<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre, #msg p { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[28299] trunk</title>
</head>
<body>

<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/28299">28299</a></dd>
<dt>Author</dt> <dd>mitz@apple.com</dd>
<dt>Date</dt> <dd>2007-12-01 08:33:40 -0800 (Sat, 01 Dec 2007)</dd>
</dl>

<h3>Log Message</h3>
<pre>WebCore:

        Reviewed by Darin Adler.

        - fix &lt;rdar://problem/5619240&gt; REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)

        Test: fast/dynamic/subtree-common-root.html

        * page/FrameView.cpp:
        (WebCore::FrameView::layoutRoot): Added a parameter to let this method
        return the layout root for a pending layout as well.
        (WebCore::FrameView::scheduleRelayoutOfSubtree): Pass the new root
        to markContainingBlocksForLayout(). Otherwise,
        markContainingBlocksForLayout() could mark past the new root, if it had
        previously been marked as having a normal child needing layout and then
        was reached via a positioned child.
        * page/FrameView.h:
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::calcWidth):
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::~RenderObject): Fixed the ASSERT so that
        it would really catch deletion of the layout root.
        (WebCore::RenderObject::markContainingBlocksForLayout): Added the
        newRoot parameter, which tells this method where to stop marking.
        * rendering/RenderObject.h:

LayoutTests:

        Reviewed by Darin Adler.

        - test for &lt;rdar://problem/5619240&gt; REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)

        * fast/dynamic/subtree-common-root-expected.txt: Added.
        * fast/dynamic/subtree-common-root.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkWebCoreChangeLog">trunk/WebCore/ChangeLog</a></li>
<li><a href="#trunkWebCorepageFrameViewcpp">trunk/WebCore/page/FrameView.cpp</a></li>
<li><a href="#trunkWebCorepageFrameViewh">trunk/WebCore/page/FrameView.h</a></li>
<li><a href="#trunkWebCorerenderingRenderBoxcpp">trunk/WebCore/rendering/RenderBox.cpp</a></li>
<li><a href="#trunkWebCorerenderingRenderObjectcpp">trunk/WebCore/rendering/RenderObject.cpp</a></li>
<li><a href="#trunkWebCorerenderingRenderObjecth">trunk/WebCore/rendering/RenderObject.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastdynamicsubtreecommonrootexpectedtxt">trunk/LayoutTests/fast/dynamic/subtree-common-root-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastdynamicsubtreecommonroothtml">trunk/LayoutTests/fast/dynamic/subtree-common-root.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/LayoutTests/ChangeLog        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -1,3 +1,12 @@
</span><ins>+2007-12-01  Dan Bernstein  &lt;mitz@apple.com&gt;
+
+        Reviewed by Darin Adler.
+
+        - test for &lt;rdar://problem/5619240&gt; REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)
+
+        * fast/dynamic/subtree-common-root-expected.txt: Added.
+        * fast/dynamic/subtree-common-root.html: Added.
+
</ins><span class="cx"> 2007-11-30  Eric Seidel  &lt;eric@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Reviewed by darin.
</span></span></pre></div>
<a id="trunkLayoutTestsfastdynamicsubtreecommonrootexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/dynamic/subtree-common-root-expected.txt (0 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dynamic/subtree-common-root-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/dynamic/subtree-common-root-expected.txt        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+Test for rdar://problem/5619240 REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout).
</ins></span></pre></div>
<a id="trunkLayoutTestsfastdynamicsubtreecommonroothtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/dynamic/subtree-common-root.html (0 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dynamic/subtree-common-root.html                                (rev 0)
+++ trunk/LayoutTests/fast/dynamic/subtree-common-root.html        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;p&gt;
+    Test for &lt;i&gt;&lt;a href=&quot;rdar://problem/5619240&quot;&gt;rdar://problem/5619240&lt;/a&gt; REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)&lt;/i&gt;.
+&lt;/p&gt;
+&lt;div id=&quot;target&quot;&gt;
+    &lt;div style=&quot;overflow: hidden; width: 400px; height: 400px; position: relative;&quot;&gt;
+        &lt;div&gt;&lt;/div&gt;
+        &lt;div style=&quot;position: absolute; overflow: hidden; top: 0; width: 50px; height: 50px;&quot;&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;
+    &lt;/div&gt;
+&lt;/div&gt;
+&lt;script&gt;
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    document.body.offsetTop;
+    document.getElementById(&quot;target&quot;).style.display = &quot;none&quot;;
+&lt;/script&gt;
</ins></span></pre></div>
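Review bot: the script in subtree-common-root.html ends right after setting display to none on #target, so the layout that used to crash only runs implicitly, some time before the text dump. Reading document.body.offsetTop a second time after the style change would force that layout inside the script and make the regression deterministic. A short comment on why the absolutely positioned overflow: hidden child sits next to an empty normal-flow div would also help whoever maintains the test.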
<a id="trunkWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/ChangeLog (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/ChangeLog        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/ChangeLog        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -2,6 +2,32 @@
</span><span class="cx"> 
</span><span class="cx">         Reviewed by Darin Adler.
</span><span class="cx"> 
</span><ins>+        - fix &lt;rdar://problem/5619240&gt; REGRESSION (Leopard-r28069): Reproducible crash with a Mootools-based calendar picker (jump to null in FrameView::layout)
+
+        Test: fast/dynamic/subtree-common-root.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::layoutRoot): Added a parameter to let this method
+        return the layout root for a pending layout as well.
+        (WebCore::FrameView::scheduleRelayoutOfSubtree): Pass the new root
+        to markContainingBlocksForLayout(). Otherwise,
+        markContainingBlocksForLayout() could mark past the new root, if it had
+        previously been marked as having a normal child needing layout and then
+        was reached via a positioned child.
+        * page/FrameView.h:
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::calcWidth):
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::~RenderObject): Fixed the ASSERT so that
+        it would really catch deletion of the layout root.
+        (WebCore::RenderObject::markContainingBlocksForLayout): Added the
+        newRoot parameter, which tells this method where to stop marking.
+        * rendering/RenderObject.h:
+
+2007-12-01  Dan Bernstein  &lt;mitz@apple.com&gt;
+
+        Reviewed by Darin Adler.
+
</ins><span class="cx">         - fold FontStyle into TextRun
</span><span class="cx"> 
</span><span class="cx">         * WebCore.xcodeproj/project.pbxproj:
</span></span></pre></div>
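Review bot: the entry for (WebCore::RenderBox::calcWidth) has no description, and the ~RenderObject line does not mention the new documentBeingDestroyed() exemption. Suggest stating that calcWidth now passes true to layoutRoot() to keep the old result of 0 while a layout is pending, and that the ASSERT is skipped during document teardown.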
<a id="trunkWebCorepageFrameViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/page/FrameView.cpp (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/page/FrameView.cpp        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/page/FrameView.cpp        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -284,9 +284,9 @@
</span><span class="cx">     d-&gt;repaintRects.append(RenderObject::RepaintInfo(o, r));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-RenderObject* FrameView::layoutRoot() const
</del><ins>+RenderObject* FrameView::layoutRoot(bool onlyDuringLayout) const
</ins><span class="cx"> {
</span><del>-    return layoutPending() ? 0 : d-&gt;layoutRoot;
</del><ins>+    return onlyDuringLayout &amp;&amp; layoutPending() ? 0 : d-&gt;layoutRoot;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void FrameView::layout(bool allowSubtree)
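Review bot: the return expression in layoutRoot() mixes &amp;&amp; with ?: without parentheses. It parses as (onlyDuringLayout &amp;&amp; layoutPending()) ? 0 : d-&gt;layoutRoot, which is the intent, but explicit parentheses would spare the next reader the precedence check.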
</span><span class="lines">@@ -737,10 +737,10 @@
</span><span class="cx">         if (d-&gt;layoutRoot != o) {
</span><span class="cx">             if (isObjectAncestorContainerOf(d-&gt;layoutRoot, o)) {
</span><span class="cx">                 // Keep the current root
</span><del>-                o-&gt;markContainingBlocksForLayout(false);
</del><ins>+                o-&gt;markContainingBlocksForLayout(false, d-&gt;layoutRoot);
</ins><span class="cx">             } else if (d-&gt;layoutRoot &amp;&amp; isObjectAncestorContainerOf(o, d-&gt;layoutRoot)) {
</span><span class="cx">                 // Re-root at o
</span><del>-                d-&gt;layoutRoot-&gt;markContainingBlocksForLayout(false);
</del><ins>+                d-&gt;layoutRoot-&gt;markContainingBlocksForLayout(false, o);
</ins><span class="cx">                 d-&gt;layoutRoot = o;
</span><span class="cx">             } else {
</span><span class="cx">                 // Just do a full relayout
</span></span></pre></div>
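Review bot: the two markContainingBlocksForLayout() calls in scheduleRelayoutOfSubtree() now pass a stop point, but the comments beside them (Keep the current root, Re-root at o) still say nothing about why. A line noting that marking must not go past the root that will actually be laid out, as the ChangeLog explains, would keep the extra argument from being simplified away later.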
<a id="trunkWebCorepageFrameViewh"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/page/FrameView.h (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/page/FrameView.h        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/page/FrameView.h        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -76,7 +76,7 @@
</span><span class="cx">     void unscheduleRelayout();
</span><span class="cx">     bool layoutPending() const;
</span><span class="cx"> 
</span><del>-    RenderObject* layoutRoot() const;
</del><ins>+    RenderObject* layoutRoot(bool onlyDuringLayout = false) const;
</ins><span class="cx">     int layoutCount() const;
</span><span class="cx"> 
</span><span class="cx">     // These two helper functions just pass through to the RenderView.
</span></span></pre></div>
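Review bot: defaulting onlyDuringLayout to false in the layoutRoot() declaration changes what every existing zero-argument caller gets: the old method returned 0 while a layout was pending, the new default returns the stored root. Only calcWidth() is switched to layoutRoot(true) in this change, so the remaining callers should be audited, or the default dropped so that each call site has to choose.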
<a id="trunkWebCorerenderingRenderBoxcpp"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/rendering/RenderBox.cpp (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/rendering/RenderBox.cpp        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/rendering/RenderBox.cpp        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -1081,7 +1081,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // If layout is limited to a subtree, the subtree root's width does not change.
</span><del>-    if (node() &amp;&amp; view()-&gt;frameView() &amp;&amp; view()-&gt;frameView()-&gt;layoutRoot() == this)
</del><ins>+    if (node() &amp;&amp; view()-&gt;frameView() &amp;&amp; view()-&gt;frameView()-&gt;layoutRoot(true) == this)
</ins><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     // The parent box is flexing us, so it has increased or decreased our
</span></span></pre></div>
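Review bot: the bare true in layoutRoot(true) in calcWidth() does not tell the reader what is being asked for. A two-value enum, or at least a trailing comment naming onlyDuringLayout, would make the call self-explanatory.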
<a id="trunkWebCorerenderingRenderObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/rendering/RenderObject.cpp (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/rendering/RenderObject.cpp        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/rendering/RenderObject.cpp        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -201,7 +201,7 @@
</span><span class="cx"> 
</span><span class="cx"> RenderObject::~RenderObject()
</span><span class="cx"> {
</span><del>-    ASSERT(!node() || !document()-&gt;frame()-&gt;view() || document()-&gt;frame()-&gt;view()-&gt;layoutRoot() != this);
</del><ins>+    ASSERT(!node() || documentBeingDestroyed() || !document()-&gt;frame()-&gt;view() || document()-&gt;frame()-&gt;view()-&gt;layoutRoot() != this);
</ins><span class="cx"> #ifndef NDEBUG
</span><span class="cx">     --RenderObjectCounter::count;
</span><span class="cx"> #endif
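Review bot: the check in ~RenderObject() is an ASSERT, so release builds get no protection if a renderer that is still the FrameView's layout root is destroyed, and the view would be left holding a stale pointer. Consider resetting the layout root on that path in all builds. The new documentBeingDestroyed() exemption also deserves a one-line comment.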
</span><span class="lines">@@ -718,8 +718,10 @@
</span><span class="cx">            ;
</span><span class="cx"> }
</span><span class="cx">     
</span><del>-void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout)
</del><ins>+void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout, RenderObject* newRoot)
</ins><span class="cx"> {
</span><ins>+    ASSERT(!scheduleRelayout || !newRoot);
+
</ins><span class="cx">     RenderObject* o = container();
</span><span class="cx">     RenderObject* last = this;
</span><span class="cx"> 
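Review bot: ASSERT(!scheduleRelayout || !newRoot) at the top of markContainingBlocksForLayout() encodes a contract that is written down nowhere: newRoot may only be passed when scheduleRelayout is false. Say so in a comment here or at the declaration, with the reason.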
</span><span class="lines">@@ -736,6 +738,9 @@
</span><span class="cx">             o-&gt;m_normalChildNeedsLayout = true;
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        if (o == newRoot)
+            return;
+
</ins><span class="cx">         last = o;
</span><span class="cx">         if (scheduleRelayout &amp;&amp; objectIsRelayoutBoundary(last))
</span><span class="cx">             break;
</span></span></pre></div>
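Review bot: the new o == newRoot test only stops the walk if newRoot lies on this object's container chain; if a caller passes a root that does not, the loop marks all the way up with no signal. Both callers in FrameView.cpp check isObjectAncestorContainerOf() first, so an ASSERT after the loop that newRoot is null would document and enforce that assumption.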
<a id="trunkWebCorerenderingRenderObjecth"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/rendering/RenderObject.h (28298 => 28299)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/rendering/RenderObject.h        2007-12-01 16:28:57 UTC (rev 28298)
+++ trunk/WebCore/rendering/RenderObject.h        2007-12-01 16:33:40 UTC (rev 28299)
</span><span class="lines">@@ -377,7 +377,7 @@
</span><span class="cx">     RenderObject* hoverAncestor() const;
</span><span class="cx"> 
</span><span class="cx">     virtual void markAllDescendantsWithFloatsForLayout(RenderObject* floatToRemove = 0);
</span><del>-    void markContainingBlocksForLayout(bool scheduleRelayout = true);
</del><ins>+    void markContainingBlocksForLayout(bool scheduleRelayout = true, RenderObject* newRoot = 0);
</ins><span class="cx">     void setNeedsLayout(bool b, bool markParents = true);
</span><span class="cx">     void setChildNeedsLayout(bool b, bool markParents = true);
</span><span class="cx"> 
</span></span></pre>
</div>
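Review bot: with both parameters of markContainingBlocksForLayout() defaulted and the first one a bool, a call that passes only a RenderObject* compiles silently, the pointer converting to true for scheduleRelayout while newRoot stays 0. Splitting the stop-at-root variant into a separately named method that takes only the root would remove the reason to write such a call.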
</div>

</body>
</html>