Title: [105818] branches/chromium/963
Revision
105818
Author
[email protected]
Date
2012-01-24 15:07:34 -0800 (Tue, 24 Jan 2012)

Log Message

Merge 104121 - Source/WebCore: Crash in RenderRegion::getRegionRangeForBox.
clearRenderRegionRangeMap breakage fixed by replacing statements from https://trac.webkit.org/changeset/102234
BUG=107758
Review URL: https://chromiumcodereview.appspot.com/9113038

Modified Paths

Added Paths

Diff

Copied: branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash-expected.txt (from rev 104121, trunk/LayoutTests/fast/regions/region-range-for-box-crash-expected.txt) (0 => 105818)


--- branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash-expected.txt	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash-expected.txt	2012-01-24 23:07:34 UTC (rev 105818)
@@ -0,0 +1,5 @@
+Bug 74781: Crash in RenderFlowThread::getRegionRangeForBox
+
+This test PASSES if it does not CRASH or ASSERT.
+
+A

Copied: branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash.html (from rev 104121, trunk/LayoutTests/fast/regions/region-range-for-box-crash.html) (0 => 105818)


--- branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash.html	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/regions/region-range-for-box-crash.html	2012-01-24 23:07:34 UTC (rev 105818)
@@ -0,0 +1,42 @@
+<!doctype html>
+<html>
+    <head>
+        <style>
+            #el0 {
+                -webkit-flow-from: a;
+                content: counter(c);
+            }
+            #el2 {
+                -webkit-flow-into: a;
+            }
+        </style>
+        <script>
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+
+            function crash() {
+                el0 = document.createElement('div');
+                el0.setAttribute('id', 'el0');
+                document.body.appendChild(el0);
+                el1 = document.createElement('div');
+                document.body.appendChild(el1);
+                el2 = document.createElement('div');
+                el2.setAttribute('id', 'el2');
+                el1.appendChild(el2);
+                el2.appendChild(document.createTextNode('A'));
+                el3 = document.createElement('input');
+                el3.setAttribute('id', 'el3');
+                el2.appendChild(el3);
+                document.body.style.zoom=2;
+                document.execCommand('selectall');
+                el2.style.display='table-header-group';
+                document.body.style.zoom=1;
+            }
+            window._onload_=crash
+        </script>
+    </head>
+    <body>
+        <p> Bug <a href="" Crash in RenderFlowThread::getRegionRangeForBox</p>
+        <p> This test PASSES if it does not CRASH or ASSERT.</p>
+    </body>
+</html>
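Review bot: As printed here, `window._onload_=crash` assigns to a property the browser never invokes, so `crash()` would not run and the test would pass without exercising the layout path; the `<a href=""` tag in the first `<p>` is also unterminated. Both look like artefacts of the mail archive's sanitising rather than the committed text, since the expected output still prints the full "Bug 74781" line. Check the repository copy for `window.onload = crash` before treating this listing as a working regression test.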

Modified: branches/chromium/963/Source/WebCore/rendering/RenderBlock.cpp (105817 => 105818)


--- branches/chromium/963/Source/WebCore/rendering/RenderBlock.cpp	2012-01-24 23:00:43 UTC (rev 105817)
+++ branches/chromium/963/Source/WebCore/rendering/RenderBlock.cpp	2012-01-24 23:07:34 UTC (rev 105818)
@@ -6618,7 +6618,7 @@
         return 0;
 
     RenderFlowThread* flowThread = enclosingRenderFlowThread();
-    if (!flowThread || !flowThread->hasValidRegions())
+    if (!flowThread || !flowThread->hasValidRegionInfo())
         return 0;
 
     return flowThread->renderRegionForLine(offsetFromLogicalTopOfFirstPage() + blockOffset, true);
@@ -6639,7 +6639,7 @@
         return false;
     
     RenderFlowThread* flowThread = enclosingRenderFlowThread();
-    if (!flowThread || !flowThread->hasValidRegions())
+    if (!flowThread || !flowThread->hasValidRegionInfo())
         return 0;
     
     return flowThread->logicalWidthChangedInRegions(this, offsetFromLogicalTopOfFirstPage());
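Review bot: The guard changed in this hunk exits with `return 0;` while the early return two lines above it uses `return false;`, which suggests the enclosing function returns bool; `return false;` would keep the two exits consistent. The function starts outside the hunk, so the return type is inferred from those two lines only. The `return 0;` in the previous hunk sits in what appears to be a pointer-returning function and needs no change.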

Modified: branches/chromium/963/Source/WebCore/rendering/RenderBox.cpp (105817 => 105818)


--- branches/chromium/963/Source/WebCore/rendering/RenderBox.cpp	2012-01-24 23:00:43 UTC (rev 105817)
+++ branches/chromium/963/Source/WebCore/rendering/RenderBox.cpp	2012-01-24 23:07:34 UTC (rev 105818)
@@ -241,9 +241,6 @@
         return;
 
     RenderFlowThread* flowThread = enclosingRenderFlowThread();
-    if (!flowThread->hasValidRegions())
-        return;
-
     flowThread->removeRenderBoxRegionInfo(this);
 }
 

Modified: branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.cpp (105817 => 105818)


--- branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.cpp	2012-01-24 23:00:43 UTC (rev 105817)
+++ branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.cpp	2012-01-24 23:07:34 UTC (rev 105818)
@@ -209,7 +209,10 @@
 void RenderFlowThread::removeRegionFromThread(RenderRegion* renderRegion)
 {
     ASSERT(renderRegion);
+    deleteAllValues(m_regionRangeMap);
+    m_regionRangeMap.clear();
     m_regionList.remove(renderRegion);
+
     if (renderRegion->parentFlowThread()) {
         if (!renderRegion->isValid()) {
             renderRegion->parentFlowThread()->m_observerThreadsSet.remove(this);
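Review bot: The two lines added at the top of removeRegionFromThread() drop every cached range without a comment saying why, and that reason is the substance of this fix. getRegionRangeForBox() later in this file hands out `range->startRegion()` and `range->endRegion()` from `m_regionRangeMap`, so the map presumably caches raw RenderRegion pointers that would dangle once a region leaves `m_regionList`. I would add `// Ranges cache raw RenderRegion pointers; drop them all so no box keeps a range naming the region being removed.` above `deleteAllValues(m_regionRangeMap);`. The log message suggests these statements stand in for a clearRenderRegionRangeMap() helper this branch lacks; if so, the comment should say that as well. The function body continues outside the hunk.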
@@ -499,7 +502,7 @@
 
 void RenderFlowThread::repaintRectangleInRegions(const LayoutRect& repaintRect, bool immediate)
 {
-    if (!shouldRepaint(repaintRect))
+    if (!shouldRepaint(repaintRect) || !hasValidRegionInfo())
         return;
 
     for (RenderRegionList::iterator iter = m_regionList.begin(); iter != m_regionList.end(); ++iter) {
@@ -593,7 +596,7 @@
 
 RenderRegion* RenderFlowThread::mapFromFlowToRegion(TransformState& transformState) const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
 
     LayoutRect boxRect = transformState.mappedQuad().enclosingBoundingBox();
@@ -674,7 +677,7 @@
 
 LayoutUnit RenderFlowThread::contentLogicalWidthOfFirstRegion() const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
     for (RenderRegionList::const_iterator iter = m_regionList.begin(); iter != m_regionList.end(); ++iter) {
         RenderRegion* region = *iter;
@@ -688,7 +691,7 @@
 
 LayoutUnit RenderFlowThread::contentLogicalHeightOfFirstRegion() const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
     for (RenderRegionList::const_iterator iter = m_regionList.begin(); iter != m_regionList.end(); ++iter) {
         RenderRegion* region = *iter;
@@ -702,7 +705,7 @@
  
 LayoutUnit RenderFlowThread::contentLogicalLeftOfFirstRegion() const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
     for (RenderRegionList::const_iterator iter = m_regionList.begin(); iter != m_regionList.end(); ++iter) {
         RenderRegion* region = *iter;
@@ -716,7 +719,7 @@
 
 RenderRegion* RenderFlowThread::firstRegion() const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
     for (RenderRegionList::const_iterator iter = m_regionList.begin(); iter != m_regionList.end(); ++iter) {
         RenderRegion* region = *iter;
@@ -729,7 +732,7 @@
 
 RenderRegion* RenderFlowThread::lastRegion() const
 {
-    if (!hasValidRegions())
+    if (!hasValidRegionInfo())
         return 0;
     for (RenderRegionList::const_reverse_iterator iter = m_regionList.rbegin(); iter != m_regionList.rend(); ++iter) {
         RenderRegion* region = *iter;
@@ -779,8 +782,10 @@
     RenderRegionRange* range = m_regionRangeMap.get(box);
     if (!range)
         return;
+
     startRegion = range->startRegion();
     endRegion = range->endRegion();
+    ASSERT(m_regionList.contains(startRegion) && m_regionList.contains(endRegion));
 }
     
 } // namespace WebCore
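Review bot: The added `ASSERT(m_regionList.contains(startRegion) && m_regionList.contains(endRegion));` runs after both out-parameters have already been written and is compiled out of release builds, so in production a stale range would still reach the caller unchecked. If any path other than removeRegionFromThread() can leave a range naming a removed region, consider a runtime check that resets both out-parameters before returning; what callers expect in that case is not visible because the function starts outside the hunk. At minimum a comment such as `// Every cached range must name regions still in m_regionList; removeRegionFromThread() clears the map to keep this true.` would tie the assertion to the fix.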

Modified: branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.h (105817 => 105818)


--- branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.h	2012-01-24 23:00:43 UTC (rev 105817)
+++ branches/chromium/963/Source/WebCore/rendering/RenderFlowThread.h	2012-01-24 23:07:34 UTC (rev 105818)
@@ -89,6 +89,7 @@
     bool hasValidRegions() const { ASSERT(!m_regionsInvalidated); return m_hasValidRegions; }
 
     void invalidateRegions() { m_regionsInvalidated = true; setNeedsLayout(true); }
+    bool hasValidRegionInfo() const { return !m_regionsInvalidated && hasValidRegions(); }
 
     static PassRefPtr<RenderStyle> createFlowThreadStyle(RenderStyle* parentStyle);
 
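Review bot: `hasValidRegionInfo()` and `hasValidRegions()` now differ by one word, yet only the new accessor is safe to call while `m_regionsInvalidated` is set; the older one asserts in that state and, with assertions compiled out, returns whatever `m_hasValidRegions` last held. A comment on the added line would make the difference explicit, for example `// Unlike hasValidRegions(), may be called while regions are invalidated; returns false in that case.` Placing it directly under `hasValidRegions()` rather than after `invalidateRegions()` would also keep the pair together. Callers of `hasValidRegions()` that this commit does not convert keep the old behaviour, and none are visible in this diff to confirm they are safe.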