Bug 133155

Summary: REGRESSION(r167870): Crash in simple line layout code with :after
Product: WebKit Reporter: Antti Koivisto <koivisto>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, dbates, esprehn+autocc, glenn, kondapallykalyan
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
darin: review+
patch 2 darin: review+

Antti Koivisto
Reported 2014-05-21 11:04:32 PDT
<style> a { display: none; } a:after { content: "bar"; } div:hover a { display: inline-block } </style> <div>foo<a></a></div>
Attachments
patch (5.77 KB, patch)
2014-05-21 11:20 PDT, Antti Koivisto 		darin: review+
DetailsFormatted DiffDiff
patch 2 (9.13 KB, patch)
2014-05-21 13:40 PDT, Antti Koivisto 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Antti Koivisto
Comment 1 2014-05-21 11:05:14 PDT
<rdar://problem/16977696>
Antti Koivisto
Comment 2 2014-05-21 11:20:56 PDT
Created attachment 231834 [details] patch
Darin Adler
Comment 3 2014-05-21 11:29:15 PDT
Comment on attachment 231834 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=231834&action=review Looks great. > Source/WebCore/rendering/RenderBlockFlow.cpp:3423 > const SimpleLineLayout::Layout* RenderBlockFlow::simpleLineLayout() const > { > - if (m_lineLayoutPath == UndeterminedPath) > - const_cast<RenderBlockFlow&>(*this).m_lineLayoutPath = SimpleLineLayout::canUseFor(*this) ? SimpleLinesPath : LineBoxesPath; > - > - if (m_lineLayoutPath == SimpleLinesPath) > - return m_simpleLineLayout.get(); > - > - const_cast<RenderBlockFlow&>(*this).createLineBoxes(); > - return nullptr; > + ASSERT(m_lineLayoutPath <= SimpleLinesPath || !m_simpleLineLayout); > + return m_simpleLineLayout.get(); > } Maybe we should move this back to the header file and make it an inline function again. I don’t think the assertion is strong enough. It’s seems like it’s not OK to get a non-nullptr value if m_lineLayoutPath is UndeterminedPath. But maybe we can’t put the stronger assertion in because we still need to get at m_simpleLineLayout in the time window before we determine whether to use it or not.
Antti Koivisto
Comment 4 2014-05-21 13:40:17 PDT
Created attachment 231839 [details] patch 2
Antti Koivisto
Comment 5 2014-05-21 13:41:12 PDT
> I don’t think the assertion is strong enough. It’s seems like it’s not OK to get a non-nullptr value if m_lineLayoutPath is UndeterminedPath. But maybe we can’t put the stronger assertion in because we still need to get at m_simpleLineLayout in the time window before we determine whether to use it or not. You are right. I tightened the assert and now drop the simple line layout on path invalidation.
Antti Koivisto
Comment 6 2014-05-21 23:14:50 PDT
https://trac.webkit.org/r169189
Note You need to log in before you can comment on or make changes to this bug.