[Webkit-unassigned] [Bug 64286] REGRESSION (r85964): Relayout causes crash with some nested elements (input)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 20 11:24:56 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=64286





--- Comment #5 from Daniel Bates <dbates at webkit.org>  2011-07-20 11:24:55 PST ---
Here are some additional remarks from debugging:

Consider the following variant of the test case (attachment #100308):
<body onmousedown="document.getElementById('hideMe').style.setProperty('display', 'none');">
    <div id="firstDiv" style="position:absolute">
        <span style="position:relative">
            this_is_text
            <div id="secondDiv" style="position:absolute">
                <input id="hideMe"/>
            </div>
        </span>
    </div>
</body>

On mouse down eventually RenderObject::markContainingBlocksForLayout(scheduleRelayout = True, newRoot = 0) is called for <input id="hideMe"/>. At the start of the while-loop, last = <input id="hideMe"/>, o = <div id="secondDiv">, and container = <span>. At the end of first iteration, last = <div id="secondDiv">, o = <span> and container = <div id="firstDiv">.

With <http://trac.webkit.org/changeset/85964> (bug #60390) we continue as follows:

On the next iteration, (*) "last->isText() && (last->style()->position() == FixedPosition || last->style()->position() == AbsolutePosition)" (http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderObject.h?rev=91178#L1020) evaluates to true since <div id="secondDiv"> isn't text and is absolutely positioned. Because o = <span> and !o->isRenderBlock() evaluates to true we skip this inline and ultimately set o to point to its enclosing containing block, <div id="firstDiv">. We then set the m_posChildNeedsLayout bit on <div id="firstDiv"> (**) among other things. Notice, we didn't update variable container. We then finish the iteration of this while loop with setting last = o = <div id="firstDiv"> and o = container = <div id="firstDiv">. On the next iteration, container = RenderView, and (*) evaluates to true. Because of (**) we return from the function.

Without <http://trac.webkit.org/changeset/85964> we continue as follows:

Because of (*) we set the m_posChildNeedsLayout bit on <span> among other things. At the start of the next iteration we have:

last = <span>, o = <div id="firstDiv">, container = RenderView

And at the start of the next iteration we have:

last = <div id="firstDiv", o = RenderView, container = 0

At the end of this iteration we have:

last = RenderView, o = 0 (zero)

So we exit the while-loop at the start of the next iteration since the while-loop condition isn't satisfied.
Because scheduleRelayout = true, we call RenderObject::scheduleRelayout() on last = RenderView.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list