Summary: | Descendant is being put into the wrong flow thread with nested columns and spans | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Dave Hyatt <hyatt> | ||||
Component: | Layout and Rendering | Assignee: | Dave Hyatt <hyatt> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | abucur, bdakin, commit-queue, darin, dbates, ddkilzer, esprehn+autocc, glenn, kling, koivisto, kondapallykalyan, mihnea, simon.fraser, webkit-bug-importer, zalan | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=141612 | ||||||
Attachments: |
|
Description
Dave Hyatt
2014-09-30 15:11:40 PDT
Created attachment 240986 [details]
Patch
Comment on attachment 240986 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=240986&action=review > Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:387 > + placeholder.parent()->removeChild(placeholder); I think you want a "// FIXME: placeholder is leaked" here. Comment on attachment 240986 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=240986&action=review > Source/WebCore/ChangeLog:20 > + The second fix was to stop destroying the placeholder. Since the placeholder can just have been inserted, you > + can't delete it, since otherwise code further up the stack will access the deleted object. For now, we just > + leak the placeholder. Would using a RenderPtr<> for the placeholder (née descendant) fix the leak/object lifetime? >> Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:387 >> - ancestorBlock.multiColumnFlowThread()->handleSpannerRemoval(spanner); >> - placeholder.destroy(); >> - >> + if (subtreeRoot == descendant) >> + subtreeRoot = spanner; >> + placeholder.parent()->removeChild(placeholder); > > I think you want a "// FIXME: placeholder is leaked" here. And a new bug number that tracks the leak please. *** Bug 137316 has been marked as a duplicate of this bug. *** |