Bug 90289

Summary: [CSSRegions]Crash when flowing a region into itself
Product: WebKit
Reporter: Mihnea Ovidenie <mihnea>
Component: CSS
Assignee: Mihnea Ovidenie <mihnea>
Status: RESOLVED FIXED
Severity: Normal
CC: achicu, eric, inferno, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)
Patch for landing (flags: none)

Mihnea Ovidenie
Reported 2012-06-29 09:26:09 PDT
Assume the following use case:

    <div id="parent" style="-webkit-flow-into:flow">
        <div id="region" style="-webkit-flow-from:flow"></div>
    </div>

In this case, the content of the "parent" element is collected into a named flow that is later displayed into "region". Since the "region" element is a child of the "parent" element, this would lead to a circular dependency, which is resolved in the code by not allowing the "region" to receive content from the named flow. However, in RenderRegion::styleDidChange we use the region's associated flow thread without checking whether the region actually has a valid flow thread, which leads to a crash.

Patch coming.
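The failure mode in this report is a general one: a cycle guard deliberately leaves an object without its usual association, and a later hook dereferences that association unconditionally. The following is an added, self-contained C++ illustration written for this page; it is not WebKit code and does not reproduce RenderRegion or the patch. The Element, FlowThread, FlowMap, attachRegion and regionStyleDidChange names are hypothetical, as is the constructed DOM (the reporter's parent/region pair plus a sibling region outside the flow content). It shows the region-in-its-own-flow case being refused a thread and the null check that keeps the style-change hook from crashing on it.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical toy model of CSS Regions named flows (not WebKit's classes).
struct Element {
    std::string id;
    std::string flowInto;   // -webkit-flow-into: name ("" = none)
    std::string flowFrom;   // -webkit-flow-from: name ("" = none)
    Element* parent = nullptr;
    std::vector<Element*> children;

    Element(std::string i, std::string into = "", std::string from = "")
        : id(std::move(i)), flowInto(std::move(into)), flowFrom(std::move(from)) {}

    Element* appendChild(Element* child) {
        child->parent = this;
        children.push_back(child);
        return child;
    }
};

struct FlowThread {
    std::string name;
    std::vector<Element*> contentNodes;  // elements collected into this flow
    std::vector<Element*> regions;       // regions that display this flow
    int styleChangeNotifications = 0;
};

// True when `region` is (or sits inside) content collected into `thread`;
// letting such a region display the thread would make the flow depend on itself.
static bool regionIsInsideFlowContent(const FlowThread& thread, const Element* region) {
    for (const Element* node = region; node; node = node->parent)
        for (const Element* content : thread.contentNodes)
            if (node == content)
                return true;
    return false;
}

class FlowMap {
public:
    FlowThread* ensureThread(const std::string& name) {
        auto& slot = m_threads[name];
        if (!slot) {
            slot = std::make_unique<FlowThread>();
            slot->name = name;
        }
        return slot.get();
    }

    // Collect an element carrying flow-into into its named flow.
    void collect(Element* element) {
        if (!element->flowInto.empty())
            ensureThread(element->flowInto)->contentNodes.push_back(element);
    }

    // Attach a region to its named flow. Returns nullptr, leaving the region
    // without a thread, when the region is part of that flow's own content.
    FlowThread* attachRegion(Element* region) {
        if (region->flowFrom.empty())
            return nullptr;
        FlowThread* thread = ensureThread(region->flowFrom);
        if (regionIsInsideFlowContent(*thread, region))
            return nullptr;
        thread->regions.push_back(region);
        m_regionToThread[region] = thread;
        return thread;
    }

    FlowThread* flowThreadForRegion(const Element* region) const {
        auto it = m_regionToThread.find(region);
        return it == m_regionToThread.end() ? nullptr : it->second;
    }

private:
    std::map<std::string, std::unique_ptr<FlowThread>> m_threads;
    std::map<const Element*, FlowThread*> m_regionToThread;
};

// Style-change hook for a region. The report's defect is the absence of the
// null check below: a region refused its thread (circular case) still reaches
// the hook, and dereferencing the missing thread crashes. Returns true when a
// thread was notified, false when the region has none.
static bool regionStyleDidChange(const FlowMap& flows, const Element* region) {
    FlowThread* thread = flows.flowThreadForRegion(region);
    if (!thread)
        return false;
    ++thread->styleChangeNotifications;
    return true;
}

struct ScenarioResult {
    bool nestedAttached, nestedNotified, siblingAttached, siblingNotified;
};

// Constructed DOM: body > parent(flow-into) > region(flow-from), plus a
// sibling region(flow-from) outside the collected content.
static ScenarioResult runScenario() {
    Element body("body"), parent("parent", "flow"), region("region", "", "flow"),
            sibling("sibling", "", "flow");
    body.appendChild(&parent);
    parent.appendChild(&region);
    body.appendChild(&sibling);

    FlowMap flows;
    flows.collect(&parent);
    ScenarioResult r{};
    r.nestedAttached = flows.attachRegion(&region) != nullptr;    // refused: cycle
    r.siblingAttached = flows.attachRegion(&sibling) != nullptr;  // attached
    r.nestedNotified = regionStyleDidChange(flows, &region);      // guarded, no crash
    r.siblingNotified = regionStyleDidChange(flows, &sibling);
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("nested: attached=%d notified=%d; sibling: attached=%d notified=%d\n",
                r.nestedAttached, r.nestedNotified, r.siblingAttached, r.siblingNotified);
    return 0;
}
```

The point to take from the model is the pairing: whatever code refuses the association in the circular case (attachRegion here) must be matched by a null check at every later use of that association (regionStyleDidChange here), otherwise the cycle guard itself becomes the trigger for a null dereference.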
Attachments
Patch (4.11 KB, patch), 2012-06-29 10:20 PDT, Mihnea Ovidenie, no flags
Patch for landing (4.79 KB, patch), 2012-07-20 01:03 PDT, Mihnea Ovidenie, no flags
Mihnea Ovidenie
Comment 1 2012-06-29 10:20:17 PDT
Andreas Kling
Comment 2 2012-07-19 07:16:44 PDT
Comment on attachment 150211 [details]
Patch

r=me
Mihnea Ovidenie
Comment 3 2012-07-20 01:03:12 PDT
Created attachment 153440 [details] Patch for landing
WebKit Review Bot
Comment 4 2012-07-20 02:24:14 PDT
Comment on attachment 153440 [details]
Patch for landing

Clearing flags on attachment: 153440

Committed r123196: <http://trac.webkit.org/changeset/123196>
WebKit Review Bot
Comment 5 2012-07-20 02:24:18 PDT
All reviewed patches have been landed. Closing bug.