Commit 69fdfe2e authored by enrica@apple.com

WebCore: REGRESSION (r59385) crash destroying inline renderers

https://bugs.webkit.org/show_bug.cgi?id=39143
<rdar://problem/8003662>
        
Reviewed by Dave Hyatt.

The goal of r59385 was to make sure that the layout of block after all its children had been removed produced the identical result
as the one of a newly created empty block. In order to do so, we had to make sure that the m_inlineChildren flag was reset to true when
the block had no children (as it is upon creation).
I discovered that, by doing that for anonymous blocks it leads removeChild to conclude that the anonymous children can be removed,
without considering that the anonymous block could be part of a continuation chain. For this reason, when RenderInline::destroy()
tries to remove the continuations we are effectively deleting a renderer that had been deleted already.
        
Test: fast/inline-block/anonymous-block-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutBlock): resetting the flag m_inlineChildren only for non-anonymous blocks otherwise we incur
a double deletion of the renderer that causes the crash.

LayoutTests: REGRESSION (r59385) crash destroying inline renderers
https://bugs.webkit.org/show_bug.cgi?id=39143
<rdar://problem/8003662>

Reviewed by Dave Hyatt.

* fast/inline-block/anonymous-block-crash-expected.txt: Added.
* fast/inline-block/anonymous-block-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59786 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 01955d5c
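The double destroy described in the commit message, as a simplified model added here (not WebKit code and not part of this commit). The `Renderer` struct, the three modelled functions and the destroy counter are hypothetical stand-ins, and destruction is counted rather than performed so that the second destroy is observable.

```cpp
#include <map>

// Simplified model of the lifetime bug; every name here is hypothetical.
struct Renderer {
    int id;
    bool anonymous;
    bool hasChildren;
    bool childrenInline;
    Renderer* continuation; // next link of the continuation chain
};

// Records destroy() calls instead of freeing, so a double destroy is
// observable as a count of 2 rather than undefined behaviour.
static std::map<int, int> destroyCount;
static void destroy(Renderer& r) { ++destroyCount[r.id]; }

// Models the flag reset in layoutBlock: the r59385 behaviour when
// guarded == false, the patched condition when guarded == true.
static void layoutBlock(Renderer& b, bool guarded) {
    if (!b.hasChildren && (!guarded || !b.anonymous))
        b.childrenInline = true;
}

// Models removeChild's cleanup: an anonymous block with inline children is
// treated as removable, with no check for continuation-chain membership.
static void removeChildCleanup(Renderer& b) {
    if (b.anonymous && b.childrenInline)
        destroy(b);
}

// Models the inline's destroy(): it also destroys every continuation.
static void destroyInline(Renderer& head) {
    for (Renderer* r = &head; r; r = r->continuation)
        destroy(*r);
}

// Returns how many times the anonymous block (id 2) was destroyed.
int destroysOfAnonymousBlock(bool guarded) {
    destroyCount.clear();
    Renderer tail{3, false, false, true, nullptr};
    Renderer anon{2, true, false, false, &tail}; // emptied anonymous block
    Renderer head{1, false, true, true, &anon};
    layoutBlock(anon, guarded);
    removeChildCleanup(anon);
    destroyInline(head);
    return destroyCount[2];
}

int main() { return destroysOfAnonymousBlock(false) == 2 && destroysOfAnonymousBlock(true) == 1 ? 0 : 1; }
```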
2010-05-19 Enrica Casucci <enrica@apple.com>
Reviewed by Dave Hyatt.
REGRESSION (r59385) crash destroying inline renderers
https://bugs.webkit.org/show_bug.cgi?id=39143
<rdar://problem/8003662>
* fast/inline-block/anonymous-block-crash-expected.txt: Added.
* fast/inline-block/anonymous-block-crash.html: Added.
2010-05-19 Sheriff Bot <webkit.review.bot@gmail.com>
Unreviewed, rolling out r59782.
This test verifies that no crash occurs.
PASS
<!DOCTYPE html>
<html>
<body>
This test verifies that no crash occurs.
<font>
<div>
<table>
<tbody>
<tr>
<td>
<b>
<font>
<p>
</font>
</b>
</td>
</tr>
</tbody>
</table>
<script>
var i = document.body.offsetTop; // this forces a layout
</script>
</font>
<div id="console"></div>
</body>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
document.getElementById("console").appendChild(document.createTextNode("PASS"));;
</script>
</html>
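Review bot: the mis-nested markup in this test (the `<div>` that is never closed, and the `<p>` inside `<b><font>` that is followed directly by `</font>`) has no comment saying whether that nesting is required to reproduce the crash, so a later tidy-up of the file could neuter the test without anyone noticing. Add a short HTML comment referencing bug 39143 and stating that the structure is intentional. Minor: the `appendChild` line ends with a doubled semicolon (`;;`), and the second `<script>` sits after `</body>`.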
2010-05-19 Enrica Casucci <enrica@apple.com>
Reviewed by Dave Hyatt.
REGRESSION (r59385) crash destroying inline renderers
https://bugs.webkit.org/show_bug.cgi?id=39143
<rdar://problem/8003662>
The goal of r59385 was to make sure that the layout of block after all its children had been removed produced the identical result
as the one of a newly created empty block. In order to do so, we had to make sure that the m_inlineChildren flag was reset to true when
the block had no children (as it is upon creation).
I discovered that, by doing that for anonymous blocks it leads removeChild to conclude that the anonymous children can be removed,
without considering that the anonymous block could be part of a continuation chain. For this reason, when RenderInline::destroy()
tries to remove the continuations we are effectively deleting a renderer that had been deleted already.
Test: fast/inline-block/anonymous-block-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutBlock): resetting the flag m_inlineChildren only for non anonymous blocks otherwise we incurr in
a double deletion of the renderer that causes the crash.
2010-05-19 Sheriff Bot <webkit.review.bot@gmail.com>
Unreviewed, rolling out r59782.
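Review bot: in the `(WebCore::RenderBlock::layoutBlock)` entry, "incurr in" should read "incur" and "non anonymous" should be hyphenated. Since this text is the permanent record of why the condition changed, it is worth fixing before landing.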
......@@ -740,7 +740,7 @@ void RenderBlock::layoutBlock(bool relayoutChildren)
int repaintTop = 0;
int repaintBottom = 0;
int maxFloatBottom = 0;
if (!firstChild())
if (!firstChild() && !isAnonymousBlock())
setChildrenInline(true);
if (childrenInline())
layoutInlineChildren(relayoutChildren, repaintTop, repaintBottom);
......
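Review bot: the new condition `!firstChild() && !isAnonymousBlock()` skips the flag reset for every anonymous block, while the ChangeLog describes the problem only for an anonymous block that is part of a continuation chain. That means an empty anonymous block outside any continuation no longer gets the layout that r59385 set out to guarantee; either narrow the check to the continuation case or state in the ChangeLog that the broader exclusion is deliberate. The condition also needs a one-line comment explaining why anonymous blocks are excluded, because nothing at this site hints that the guard prevents a double deletion elsewhere. Finally, the `removeChild` path that decides the anonymous block can be removed is untouched by this patch, so the safety of `RenderInline::destroy()` now depends on this flag never being set by another caller; a follow-up that makes the removal itself account for continuations would be more robust.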