2011-05-02 Simon Fraser <simon.fraser@apple.com>

        Reviewed by Dan Bernstein.

        Possible crash when removing elements with reflections
        https://bugs.webkit.org/show_bug.cgi?id=60009

        RenderLayer's destructor deleted its z-order list Vector pointers
        before removing the reflection layer. However, the reflection cleanup
        code could call back into the RenderLayer to dirty z-order lists,
        so move reflection cleanup to before z-order vector deletion.

        The test crashes when run manually a few times with MallocScribble enabled,
        but I was not able to create a test that crashed reliably.

        Test: fast/reflections/remove-reflection-crash.html

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::~RenderLayer):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@85586 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent eb592cb1
2011-05-02 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
Possible crash when removing elements with reflections
https://bugs.webkit.org/show_bug.cgi?id=60009
Testcase that sometimes crashes if run with MallocScribble enabled.
* fast/reflections/remove-reflection-crash-expected.txt: Added.
* fast/reflections/remove-reflection-crash.html: Added.
2011-05-02 Ian Henderson <ianh@apple.com>
Reviewed by Dan Bernstein.
This test should not crash when run with MallocScribble enabled.
<!DOCTYPE html>
<html>
<head>
<style>
.box {
width: 100px;
height: 100px;
background-color: blue;
}
#reflected {
position: relative;
z-index: 0;
-webkit-box-reflect: below 10px;
}
.child {
position: absolute;
z-index: 1;
}
</style>
<script>
if (window.layoutTestController) {
layoutTestController.waitUntilDone();
layoutTestController.dumpAsText();
}
function doTest()
{
window.setTimeout(function() {
var reflection = document.getElementById('reflected');
var targetContainer = document.getElementById('container');
targetContainer.appendChild(reflection);
if (window.layoutTestController)
layoutTestController.notifyDone();
}, 0);
}
window.addEventListener('load', doTest, false);
</script>
</head>
<body>
<p>This test should not crash when run with MallocScribble enabled.</p>
<div id="reflected" class="box">
<div class="child box"></div>
</div>
<div id="container"></div>
</body>
</html>
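Review bot: doTest() calls `targetContainer.appendChild(reflection)` from a zero-delay timer without forcing layout first, so whether the reflected layer and its z-order lists have been built by then depends on timing. Reading a layout-dependent property such as `document.body.offsetWidth` just before the appendChild would make the setup deterministic. The expected output is only the text line, so the test detects a regression only as a crash, and only when the run uses MallocScribble.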
2011-05-02 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
Possible crash when removing elements with reflections
https://bugs.webkit.org/show_bug.cgi?id=60009
RenderLayer's destructor deleted its z-order list Vector pointers
before removing the reflection layer. However, the reflection cleanup
code could call back into the RenderLayer to dirty z-order lists,
so move reflection cleanup to before z-order vector deletion.
The test crashes when run manually a few times with MallocScribble enabled,
but I was not able to create a test that crashed reliably.
Test: fast/reflections/remove-reflection-crash.html
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::~RenderLayer):
2011-05-02 Ian Henderson <ianh@apple.com>
Reviewed by Dan Bernstein.
......@@ -211,6 +211,9 @@ RenderLayer::~RenderLayer()
destroyScrollbar(HorizontalScrollbar);
destroyScrollbar(VerticalScrollbar);
if (m_reflection)
removeReflection();
// Child layers will be deleted by their corresponding render objects, so
// we don't need to delete them ourselves.
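Review bot: the relocated `if (m_reflection) removeReflection();` near the top of ~RenderLayer() has no comment saying why it must run this early. The ChangeLog explains that reflection cleanup can call back into the layer to dirty z-order lists. A one-line comment here, stating that this call has to precede deletion of the z-order vectors, would keep a later tidy-up from moving it back down.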
......@@ -226,9 +229,6 @@ RenderLayer::~RenderLayer()
// Make sure we have no lingering clip rects.
ASSERT(!m_clipRects);
if (m_reflection)
removeReflection();
if (m_scrollCorner)
m_scrollCorner->destroy();
if (m_resizer)
......
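Review bot: `m_scrollCorner->destroy()` and the `if (m_resizer)` branch stay at the position the reflection cleanup was moved away from. Please confirm that neither teardown path can reach back into this layer's z-order lists the way removeReflection() could. If either can, it needs the same move, and the ChangeLog entry should say which were checked.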