[webkit-changes] [WebKit/WebKit] 2536ef: [RenderTreeBuilder] Crash in WebCore::RenderLayer:...

Alan Baradlay noreply at github.com
Fri Jul 12 08:09:01 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2536ef8fa811eab723e31eb524a4840f742c1f3e
      https://github.com/WebKit/WebKit/commit/2536ef8fa811eab723e31eb524a4840f742c1f3e
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-07-12 (Fri, 12 Jul 2024)

  Changed paths:
    A LayoutTests/fast/multicol/continuation-inside-multicol-crash-expected.txt
    A LayoutTests/fast/multicol/continuation-inside-multicol-crash.html
    M Source/WebCore/rendering/updating/RenderTreeBuilder.cpp
    M Source/WebCore/rendering/updating/RenderTreeBuilder.h
    M Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp

  Log Message:
  -----------
  [RenderTreeBuilder] Crash in WebCore::RenderLayer::removeChild when continuation is present
https://bugs.webkit.org/show_bug.cgi?id=276523
<rdar://131405878>

Reviewed by Antti Koivisto.

When the to-be-destroyed renderer has an anonymous parent, destroyAndCleanUpAnonymousWrappers starts destroying the subtree from the parent instead.

e.g.
  RenderBlock (anonymous block container) <- destroy root
    RenderObject                          <- renderer to be destroyed

Now if the renderer is also part of a continuation

  RenderBlock (anonymous block container - PRE)    <- destroy root
    RenderObject                                   <- renderer to be destroyed
  RenderBlock (anonymous block container - MIDDLE)
  RenderBlock (anonymous block container - POST)
    ...
    RenderObject (unrelated sibling renderers in POST)

after destroying "renderer to be destroyed", we may decide to collapse the now empty PRE, MIDDLE and move the leftover renderers from POST to PRE.

  RenderBlock (anonymous block container - PRE)         <- destroy root
    RenderObject (unrelated sibling renderers in POST)

and since PRE is the destroy root, we eventually destroy it too now with the freshly added, unrelated renderers.

This patch adds anonymous destroy root context so that we can figure out when not to collapse sibling empty anonymous renderers.

* LayoutTests/fast/multicol/continuation-inside-multicol-crash-expected.txt: Added.
* LayoutTests/fast/multicol/continuation-inside-multicol-crash.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers):
* Source/WebCore/rendering/updating/RenderTreeBuilder.h:
* Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:
(WebCore::canMergeContiguousAnonymousBlocks):
(WebCore::RenderTreeBuilder::Block::detach):

Canonical link: https://commits.webkit.org/280907@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list