WebCore: Bug 31574 - Crashing bug when removing <ruby> element
author rolandsteiner@chromium.org <rolandsteiner@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2009 03:15:49 +0000 (03:15 +0000)
committer rolandsteiner@chromium.org <rolandsteiner@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2009 03:15:49 +0000 (03:15 +0000)
commit e1ef01e94a313f0b9e96a6f8695d1b6fd9816aad
tree 85815c77d50553dd1990dfb381450f58bed1beb5
parent d8645b8de4d70ca685192877ddd09e114a38e28d
WebCore: Bug 31574 -  Crashing bug when removing <ruby> element
(https://bugs.webkit.org/show_bug.cgi?id=31574)

Reviewed by Darin Adler.

Cause of the bug:
1.) RenderBlock::destroy() of the RenderRubyRun called destroyLeftoverChildren()
2.) that called destroy() of the RenderRubyBase(), which in RenderObject::destroy() calls remove()
3.) remove() is being redirected as parent()->removeChild() in RenderObject.h
4.) this triggers the special handling of child removal in RenderRubyRun that
    causes it to destroy itself
5.) On returning from all this the renderer crashes when accessing a member
    or virtual function on this now illegal object.

I therefore added a flag that tracks if the ruby run is being destroyed.
If so, avoid doing the special handling in removeChild that caused this.
It's not the most elegant solution, but the easiest to implement without
touching unrelated code. Also, it's self-documenting.

Test: fast/ruby/ruby-remove.html

* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::RenderRubyRun):
(WebCore::RenderRubyRun::destroy):
(WebCore::RenderRubyRun::removeChild):
* rendering/RenderRubyRun.h:

LayoutTests: Bug 31574 -  Crashing bug when removing <ruby> element
(https://bugs.webkit.org/show_bug.cgi?id=31574)

Reviewed by Darin Adler.

Layout test to verify it no longer crashes when the <ruby> element
is being removed.

* fast/ruby/ruby-remove-expected.txt: Added.
* fast/ruby/ruby-remove.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51169 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/ruby/ruby-remove-expected.txt [new file with mode: 0644]
LayoutTests/fast/ruby/ruby-remove.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderRubyRun.cpp
WebCore/rendering/RenderRubyRun.h
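
The call chain and the flag described in the commit message, as an added example that is not part of the commit or of WebKit's code: a simplified C++ model in which `Node`, `Run` and the helper functions are hypothetical names. Where the unguarded path would free the run a second time, the model counts the attempt instead, so the program stays well-defined.

```cpp
#include <algorithm>
#include <vector>

// Simplified model of the call chain; hypothetical names, not WebKit code.
static int g_reentrant = 0;  // self-destroy attempts made while destroy() was running
static int g_runsFreed = 0;  // Run objects actually freed

struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    virtual ~Node() = default;
    virtual void removeChild(Node* c) {
        children.erase(std::remove(children.begin(), children.end(), c), children.end());
        c->parent = nullptr;
    }
    virtual void destroy() {
        while (!children.empty()) children.back()->destroy();  // destroy leftover children
        if (parent) parent->removeChild(this);                 // remove() -> parent()->removeChild()
        delete this;
    }
};

struct Run : Node {
    bool guarded, beingDestroyed = false;
    explicit Run(bool g) : guarded(g) {}
    ~Run() override { ++g_runsFreed; }
    void destroy() override { beingDestroyed = true; Node::destroy(); }
    void removeChild(Node* c) override {
        Node::removeChild(c);
        if (guarded && beingDestroyed) return;  // the fix: skip special handling in teardown
        if (!children.empty()) return;
        // Unguarded teardown: real code would free `this` under the outer destroy().
        if (beingDestroyed) { ++g_reentrant; return; }
        destroy();  // normal case: a run left empty removes itself
    }
};

static Run* makeRun(bool guarded, Node*& base) {
    Run* run = new Run(guarded);
    base = new Node; base->parent = run; run->children.push_back(base);
    return run;
}
int teardownReentries(bool guarded) {  // destroy a run that still has a child
    Node* base; g_reentrant = 0;
    makeRun(guarded, base)->destroy();
    return g_reentrant;
}
int runsFreedOnLastChildRemoval(bool guarded) {  // ordinary removal of the last child
    Node* base; g_runsFreed = 0;
    makeRun(guarded, base)->removeChild(base);
    delete base;
    return g_runsFreed;
}
```

`teardownReentries(false)` reports the one reentrant self-destroy that corresponds to step 4 of the commit message; with the flag consulted it reports none, while removing the last child outside teardown still frees the run in both variants.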