Bug 126152 - [CSSRegions] Crash while repainting an invalid region
Summary: [CSSRegions] Crash while repainting an invalid region
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mihnea Ovidenie
URL:
Keywords:
Depends on:
Blocks: 57312
Reported: 2013-12-23 01:00 PST by Mihnea Ovidenie
Modified: 2013-12-24 01:22 PST (History)
CC: 8 users

See Also:


Attachments
Patch (5.62 KB, patch)
2013-12-23 01:05 PST, Mihnea Ovidenie
Patch for landing (5.95 KB, patch)
2013-12-24 00:32 PST, Mihnea Ovidenie

Description Mihnea Ovidenie 2013-12-23 01:00:21 PST
An invalid region, part of a dependency cycle, should not attempt to repaint the content from the associated named flow.
Comment 1 Mihnea Ovidenie 2013-12-23 01:05:46 PST
Created attachment 219900 [details]
Patch
Comment 2 Daniel Bates 2013-12-23 13:06:51 PST
Comment on attachment 219900 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=219900&action=review

This looks sane to me. Feel free to have a domain expert look over this patch.

> LayoutTests/fast/regions/repaint/invalid-region-repaint-crash.html:4
> +        <script src="../../repaint/resources/text-based-repaint.js" type="text/javascript"></script>

Please remove the HTML attribute type as it's unnecessary given that this document is an HTML5 document.

> Source/WebCore/rendering/RenderLayer.cpp:6278
> +        RenderNamedFlowFragment* region = toRenderBlockFlow(&renderer())->renderNamedFlowFragment();

Notice that we generate a toRenderBlockFlow()-variant that takes and returns a reference. For your consideration, I suggest we use this variant to remove the address-of operator and to document the "non-nullness" of the return value of toRenderBlockFlow() since renderer() is guaranteed to be non-null.

RenderNamedFlowFragment* region = toRenderBlockFlow(renderer()).renderNamedFlowFragment();
Comment 3 Mihnea Ovidenie 2013-12-24 00:32:53 PST
Created attachment 219958 [details]
Patch for landing
Comment 4 WebKit Commit Bot 2013-12-24 01:22:11 PST
Comment on attachment 219958 [details]
Patch for landing

Clearing flags on attachment: 219958

Committed r161054: <http://trac.webkit.org/changeset/161054>
Comment 5 WebKit Commit Bot 2013-12-24 01:22:13 PST
All reviewed patches have been landed. Closing bug.