer since it is the one
+    // doing the actual painting of the flowed content.
+    if (renderer().isRenderNamedFlowFragmentContainer())
+        toRenderBlockFlow(&renderer())->renderNamedFlowFragment()->flowThread()->layer()->repaintIncludingDescendants();
+    // doing the actual painting of the flowed content, but only if the region is valid.
+    if (renderer().isRenderNamedFlowFragmentContainer()) {
+        RenderNamedFlowFragment* region = toRenderBlockFlow(renderer()).renderNamedFlowFragment();
+        if (region->isValid())
+            region->flowThread()->layer()->repaintIncludingDescendants();
+    }
+}

Note: See TracChangeset for help on using the changeset viewer.