RESOLVED FIXED 51270
A corrupted counter tree is created when renderers are added to the tree bypassing RenderObject::addChild 
https://bugs.webkit.org/show_bug.cgi?id=51270
Summary A corrupted counter tree is created when renderers are added to the tree bypa...
Carol Szabo
Reported 2010-12-17 12:12:51 PST
This is a followup for bug 43812. The patch provided for fixing 43812 did not address the real problem in that bug, which is described in the summary of this one: sometimes renderers that can potentially have counters attached are put in the renderer tree by using RenderObjectChildren::insert/appendChild, bypassing RenderObject::addChild. In this case the current code does not update those counters' position in the counter forrest appropriately resulting in a corrupt counter forrest. This corrupt forrest leads to wrong counter values, crashes, etc.
Attachments
Proposed Patch (4.23 KB, patch)
2010-12-17 12:48 PST, Carol Szabo 		no flags
DetailsFormatted DiffDiff
Proposed Patch (6.54 KB, patch)
2011-01-05 14:14 PST, Carol Szabo 		no flags
DetailsFormatted DiffDiff
Proposed patch. Fixed contributor name/e-mail in ChangeLog (6.51 KB, patch)
2011-01-06 14:38 PST, Carol Szabo 		no flags
DetailsFormatted DiffDiff
Proposed Patch - Updated to reflect recent WebCore code restructuring. (6.61 KB, patch)
2011-01-17 16:59 PST, Carol Szabo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Carol Szabo
Comment 1 2010-12-17 12:48:34 PST
Created attachment 76903 [details] Proposed Patch
WebKit Commit Bot
Comment 2 2010-12-17 13:39:43 PST
Comment on attachment 76903 [details] Proposed Patch Clearing flags on attachment: 76903 Committed r74292: <http://trac.webkit.org/changeset/74292>
WebKit Commit Bot
Comment 3 2010-12-17 13:39:48 PST
All reviewed patches have been landed. Closing bug.
Carol Szabo
Comment 4 2011-01-05 13:32:16 PST
My previous fix was reverted as it exposed other counter related problems such as the fact that sometimes renderers are moved around in the tree during removal of a renderer, causing a previously deleted counter to be recreated during the remove process. Thus I am reopening this bug in order to provide a more comprehensive fix.
Carol Szabo
Comment 5 2011-01-05 14:14:51 PST
Created attachment 78042 [details] Proposed Patch This patch restores changes in my previous patch and takes care of the additional case when Renderers are moved in the Render tree from one place to another, especially when this happens inside the RenderObject::remove() call.
Carol Szabo
Comment 6 2011-01-06 14:38:49 PST
Created attachment 78164 [details] Proposed patch. Fixed contributor name/e-mail in ChangeLog Fixed contributor name/e-mail in ChangeLog
Carol Szabo
Comment 7 2011-01-17 16:59:30 PST
Created attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring.
Dave Hyatt
Comment 8 2011-01-26 17:40:10 PST
Comment on attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring. r=me
WebKit Commit Bot
Comment 9 2011-01-27 16:14:34 PST
Comment on attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring. Clearing flags on attachment: 79230 Committed r76859: <http://trac.webkit.org/changeset/76859>
WebKit Commit Bot
Comment 10 2011-01-27 16:14:37 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.