After Bug 15135 (this was my change, sorry), the following HTML causes crash or assertion failure. <style> .test { overflow-x: overlay; width: 50; display: -webkit-box; } </style> <script> if (window.layoutTestController) layoutTestController.dumpAsText(); </script> <body> <div class="test"> <input type=file class="test"> </div> No crash means PASS </body> This is the stacktrace: (gdb) bt #0 0x0000000001dd7401 in WebCore::RenderBlock::startDelayUpdateScrollInfo () at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:605 #1 0x0000000001e1fdf9 in WebCore::RenderFlexibleBox::layoutHorizontalBox ( this=0x7fffe8062f08, relayoutChildren=false) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:336 #2 0x0000000001e2131c in WebCore::RenderFlexibleBox::layoutBlock ( this=0x7fffe8062f08, relayoutChildren=false) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:242 #3 0x0000000001de0f25 in WebCore::RenderBlock::layout (this=0x7fffe8062f08) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:648 #4 0x0000000001de4c4f in WebCore::RenderObject::layoutIfNeeded ( this=0x7fffe8062f08) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderObject.h:496 #5 0x0000000001dfdf11 in WebCore::RenderBlock::layoutInlineChildren ( this=0x7fffe8062788, relayoutChildren=true, repaintTop=@0x438249cc, repaintBottom=@0x438249c8) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/---Type <return> to continue, or q <return> to quit--- RenderBlockLineLayout.cpp:865 #6 0x0000000001de15a9 in WebCore::RenderBlock::layoutBlock ( this=0x7fffe8062788, relayoutChildren=true) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:722 #7 0x0000000001e3b523 in WebCore::RenderLayer::updateScrollInfoAfterLayout ( this=0x7fffe80628c8) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderLayer.cpp:1872 #8 0x0000000001de1cd8 in WebCore::RenderBlock::finishDelayUpdateScrollInfo () at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderBlock.cpp:622 #9 0x0000000001e20cb4 in WebCore::RenderFlexibleBox::layoutHorizontalBox ( this=0x7fffe805f318, relayoutChildren=false) at /usr/local/google/chrome-webkit/src/third_party/WebKit/WebCore/rendering/RenderFlexibleBox.cpp:558 ... This crash happens because finishDelayUpdateScrollInfo() triggers layout of another flexible box and it calls startDelayUpdateScrollInfo(). This function modifies a global variable gDelayUpdateScrollInfoSet before finishDelayUpdateScrollInfo() finalize the global variable. This bug can be easily fixed by evacuating the global variable into local variable before we trigger other layouts. Chromium side: http://code.google.com/p/chromium/issues/detail?id=27085
Created attachment 44056 [details] Patch v1
style-queue ran check-webkit-style on attachment 44056 [details] without any errors.
Ping? I think this change is not so difficult to review because this is basically a fix for wrong ownership of obejcts, and not related to complex layout stuff. Thanks!
Comment on attachment 44056 [details] Patch v1 I suggest reducing the comment to one line: // updateScrollInfoAfterLayout() may modify gDelayedUpdateScrollInfoSet, so save a copy This idiom is common in WebKit so excessive explanation is not needed. Fix that and I'll gladly r+ this patch.
Thanks for the review. However, I've just noticed the almost identical change was done in Bug 32172... *** This bug has been marked as a duplicate of bug 32172 ***