Bug 126152

Summary: [CSSRegions] Crash while repainting an invalid region
Product: WebKit Reporter: Mihnea Ovidenie <mihnea>
Component: CSSAssignee: Mihnea Ovidenie <mihnea>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, dbates, esprehn+autocc, glenn, hyatt, kondapallykalyan, simon.fraser, WebkitBugTracker
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 57312    
Attachments:
Description Flags
Patch
none
Patch for landing none

Mihnea Ovidenie
Reported 2013-12-23 01:00:21 PST
A invalid region, part of a dependency cycle, should not attempt to repaint the content from the associated named flow.
Attachments
Patch (5.62 KB, patch)
2013-12-23 01:05 PST, Mihnea Ovidenie 		no flags
DetailsFormatted DiffDiff
Patch for landing (5.95 KB, patch)
2013-12-24 00:32 PST, Mihnea Ovidenie 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mihnea Ovidenie
Comment 1 2013-12-23 01:05:46 PST
Created attachment 219900 [details] Patch
Daniel Bates
Comment 2 2013-12-23 13:06:51 PST
Comment on attachment 219900 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=219900&action=review This looks sane to me. Feel free to have a domain expert look over this patch. > LayoutTests/fast/regions/repaint/invalid-region-repaint-crash.html:4 > + <script src="../../repaint/resources/text-based-repaint.js" type="text/javascript"></script> Please remove the HTML attribute type as it's unnecessary given that this document is an HTML5 document. > Source/WebCore/rendering/RenderLayer.cpp:6278 > + RenderNamedFlowFragment* region = toRenderBlockFlow(&renderer())->renderNamedFlowFragment(); Notice that we generate a toRenderBlockFlow()-variant that takes and returns a reference. For you consideration, I suggest we use this variant to remove the address-of operator and to document the "non-nullness" of the return value of toRenderBlockFlow() since renderer() is guaranteed to be non-null. RenderNamedFlowFragment* region = toRenderBlockFlow(renderer()).renderNamedFlowFragment();
Mihnea Ovidenie
Comment 3 2013-12-24 00:32:53 PST
Created attachment 219958 [details] Patch for landing
WebKit Commit Bot
Comment 4 2013-12-24 01:22:11 PST
Comment on attachment 219958 [details] Patch for landing Clearing flags on attachment: 219958 Committed r161054: <http://trac.webkit.org/changeset/161054>
WebKit Commit Bot
Comment 5 2013-12-24 01:22:13 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.