[Webkit-unassigned] [Bug 23024] Crash beneath addOverhangingFloats() at trazi.appspot.com
bugzilla-daemon at webkit.org
Mon Jan 5 21:52:20 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=23024
------- Comment #6 from hclam at google.com 2009-01-05 21:52 PDT -------
Tracking the stack trace shows that RenderBlock::m_floatingObjects contains a
FloatingObject referencing a deleted RenderObject in
FloatingObject::m_renderer.
RenderObject::removeFromObjectList() should remove itself from the referencing
RenderBlock; the correct (trimmed) stack trace should be:
WebCore::RenderBlock::removeFloatingObject(WebCore::RenderObject * o=0x06cc5c94)
WebCore::RenderBlock::markAllDescendantsWithFloatsForLayout(WebCore::RenderObject * floatToRemove=0x06cc5c94)
WebCore::RenderObject::removeFromObjectLists()
However, RenderBlock::removeFloatingObject didn't get called from
RenderBlock::markAllDescendantsWithFloatsForLayout, the reason being that
child->isFloatingOrPositioned() is true for a child actually containing
floatToRemove: child->isPositioned() is true while floatToRemove is referenced
as a floating object in one of its descendants.
Tracing into how the RenderObject is referenced as a floating object in
RenderBlock shows the following (trimmed) stack trace:
WebCore::RenderBlock::addIntrudingFloats(WebCore::RenderBlock * prev=0x06fa3fec, int xoff=0, int yoff=0)
WebCore::RenderBlock::clearFloats()
WebCore::RenderBlock::layoutBlock(bool relayoutChildren=true)
WebCore::RenderBlock::layout()
Looking into RenderBlock::clearFloats shows that inserting into
m_floatingObjects is guarded when isFloatingOrPositioned() returns true. So
this is what happened:
1. RenderBlock::addIntrudingFloats adds the RenderObject to
RenderBlock::m_floatingObjects while isPositioned() = false
2. A javascript callback is invoked by WebCore::XMLHttpRequest that sets
position to absolute, i.e. isPositioned() = true for that particular object
3. Pressing the button triggers RenderObject::removeFromObjectList(), but the
object didn't get removed because isPositioned() for a RenderBlock that contains
it is true
4. A deleted floating object is referenced and it crashes
A feasible solution would be changing child->isFloatingOrPositioned() to
child->isFloating() inside RenderBlock::markAllDescendantsWithFloatsForLayout.
The change fixed the crash and didn't break layout tests; I don't know the
performance impact though.
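The four steps above describe a predicate mismatch: the float pointer is recorded under one condition (the block is neither floating nor positioned) and the removal pass skips subtrees under a broader one, so a block that becomes positioned between the two leaves a dangling pointer behind. The following is an added example, not WebKit code, that models the bug with a minimal Block type and contrasts the original skip test with the proposed isFloating() test; all names (Block, addIntrudingFloat, removeFloatFromDescendants, hasStaleReference, replayScenario) are constructed stand-ins for the WebKit functions named in the comment.

```cpp
#include <algorithm>
#include <vector>

// Constructed stand-in for the WebKit structures named in the comment (not
// WebKit code): a block owns child blocks and keeps raw pointers to the floats
// that intrude into it, like RenderBlock::m_floatingObjects.
struct Block {
    bool floating = false, positioned = false;
    std::vector<Block*> children, floatingObjects;
    bool isFloatingOrPositioned() const { return floating || positioned; }
};
// Stand-in for addIntrudingFloats: the pointer is recorded only while the
// block is neither floating nor positioned (the guard in clearFloats).
void addIntrudingFloat(Block& block, Block* f) {
    if (!block.isFloatingOrPositioned())
        block.floatingObjects.push_back(f);
}
// Stand-in for markAllDescendantsWithFloatsForLayout. With buggy == true the
// skip test is isFloatingOrPositioned(), so a child that became positioned after
// the float was recorded is never visited; the proposed fix skips on isFloating().
void removeFloatFromDescendants(Block& block, Block* f, bool buggy) {
    auto& v = block.floatingObjects;
    v.erase(std::remove(v.begin(), v.end(), f), v.end());
    for (Block* child : block.children) {
        bool skip = buggy ? child->isFloatingOrPositioned() : child->floating;
        if (!skip)
            removeFloatFromDescendants(*child, f, buggy);
    }
}
// True if any block in the subtree still points at f: the dangling reference
// that addOverhangingFloats would later dereference.
bool hasStaleReference(const Block& block, const Block* f) {
    for (const Block* p : block.floatingObjects) if (p == f) return true;
    for (const Block* c : block.children) if (hasStaleReference(*c, f)) return true;
    return false;
}
// Replays the four steps from the comment; returns whether a stale reference
// survives the removal pass (true is the crash precondition).
bool replayScenario(bool buggy) {
    Block root, mid, inner, fl;
    fl.floating = true;
    root.children.push_back(&mid);
    mid.children.push_back(&inner);
    addIntrudingFloat(inner, &fl);                // 1. recorded while mid is not positioned
    mid.positioned = true;                        // 2. script sets position:absolute
    removeFloatFromDescendants(root, &fl, buggy); // 3. removal pass before fl is destroyed
    return hasStaleReference(root, &fl);          // 4. leftover pointer => use-after-free
}
```

replayScenario(true) reproduces the stale pointer; replayScenario(false) shows the isFloating() test reaching the positioned child's descendant and clearing it.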