REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThre...
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Feb 2015 20:27:40 +0000 (20:27 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Feb 2015 20:27:40 +0000 (20:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=133462

Reviewed by David Hyatt.

RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
we detach the inline tree first and destroy them after. The detached root boxes can't access
the flowthread containing block and we end up with dangling pointers in this map.
Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.

Source/WebCore:

Test: fast/multicol/newmulticol/crash-when-switching-to-floating.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::collapseAnonymousBoxChild):

LayoutTests:

* fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt: Added.
* fast/multicol/newmulticol/crash-when-switching-to-floating.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179877 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp

index 1415a9476f8a4bbd233cadf53dccc7a8d46a1feb..0147332a7d03488a3296144fa1b2d73474b133e0 100644 (file)
@@ -1,3 +1,19 @@
+2015-02-07  Zalan Bujtas  <zalan@apple.com>
+
+        REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency
+        https://bugs.webkit.org/show_bug.cgi?id=133462
+
+        Reviewed by David Hyatt.
+
+        RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
+        Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
+        we detach the inline tree first and destroy them after. The detached root boxes can't access
+        the flowthread containing block and we end up with dangling pointers in this map.
+        Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.
+
+        * fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt: Added.
+        * fast/multicol/newmulticol/crash-when-switching-to-floating.html: Added.
+
 2015-02-10  David Kilzer  <ddkilzer@apple.com>
 
         [iOS] Gardening: fast/loader/subframe-navigate-during-main-frame-load.html crashes running all tests
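Review bot: the new entry is dated 2015-02-07 although the commit landed on Tue, 10 Feb 2015, and it sits above David Kilzer's 2015-02-10 entry, so the ChangeLog is out of chronological order; update the date line to the landing date so the entry matches the commit metadata.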
diff --git a/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt b/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt
new file mode 100644 (file)
index 0000000..c51ba7a
--- /dev/null
@@ -0,0 +1 @@
+Pass if no crash or assert in debug build.
diff --git a/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html b/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html
new file mode 100644 (file)
index 0000000..80716f3
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we clean up the inline content properly after introducing floating.</title> 
+<script>
+  if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<table><td></table>
+Pass if no crash or assert in debug build.
+<script>
+var head = document.getElementsByTagName("head")[0];
+style = document.createElement("style");
+style.innerHTML="* { \n\
+-webkit-animation-name: name9; \n\
+-webkit-animation-duration: 10s; \n\
+} \n\
+@-webkit-keyframes name9 { \n\
+  from { \n\
+  } \n\
+  to { \n\
+    -webkit-column-width: auto; \n\
+";
+head.appendChild(style);
+document.execCommand("SelectAll");
+style.innerHTML="* {float:left;}";
+</script>
+</body>
+</html>
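Review bot: the stylesheet string assembled in the second `<script>` is never closed: both the `to {` block and the `@-webkit-keyframes name9 {` rule lack a `}` before the string ends at `-webkit-column-width: auto; \n\`, and `style` is assigned without `var`, making it an implicit global. If the reduced test relies on the unterminated rule to reach the crash, say so in a one-line comment beside it; otherwise close the braces and declare the variable so the test does not depend on CSS parser error recovery. The unbalanced `<table><td></table>` markup deserves the same comment, since a reader cannot tell whether it is part of the reduction or leftover from the fuzzer output.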
index 9a28903258b09748787fbe3b4716ba51ce9594df..b7affa0c741a118750fb4d2277595cf05f18c1a1 100644 (file)
@@ -1,3 +1,21 @@
+2015-02-07  Zalan Bujtas  <zalan@apple.com>
+
+        REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency
+        https://bugs.webkit.org/show_bug.cgi?id=133462
+
+        Reviewed by David Hyatt.
+
+        RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
+        Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
+        we detach the inline tree first and destroy them after. The detached root boxes can't access
+        the flowthread containing block and we end up with dangling pointers in this map.
+        Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.
+
+        Test: fast/multicol/newmulticol/crash-when-switching-to-floating.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::collapseAnonymousBoxChild):
+
 2015-02-10  Julien Isorce  <j.isorce@samsung.com>
 
         Render: properly update body's background image
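Review bot: the sentence "Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal." does not describe the code change; the old code already called `removeFlowChildInfo(child)` at that point but only when `is<RenderNamedFlowThread>(childFlowThread)` held, and the RenderBlock.cpp hunk removes that check so every flow thread containing block (including the multicolumn case the new fast/multicol test exercises) gets the call. Reword to something like "Call removeFlowChildInfo() for any flow thread containing block, not only RenderNamedFlowThread, before detaching the subtree.", and correct the 2015-02-07 date to the landing date.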
index a9fd291f4fed9e966082e827f50a8e36215dbbb2..ede343f9b259b7e94b1e608385b498dd51e959c7 100644 (file)
@@ -672,9 +672,8 @@ void RenderBlock::collapseAnonymousBoxChild(RenderBlock& parent, RenderBlock* ch
     parent.setChildrenInline(child->childrenInline());
     RenderObject* nextSibling = child->nextSibling();
 
-    RenderFlowThread* childFlowThread = child->flowThreadContainingBlock();
-    if (is<RenderNamedFlowThread>(childFlowThread))
-        downcast<RenderNamedFlowThread>(*childFlowThread).removeFlowChildInfo(child);
+    if (auto* childFlowThread = child->flowThreadContainingBlock())
+        childFlowThread->removeFlowChildInfo(child);
 
     parent.removeChildInternal(*child, child->hasLayer() ? NotifyChildren : DontNotifyChildren);
     child->moveAllChildrenTo(&parent, nextSibling, child->hasLayer());
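Review bot: `removeFlowChildInfo(child)` is now reached through `RenderFlowThread*` rather than `downcast<RenderNamedFlowThread>(...)`, so the fix depends on the base-class method clearing the `m_lineToRegionMap` entries for the root inline boxes named in the description; that implementation is not in this hunk, so confirm it handles a `RenderBlock` child whose inline tree is about to be handed to the parent by `moveAllChildrenTo`, and add a short comment above the `if` explaining that the call must precede `removeChildInternal` because the detached root boxes can no longer find their flow thread. The `auto*` with the null check is consistent with the surrounding style, and the placement matches the description.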