Crash in WebCore::RenderObject::repaint
https://bugs.webkit.org/show_bug.cgi?id=86162 Patch by Takashi Sakamoto <tasak@google.com> on 2012-05-14 Reviewed by Abhishek Arya. Source/WebCore: As RenderScrollbarPart has no parent renderer, we crash in WebCore::RenderBoxModelObject::paddingLeft when paddingLeft has percent value, e.g. 5%. However if we set the scrollbar's parent renderer to a renderer owning the scrollbar by using setParent method, RenderScrollbarPart::styleWillChange will invoke parent renderer's repaint. This causes crash in WebCore::RenderObject::repaint if the owning renderer is already destroyed. To fix the first crash without the second crash, modify RenderObject::containingBlock() to check isRenderScrollbarPart or not, if parent() is 0. If so, use scrollbar's owningRenderer from RenderScrollbarPart. Test: scrollbars/scrollbar-percent-padding-crash.html scrollbars/scrollbar-scrollbarparts-repaint-crash.html * rendering/RenderObject.cpp: (WebCore::RenderObject::containingBlock): Modifying containingBlock. If parent() is 0 and isRenderScrollbarPart() is true, use RenderScrollbarPart's m_scrollbar->owningRenderer() instead of parent(). * rendering/RenderObject.h: (WebCore::RenderObject::isRenderScrollbarPart): (RenderObject): Adding a new method, isRenderScrollbarPart. * rendering/RenderScrollbarPart.cpp: (WebCore::RenderScrollbarPart::rendererOwningScrollbar): (WebCore): Adding a new method, scrollbarOwningRenderer to obtain m_scrollar's owningRenderer. * rendering/RenderScrollbarPart.h: (RenderScrollbarPart): Removing "friend class RenderScrollbar". (WebCore::RenderScrollbarPart::isRenderScrollbarPart): (WebCore::toRenderScrollbarPart): (WebCore): Implementing isRenderScrollbarPart and toRenderScrollbarPart. LayoutTests: * scrollbars/scrollbar-scrollbarparts-repaint-crash-expected.txt: Added. * scrollbars/scrollbar-scrollbarparts-repaint-crash.html: Added. * scrollbars/scrollbar-percent-padding-crash-expected.txt: Added. * scrollbars/scrollbar-percent-padding-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117007 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Loading
Please register or sign in to comment