[Webkit-unassigned] [Bug 57897] Crash in WebCore::RenderMathMLSubSup::baselinePosition()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 5 16:50:25 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=57897





--- Comment #5 from Kulanthaivel Palanichamy <kulanthaivel at codeaurora.org>  2011-05-05 16:50:25 PST ---
(In reply to comment #3)
> (From update of attachment 91738 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=91738&action=review
> 
> I don't feel like I have enough information to judge the correctness of this change.  More background/explanation would be helpful first.
> 
> > Source/WebCore/ChangeLog:11
> > +        RenderMathMLBlock objects which are created as container objects
> > +        are not removed from the render tree even after all of its
> > +        children are removed due to the deletion of their corresponding
> > +        DOM node.
> 
> Why aren't they removed?

In the existing implementation, whenever a new child render object is added to the MathML renderers (RenderMathMLSubSup, RenderMathMLUnderOver, RenderMathMLFraction, etc.), a RenderMathMLBlock is created as a container block for the new child irrespective of the type of child render object. In many places, these child objects are accessed by firstChild()->firstChild(), assuming that the container block should have at least one child, but when a child node of the above-said elements is removed by JS, only the renderers corresponding to those elements are removed and not their containers.

> 
> > Source/WebCore/ChangeLog:15
> > +        This patch creates all the container RenderMathMLBlock objects
> > +        as anonymous render objects and makes sure that they are removed
> > +        from the render tree when all of their children renderers are removed.
> 
> Anonymous renderers generally mean you have no associated DOM node, and are used most often for when you need many renderers to a single DOM node to hold synthetic style, or to box inline children (when you have other box children), etc. Why should RenderMathMLBlocks be anonymous?
>
These RenderMathMLBlocks are created for exactly the same purpose and they shouldn't be associated with any DOM node. Currently they are associated with the parent renderer's DOM node, which is wrong, I guess.

> > Source/WebCore/ChangeLog:19
> > +        In connection to the changes for the issue mentioned above, I have
> > +        added null check in few places to avoid potential crashes while
> > +        accessing grandchild renderer objects.
> 
> Can we test those?
Well, the newly added test cases are meant for testing those changes initially. But after introducing the anonymous block change, the container MathML blocks are always getting removed, so they are no longer covered by the test. But I kept them to handle any empty MathML container blocks (just in case).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
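As an added illustration (constructed for this thread, not WebKit's code), a toy render tree showing why a container left behind after its only child is removed turns firstChild()->firstChild() into a null dereference, with the anonymous-container removal and the null check described in the patch modelled side by side. The names RenderObject, addMathMLChild, subsupAfterRemovingBase and baseRenderer are invented for this example.

```cpp
#include <memory>
#include <vector>

// Toy render tree modelling the bug in this thread (constructed example, not WebKit's code).
struct RenderObject {
    RenderObject* parent = nullptr;
    std::vector<std::unique_ptr<RenderObject>> children;
    bool isAnonymous = false;  // synthetic container with no DOM node of its own
    RenderObject* firstChild() const { return children.empty() ? nullptr : children.front().get(); }
    RenderObject* addChild(std::unique_ptr<RenderObject> child) {
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }
    // Destroys `child`. With removeEmptyAnonymous (the fix), an anonymous container
    // that just lost its last child is removed from its parent as well.
    void removeChild(RenderObject* child, bool removeEmptyAnonymous) {
        for (auto it = children.begin(); it != children.end(); ++it)
            if (it->get() == child) { children.erase(it); break; }
        if (removeEmptyAnonymous && isAnonymous && children.empty() && parent)
            parent->removeChild(this, true);  // destroys `this`; nothing may follow
    }
};

// MathML renderers wrap every new child in a RenderMathMLBlock-like container.
RenderObject* addMathMLChild(RenderObject& mathRenderer, std::unique_ptr<RenderObject> child) {
    auto container = std::make_unique<RenderObject>();
    container->isAnonymous = true;
    RenderObject* added = container->addChild(std::move(child));
    mathRenderer.addChild(std::move(container));
    return added;
}

// JS removes the DOM node of the base: its renderer goes away, but the
// container only goes with it when the fix is enabled.
std::unique_ptr<RenderObject> subsupAfterRemovingBase(bool fix) {
    auto subsup = std::make_unique<RenderObject>();
    RenderObject* base = addMathMLChild(*subsup, std::make_unique<RenderObject>());
    base->parent->removeChild(base, fix);
    return subsup;
}

// The crash condition behind firstChild()->firstChild(): the container is still
// present but empty, so the grandchild pointer the caller dereferences is null.
bool emptyContainerLeftBehind(bool fix) {
    auto subsup = subsupAfterRemovingBase(fix);
    RenderObject* c = subsup->firstChild();
    return c && !c->firstChild();
}

// Null-checked grandchild lookup, the guard the patch adds in a few places.
RenderObject* baseRenderer(const RenderObject& subsup) {
    RenderObject* c = subsup.firstChild();
    return c ? c->firstChild() : nullptr;
}
```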



More information about the webkit-unassigned mailing list