Bug 145942

Summary: Be more defensive at renderer type checking when initializing flow segments.
Product: WebKit Reporter: alan <zalan>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ddkilzer, esprehn+autocc, glenn, koivisto, kondapallykalyan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

alan
Reported 2015-06-12 15:00:36 PDT
If we miss invalidating simple line layout path properly, we could end up in FlowContents->initializeSegments with a renderer that we don't support yet.
Attachments
Patch (2.67 KB, patch)
2015-06-12 15:25 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (2.82 KB, patch)
2015-06-12 19:00 PDT, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2015-06-12 15:25:17 PDT
Created attachment 254824 [details] Patch
alan
Comment 2 2015-06-12 15:25:48 PDT
It results in broken rendering (missing pieces) vs. crash.
Antti Koivisto
Comment 3 2015-06-12 15:52:07 PDT
Comment on attachment 254824 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=254824&action=review > Source/WebCore/rendering/SimpleLineLayoutFlowContents.cpp:50 > continue; > - } > - ASSERT(is<RenderText>(child)); > - const auto& textChild = downcast<RenderText>(child); > - unsigned textLength = textChild.text()->length(); > - segments.append(FlowContents::Segment { startPosition, startPosition + textLength, textChild.text(), textChild }); > - startPosition += textLength; > + } else if (is<RenderText>(child)) { No need to say 'else' after 'continue'.
Antti Koivisto
Comment 4 2015-06-12 15:55:06 PDT
Comment on attachment 254824 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=254824&action=review > Source/WebCore/rendering/SimpleLineLayoutFlowContents.cpp:56 > + startPosition += textLength; > + } else > + ASSERT_NOT_REACHED(); This too could do continue without else.
alan
Comment 5 2015-06-12 19:00:52 PDT
Created attachment 254846 [details] Patch
WebKit Commit Bot
Comment 6 2015-06-12 20:25:36 PDT
Comment on attachment 254846 [details] Patch Clearing flags on attachment: 254846 Committed r185531: <http://trac.webkit.org/changeset/185531>
WebKit Commit Bot
Comment 7 2015-06-12 20:25:41 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.