[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

inferno at chromium.org inferno at chromium.org
Sun Feb 20 22:58:13 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit ef0f5542d66a05c4f90c44cad6dc7c2361e7c2b2
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Jan 14 20:35:01 2011 +0000

    2011-01-14  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by David Hyatt.
    
            Prevent merging of anonymous blocks if one of them is already getting
            destroyed.
            https://bugs.webkit.org/show_bug.cgi?id=52402
    
            Test: fast/block/merge-anonymous-block-remove-child-crash2.html
    
            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::RenderBlock): initialize m_beingDestroyed to false.
            (WebCore::RenderBlock::destroy): set m_beingDestroyed to true.
            (WebCore::canMergeContiguousAnonymousBlocks): do not merge if any or prev or next is being destroyed.
            (WebCore::RenderBlock::removeChild): remove the hack previously done for preventing oldChild merging with nextBlock's next sibling.
            * rendering/RenderBlock.h:
            (WebCore::RenderBlock::beingDestroyed): public function for m_beingDestroyed.
    2011-01-14  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by David Hyatt.
    
            Tests that we do not crash when trying to merge anonymous blocks, one of which
            is already getting destroyed.
            https://bugs.webkit.org/show_bug.cgi?id=52402
    
            * fast/block/merge-anonymous-block-remove-child-crash2-expected.txt: Added.
            * fast/block/merge-anonymous-block-remove-child-crash2.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75810 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6fc4e0c..8b507c2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-01-14  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Tests that we do not crash when trying to merge anonymous blocks, one of which
+        is already getting destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=52402
+
+        * fast/block/merge-anonymous-block-remove-child-crash2-expected.txt: Added.
+        * fast/block/merge-anonymous-block-remove-child-crash2.html: Added.
+
 2011-01-14  Tony Chang  <tony at chromium.org>
 
         Unreviewed, updating baselines.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2-expected.txt
diff --git a/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2.html b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2.html
new file mode 100644
index 0000000..dc0d911
--- /dev/null
+++ b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash2.html
@@ -0,0 +1,39 @@
+<html>
+<body onload="runTest();">
+<span style="display: run-in" id="runIn">
+</span>
+<span style="display: list-item" id="listItem">
+</span>
+<div id="result"></div>
+<script>
+if (window.layoutTestController)
+{
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+    document.body.offsetTop;
+    var runIn = document.getElementById('runIn');
+    var listItem = document.getElementById('listItem');
+
+    var layerChild = document.createElement('layer');
+    var noteChild = document.createElement('note');
+    var blockquoteChild = document.createElement('blockquote');
+    
+    runIn.appendChild(layerChild);
+    layerChild.appendChild(noteChild);
+    noteChild.appendChild(blockquoteChild);
+    
+    document.body.offsetTop;
+    
+    document.body.removeChild(listItem);
+
+    document.getElementById('result').innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 465fff9..dbe5b0a 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2011-01-14  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Prevent merging of anonymous blocks if one of them is already getting
+        destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=52402
+
+        Test: fast/block/merge-anonymous-block-remove-child-crash2.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::RenderBlock): initialize m_beingDestroyed to false.
+        (WebCore::RenderBlock::destroy): set m_beingDestroyed to true.
+        (WebCore::canMergeContiguousAnonymousBlocks): do not merge if any or prev or next is being destroyed.
+        (WebCore::RenderBlock::removeChild): remove the hack previously done for preventing oldChild merging with nextBlock's next sibling.
+        * rendering/RenderBlock.h:
+        (WebCore::RenderBlock::beingDestroyed): public function for m_beingDestroyed.
+
 2011-01-14  Pavel Feldman  <pfeldman at chromium.org>
 
         Not reviewed. Follow up to r75791: fix missing dispatch.
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index e39223a..4d5e9f8 100644
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -112,6 +112,7 @@ RenderBlock::RenderBlock(Node* node)
       , m_positionedObjects(0)
       , m_rareData(0)
       , m_lineHeight(-1)
+      , m_beingDestroyed(false)
 {
     setChildrenInline(true);
 }
@@ -146,6 +147,9 @@ RenderBlock::~RenderBlock()
 
 void RenderBlock::destroy()
 {
+    // Mark as being destroyed to avoid trouble with merges in removeChild().
+    m_beingDestroyed = true;
+
     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
     // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise.
     children()->destroyLeftoverChildren();
@@ -926,8 +930,8 @@ static bool canMergeContiguousAnonymousBlocks(RenderObject* oldChild, RenderObje
     if (oldChild->documentBeingDestroyed() || oldChild->isInline() || oldChild->virtualContinuation())
         return false;
 
-    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation()))
-        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation())))
+    if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation() || toRenderBlock(prev)->beingDestroyed()))
+        || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation() || toRenderBlock(next)->beingDestroyed())))
         return false;
 
     // FIXME: This check isn't required when inline run-ins can't be split into continuations.
@@ -987,27 +991,12 @@ void RenderBlock::removeChild(RenderObject* oldChild)
         } else {
             // Take all the children out of the |next| block and put them in
             // the |prev| block.
-            nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());
-
-            // FIXME: When we destroy nextBlock, it might happen that nextBlock's next sibling block and
-            // oldChild can get merged. Since oldChild is getting removed, we do not want to move
-            // nextBlock's next sibling block's children into it. By setting a fake continuation,
-            // we prevent this from happening. This is not the best approach, we should replace this
-            // something better later to automatically detect that oldChild is getting removed.
-            RenderBlock* oldChildBlock = 0;
-            if (oldChild->isAnonymous() && oldChild->isRenderBlock() && !toRenderBlock(oldChild)->continuation()) {
-                oldChildBlock = toRenderBlock(oldChild);
-                oldChildBlock->setContinuation(oldChildBlock);                
-            }          
+            nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());        
             
             // Delete the now-empty block's lines and nuke it.
             nextBlock->deleteLineBoxTree();
             nextBlock->destroy();
             next = 0;
-
-            // FIXME: Revert the continuation change done above.
-            if (oldChildBlock)
-                oldChildBlock->setContinuation(0);
         }
     }
 
diff --git a/Source/WebCore/rendering/RenderBlock.h b/Source/WebCore/rendering/RenderBlock.h
index bd8be2c..d2820aa 100644
--- a/Source/WebCore/rendering/RenderBlock.h
+++ b/Source/WebCore/rendering/RenderBlock.h
@@ -55,6 +55,7 @@ public:
     RenderObjectChildList* children() { return &m_children; }
 
     virtual void destroy();
+    bool beingDestroyed() const { return m_beingDestroyed; }
 
     // These two functions are overridden for inline-block.
     virtual int lineHeight(bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
@@ -712,7 +713,8 @@ private:
     RenderObjectChildList m_children;
     RenderLineBoxList m_lineBoxes;   // All of the root line boxes created for this block flow.  For example, <div>Hello<br>world.</div> will have two total lines for the <div>.
 
-    mutable int m_lineHeight;
+    mutable int m_lineHeight : 31;
+    bool m_beingDestroyed : 1;
 
     // RenderRubyBase objects need to be able to split and merge, moving their children around
     // (calling moveChildTo, moveAllChildrenTo, and makeChildrenNonInline).

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list