Changeset 179750 in webkit


Timestamp:
Feb 6, 2015 10:56:48 AM
Author:
mjs@apple.com
Message:

REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
https://bugs.webkit.org/show_bug.cgi?id=141324

Reviewed by Alexey Proskuryakov.

No new tests. This is caught by existing tests under ASAN, and I don't know how to reproduce
it without ASAN.

  • rendering/RenderLineBoxList.cpp:

(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Give up
and just always invalidate the next line. It's too hard to come up
with the condition that catches all needed cases, doesn't itself
cause a crash, and isn't overzealous. And we do this for the
previous line anyway. Also clean up the code a bit since it
confusingly reuses a variable, and declares it uninitialized, for
no good reason.

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r179739 r179750  
     12015-02-06  Maciej Stachowiak  <mjs@apple.com>
     2
     3        REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
     4        https://bugs.webkit.org/show_bug.cgi?id=141324
     5
     6        Reviewed by Alexey Proskuryakov.
     7
     8        No new tests. This is caught by existing tests under ASAN, and I don't know how to reproduce
     9        it without ASAN.
     10
     11        * rendering/RenderLineBoxList.cpp:
     12        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Give up
     13        and just always invalidate the next line. It's too hard to come up
     14        with the condition that catches all needed cases, doesn't itself
     15        cause a crash, and isn't overzealous. And we do this for the
     16        previous line anyway.  Also clean up the code a bit since it
     17        confusingly reuses a variable, and declares it uninitialized, for
     18        no good reason.
     19
    1202015-02-05  Dhi Aurrahman  <diorahman@rockybars.com>
    221
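Review bot: the ChangeLog entry (lines 8-9 of the hunk) says the corruption is caught by existing tests under ASAN but names neither the tests nor the ASAN report kind; add at least one test path and the report type (e.g. whether it was a heap-use-after-free or a wild read) so that the regression can be re-checked against this entry without digging through IRC history, and so the bug link is not the only pointer to the reproduction.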
  • trunk/Source/WebCore/rendering/RenderLineBoxList.cpp

    r179706 r179750  
    379379    // If we found a line box, then dirty it.
    380380    if (box) {
    381         RootInlineBox* adjacentBox;
    382381        box->markDirty();
    383382
     
    389388        // despite the name, actually returns the first RenderObject after the BR.
    390389        // <rdar://problem/3849947> "Typing after pasting line does not appear until after window resize."
    391         adjacentBox = box->prevRootBox();
    392         if (adjacentBox)
    393             adjacentBox->markDirty();
    394         adjacentBox = box->nextRootBox();
    395         // If |child| has been inserted before the first element in the linebox, but after collapsed leading
    396         // space, the search for |child|'s linebox will go past the leading space to the previous linebox and select that
    397         // one as |box|. If we hit that situation here, dirty the |box| actually containing the child too.
    398         bool insertedAfterLeadingSpace = box->lineBreakObj() == child.previousSibling();
    399         if (adjacentBox && (adjacentBox->lineBreakObj()->isDescendantOf(&child) || child.isBR() || (current && current->isBR())
    400             || insertedAfterLeadingSpace || isIsolated(container.style().unicodeBidi())))
    401             adjacentBox->markDirty();
     390        if (RootInlineBox* prevBox = box->prevRootBox())
     391            prevBox->markDirty();
     392
     393        // FIXME: We shouldn't need to always dirty the next line. This is only strictly
     394        // necessary some of the time, in situations involving BRs.
     395        if (RootInlineBox* nextBox = box->nextRootBox())
     396            nextBox->markDirty();
    402397    }
    403398}
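Review bot: the FIXME added at lines 393-394 should record what the removed condition was trying to express, because the explanatory comment about the collapsed-leading-space case (old lines 395-397, the `insertedAfterLeadingSpace` check) is deleted along with it and nothing in the new code preserves that knowledge; suggest referencing bug 141324 and listing the cases the old predicate covered (BR children, `current` being a BR, insertion after leading space, isolated bidi containers) so that whoever later narrows the invalidation does not rediscover them. Worth noting in the same FIXME that the old predicate called `adjacentBox->lineBreakObj()->isDescendantOf(&child)` with no null check on the result of `lineBreakObj()`, which the unconditional `markDirty()` sidesteps; any future narrowing must keep that guard. The `prevBox`/`nextBox` restructuring itself is an improvement: the single reused, uninitialized `adjacentBox` is gone and each pointer is scoped to its own `if`.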