[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

darin at apple.com darin at apple.com
Wed Apr 7 23:20:04 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit ecb5332c1b76d33aa25d5851120eeb83e71c1c97
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Nov 3 18:23:53 2009 +0000

    Crash due to double-destroy related to CSS run-in property
    https://bugs.webkit.org/show_bug.cgi?id=31034
    rdar://problem/7328458
    
    Patch by Darin Adler <darin at apple.com> on 2009-11-02
    Reviewed by Dan Bernstein.
    
    WebCore:
    
    Test: fast/css/run-in-crash.html
    
    * rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::destroy): Reorder destruction so the
    continuation is destroyed after anonymous children. See comment
    in the code for more details of why this is right.
    * rendering/RenderInline.cpp:
    (WebCore::RenderInline::destroy): Ditto.
    
    LayoutTests:
    
    * fast/css/run-in-crash-expected.txt: Added.
    * fast/css/run-in-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50466 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b4ae70e..79ea018 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-11-02  Darin Adler  <darin at apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Crash due to double-destroy related to CSS run-in property
+        https://bugs.webkit.org/show_bug.cgi?id=31034
+        rdar://problem/7328458
+
+        * fast/css/run-in-crash-expected.txt: Added.
+        * fast/css/run-in-crash.html: Added.
+
 2009-11-03  Victor Wang  <victorw at chromium.org>
 
         Reviewed by Eric Seidel.
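Review bot: the new entry is dated 2009-11-02 but sits above the existing 2009-11-03 entry from Victor Wang, so the ChangeLog is no longer in date order; since the commit itself landed on 2009-11-03 (per the git-svn Date above), consider dating the entry to the landing date or noting "Patch by ... on 2009-11-02" as the commit message does, so readers scanning the log by date are not misled.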
diff --git a/LayoutTests/fast/css/run-in-crash-expected.txt b/LayoutTests/fast/css/run-in-crash-expected.txt
new file mode 100644
index 0000000..7e6ea97
--- /dev/null
+++ b/LayoutTests/fast/css/run-in-crash-expected.txt
@@ -0,0 +1,3 @@
+This tests a case where a particular DOM tree involving the run-in style causes multiple continuations to be created in the render tree in a configuration where the same render tree node would be destroyed twice. If there is no crash, the test passes.
+
+If you can see this the test almost certainly passed.
diff --git a/LayoutTests/fast/css/run-in-crash.html b/LayoutTests/fast/css/run-in-crash.html
new file mode 100644
index 0000000..4a7fe43
--- /dev/null
+++ b/LayoutTests/fast/css/run-in-crash.html
@@ -0,0 +1,22 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+
+<p>This tests a case where a particular DOM tree involving the run-in style
+causes multiple continuations to be created in the render tree in a configuration where
+the same render tree node would be destroyed twice. If there is no crash, the test passes.</p>
+
+<span style="display: run-in">
+    <span></span>
+    <marquee>
+        <span>
+            <span>
+                <div></div>
+            </span>
+        </span>
+    </marquee>
+</span>
+<div></div>
+
+<p>If you can see this the test almost certainly passed.</p>
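Review bot: this test can only detect the bug by crashing, and a double-destroy of a render tree node does not crash deterministically on every allocator, so "almost certainly passed" is doing real work in that last paragraph; it would be worth stating in the ChangeLog or the test text that the case should be run under a malloc-debugging configuration (guard malloc or similar) where a double free is reported reliably, otherwise a regression could pass this test silently. Also consider adding `dumpAsText()`-independent coverage by asserting on the render tree (a `-expected.txt` render tree dump) so the continuation structure being exercised is visible in the expectation rather than implied by the prose.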
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index d03fa53..7e55c13 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-11-02  Darin Adler  <darin at apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Crash due to double-destroy related to CSS run-in property
+        https://bugs.webkit.org/show_bug.cgi?id=31034
+        rdar://problem/7328458
+
+        Test: fast/css/run-in-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::destroy): Reorder destruction so the
+        continuation is destroyed after anonymous children. See comment
+        in the code for more details of why this is right.
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::destroy): Ditto.
+
 2009-11-03  Alexander Pavlov  <apavlov at chromium.org>
 
         Reviewed by Pavel Feldman.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index c9bd922..2e31c1e 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -157,15 +157,18 @@ RenderBlock::~RenderBlock()
 
 void RenderBlock::destroy()
 {
-    // Detach our continuation first.
-    if (m_inlineContinuation)
-        m_inlineContinuation->destroy();
-    m_inlineContinuation = 0;
-    
     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
-    // properly dirty line boxes that they are removed from.  Effects that do :before/:after only on hover could crash otherwise.
+    // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
     children()->destroyLeftoverChildren();
 
+    // Destroy our continuation before anything other than anonymous children.
+    // The reason we don't destroy it before anonymous children is that they may
+    // have continuations of their own that are anonymous children of our continuation.
+    if (m_inlineContinuation) {
+        m_inlineContinuation->destroy();
+        m_inlineContinuation = 0;
+    }
+    
     if (!documentBeingDestroyed()) {
         if (firstLineBox()) {
             // We can't wait for RenderBox::destroy to clear the selection,
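Review bot: `m_inlineContinuation` is cleared only after `m_inlineContinuation->destroy()` returns, so if destroying the continuation can re-enter this object's `destroy()` through the continuation chain, the second pass would still see a non-null pointer and destroy it again, which is the same double-destroy class this patch is fixing; clearing the member into a local first (`RenderInline* continuation = m_inlineContinuation; m_inlineContinuation = 0; if (continuation) continuation->destroy();`) would make the ordering robust, and if re-entry is known to be impossible here a sentence saying so in the new comment would save the next reader the analysis. Minor: the added `+    ` line before `if (!documentBeingDestroyed())` carries trailing whitespace, which the style checker flags.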
diff --git a/WebCore/rendering/RenderInline.cpp b/WebCore/rendering/RenderInline.cpp
index 0302113..2f9a247 100644
--- a/WebCore/rendering/RenderInline.cpp
+++ b/WebCore/rendering/RenderInline.cpp
@@ -52,15 +52,18 @@ RenderInline::RenderInline(Node* node)
 
 void RenderInline::destroy()
 {
-    // Detach our continuation first.
-    if (m_continuation)
-        m_continuation->destroy();
-    m_continuation = 0;
-    
     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
     // properly dirty line boxes that they are removed from.  Effects that do :before/:after only on hover could crash otherwise.
     children()->destroyLeftoverChildren();
 
+    // Destroy our continuation before anything other than anonymous children.
+    // The reason we don't destroy it before anonymous children is that they may
+    // have continuations of their own that are anonymous children of our continuation.
+    if (m_continuation) {
+        m_continuation->destroy();
+        m_continuation = 0;
+    }
+    
     if (!documentBeingDestroyed()) {
         if (firstLineBox()) {
             // We can't wait for RenderBoxModelObject::destroy to clear the selection,
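Review bot: this hunk is a line-for-line duplicate of the `RenderBlock::destroy()` change with `m_continuation` substituted for `m_inlineContinuation`, including the three-line comment and the same trailing-whitespace line before `if (!documentBeingDestroyed())`; the same re-entrancy question applies (the pointer is nulled only after `destroy()` returns), so whichever ordering is chosen should be applied in both places, and a shared helper in the common base class would keep the two from drifting apart again. Small inconsistency: the `removed from.  Effects` double space was fixed in RenderBlock.cpp in this same patch but is left as-is in the context line here.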

-- 
WebKit Debian packaging
