[webkit-reviews] review requested: [Bug 31574] Crashing bug when removing <ruby> in JavaScript : [Attachment 43341] patch - fix crash
bugzilla-daemon at webkit.org
Mon Nov 16 21:01:05 PST 2009
Roland Steiner <rolandsteiner at google.com> has asked for review:
Bug 31574: Crashing bug when removing <ruby> in JavaScript
https://bugs.webkit.org/show_bug.cgi?id=31574
Attachment 43341: patch - fix crash
https://bugs.webkit.org/attachment.cgi?id=43341&action=review
------- Additional Comments from Roland Steiner <rolandsteiner at google.com>
Cause of the bug:
1.) RenderBlock::destroy() of the RenderRubyRun called destroyLeftoverChildren()
2.) that called destroy() of the RenderRubyBase(), which in RenderObject::destroy() calls remove()
3.) remove() is being redirected as parent()->removeChild() in RenderObject.h
4.) this triggers the special handling of child removal in RenderRubyRun that causes it to destroy itself
5.) On returning from all this the renderer crashes when accessing a member or virtual function on this now illegal object.
I therefore added a flag that tracks if the ruby run is being destroyed. If so, avoid doing the special handling in removeChild that caused this. It's not the most elegant solution, but the easiest to implement without touching unrelated code. Also, it's self-documenting.
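The destroy()/removeChild() re-entrancy described in the report, and the effect of the "being destroyed" guard, modelled as an added stand-alone C++ example (not WebKit code; the Renderer class, its member names and the counters are constructed for illustration):

```cpp
#include <algorithm>
#include <vector>
// Constructed model of the report's destroy()/removeChild() re-entrancy.
// "Renderer" stands in for RenderRubyRun / RenderRubyBase; names are illustrative.
struct Renderer {
    Renderer* parent = nullptr;
    std::vector<Renderer*> children;
    bool useGuard;                 // false = behaviour before the fix
    bool beingDestroyed = false;   // the flag the patch adds (name assumed)
    int destroyCalls = 0;          // how often destroy() ran on this object
    explicit Renderer(bool guard) : useGuard(guard) {}
    void appendChild(Renderer* c) { c->parent = this; children.push_back(c); }
    void removeChild(Renderer* c) {
        children.erase(std::find(children.begin(), children.end(), c));
        c->parent = nullptr;
        // Special handling: when the last child leaves, the run destroys
        // itself. With the fix this is skipped while already destroying.
        if (children.empty() && !(useGuard && beingDestroyed))
            destroy();
    }
    // Mirrors RenderObject::destroy(): tear down children, then remove() ourselves
    // from the parent. Real code frees the object here; this model keeps it
    // alive so the re-entrant second call is counted instead of crashing.
    void destroy() {
        ++destroyCalls;
        beingDestroyed = true;
        destroyLeftoverChildren();
        if (parent) parent->removeChild(this);
    }
    void destroyLeftoverChildren() {
        while (!children.empty()) children.back()->destroy();
    }
};
// Destroying a run that still owns a base: 2 = destroy() re-entered the run
// (the bug), 1 = the guarded path.
int destroyCountForRun(bool guard) {
    Renderer run(guard), base(guard);
    run.appendChild(&base);
    run.destroy();
    return run.destroyCalls;
}
// Removing the last child from a live run must still self-destroy: 1 either way.
int destroyCountWhenChildRemoved(bool guard) {
    Renderer run(guard), base(guard);
    run.appendChild(&base);
    run.removeChild(&base);
    return run.destroyCalls;
}
```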