| Summary: | Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jer Noble <jer.noble> |
| Component: | New Bugs | Assignee: | Jer Noble <jer.noble> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | abucur, commit-queue, esprehn+autocc, glenn, hyatt, jonlee, kondapallykalyan, simon.fraser, WebkitBugTracker |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=144973 | | |
Description
Jer Noble
2015-05-14 23:55:41 PDT
Created attachment 253180 [details]
Patch
I wonder why this never crashed before. Do you have a test that reproduces this situation? It sounds a bit strange to call layout twice for a renderer in the same stack.

Andrei, see bug 144973.

(In reply to comment #2)
> It sounds a bit strange to call layout twice for a renderer in the same stack.

That's true, but it's not necessarily a 1:1 mapping of layout()-to-push(). For example, in the case I mention in the ChangeLog, the FrameView is pushing its `root` on the stack, the `root` is pushing itself on the stack, and root->layout() is only called once.

Comment on attachment 253180 [details]
Patch

r=me

Is it possible to add a test?

(In reply to comment #6)
> Is it possible to add a test?

Well, sort of. By adding the proposed changes in the bug you mentioned, we'll be testing this change implicitly in those failing tests (the ones that triggered the roll-out).

Ok, that sounds great, thanks for the clarifications!

Comment on attachment 253180 [details]
Patch

Clearing flags on attachment: 253180

Committed r184394: <http://trac.webkit.org/changeset/184394>

All reviewed patches have been landed. Closing bug.

Was this not testable?