Changeset 75810 in webkit

Timestamp:

Jan 14, 2011 12:35:01 PM (13 years ago)

Author:

inferno@chromium.org

Message:

2011-01-14 Abhishek Arya <​inferno@chromium.org>

Reviewed by David Hyatt.

Prevent merging of anonymous blocks if one of them is already getting
destroyed.
​https://bugs.webkit.org/show_bug.cgi?id=52402

Test: fast/block/merge-anonymous-block-remove-child-crash2.html

• rendering/RenderBlock.cpp: (WebCore::RenderBlock::RenderBlock): initialize m_beingDestroyed to false. (WebCore::RenderBlock::destroy): set m_beingDestroyed to true. (WebCore::canMergeContiguousAnonymousBlocks): do not merge if any or prev or next is being destroyed. (WebCore::RenderBlock::removeChild): remove the hack previously done for preventing oldChild merging with nextBlock's next sibling.
• rendering/RenderBlock.h: (WebCore::RenderBlock::beingDestroyed): public function for m_beingDestroyed.

2011-01-14 Abhishek Arya <​inferno@chromium.org>

Reviewed by David Hyatt.

Tests that we do not crash when trying to merge anonymous blocks, one of which
is already getting destroyed.
​https://bugs.webkit.org/show_bug.cgi?id=52402

• fast/block/merge-anonymous-block-remove-child-crash2-expected.txt: Added.
• fast/block/merge-anonymous-block-remove-child-crash2.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2-expected.txt (added)
• LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (5 diffs)
• Source/WebCore/rendering/RenderBlock.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-01-14  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Tests that we do not crash when trying to merge anonymous blocks, one of which
+        is already getting destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=52402
+
+        * fast/block/merge-anonymous-block-remove-child-crash2-expected.txt: Added.
+        * fast/block/merge-anonymous-block-remove-child-crash2.html: Added.
+
 2011-01-14  Tony Chang  <tony@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-01-14  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Prevent merging of anonymous blocks if one of them is already getting
+        destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=52402
+
+        Test: fast/block/merge-anonymous-block-remove-child-crash2.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::RenderBlock): initialize m_beingDestroyed to false.
+        (WebCore::RenderBlock::destroy): set m_beingDestroyed to true.
+        (WebCore::canMergeContiguousAnonymousBlocks): do not merge if any or prev or next is being destroyed.
+        (WebCore::RenderBlock::removeChild): remove the hack previously done for preventing oldChild merging with nextBlock's next sibling.
+        * rendering/RenderBlock.h:
+        (WebCore::RenderBlock::beingDestroyed): public function for m_beingDestroyed.
+
 2011-01-14  Pavel Feldman  <pfeldman@chromium.org>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -113 +113 @@
       , m_rareData(0)
       , m_lineHeight(-1)
+      , m_beingDestroyed(false)
 {
     setChildrenInline(true);
@@ -147 +148 @@
 void RenderBlock::destroy()
 {
+    // Mark as being destroyed to avoid trouble with merges in removeChild().
+    m_beingDestroyed = true;
+
     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
     // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
@@ -927 +931 @@
         return false;
 
-    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation()))
-        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation())))
+    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation() || toRenderBlock(prev)->beingDestroyed()))
+        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation() || toRenderBlock(next)->beingDestroyed())))
         return false;
 
@@ -988 +992 @@
             // Take all the children out of the |next| block and put them in
             // the |prev| block.
-            nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());
-
-            // FIXME: When we destroy nextBlock, it might happen that nextBlock's next sibling block and
-            // oldChild can get merged. Since oldChild is getting removed, we do not want to move
-            // nextBlock's next sibling block's children into it. By setting a fake continuation,
-            // we prevent this from happening. This is not the best approach, we should replace this
-            // something better later to automatically detect that oldChild is getting removed.
-            RenderBlock* oldChildBlock = 0;
-            if (oldChild->isAnonymous() && oldChild->isRenderBlock() && !toRenderBlock(oldChild)->continuation()) {
-                oldChildBlock = toRenderBlock(oldChild);
-                oldChildBlock->setContinuation(oldChildBlock);                
-            }          
+            nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());        
             
             // Delete the now-empty block's lines and nuke it.
@@ -1005 +998 @@
             nextBlock->destroy();
             next = 0;
-
-            // FIXME: Revert the continuation change done above.
-            if (oldChildBlock)
-                oldChildBlock->setContinuation(0);
         }
     }

trunk/Source/WebCore/rendering/RenderBlock.h

@@ -56 +56 @@
 
     virtual void destroy();
+    bool beingDestroyed() const { return m_beingDestroyed; }
 
     // These two functions are overridden for inline-block.
@@ -713 +714 @@
     RenderLineBoxList m_lineBoxes;   // All of the root line boxes created for this block flow.  For example, <div>Hello<br>world.</div> will have two total lines for the <div>.
 
-    mutable int m_lineHeight;
+    mutable int m_lineHeight : 31;
+    bool m_beingDestroyed : 1;
 
     // RenderRubyBase objects need to be able to split and merge, moving their children around