[Webkit-unassigned] [Bug 57897] Crash in WebCore::RenderMathMLSubSup::baselinePosition()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 5 16:53:22 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=57897





--- Comment #6 from Eric Seidel <eric at webkit.org>  2011-05-05 16:53:22 PST ---
(In reply to comment #5)
> (In reply to comment #3)
> > (From update of attachment 91738 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=91738&action=review
> > 
> > I don't feel like I have enough information to judge the correctness of this change.  More background/explaination would be helpful first.
> > 
> > > Source/WebCore/ChangeLog:11
> > > +        RenderMathMLBlock objects which are created as container objects
> > > +        are not removed from the render tree even after all of its
> > > +        children are removed due to the deletion of their corresponding
> > > +        DOM node.
> > 
> > Why aren't they removed?
> 
> In the existing implementation, whenever a new child render object is added to the MathML renderers (RenderMathMLSubSup, RenderMathMLUnderOver, RenderMathMLFraction, etc...) a RenderMathMLBlock is created as container block for the new child irrespective of the type of child render object. In many places, these children objects are accessed by firstChild()->firstChild() assuming that the container block should have at least one child, but when a child node of above said elements are removed by JS, then only the renderers corresponding to those elements are removed and not their containers.

OK.  These sound like anonymous blocks then.  So there exists no such thing as a <mathml:block> element (or whatever DOM element would correspond to these things?)

> > 
> > > Source/WebCore/ChangeLog:15
> > > +        This patch creates all the container RenderMathMLBlock objects
> > > +        as anonymous render objects and makes sure that they are removed
> > > +        from the render tree when all of their children renderers are removed.
> > 
> > Anonymous renderers generally mean you have no associated DOM node, and are used most often for when you need many renderers to a single DOM node to hold synthetic style, or to box inline children (when you have other box children), etc. Why should RenderMathMLBlocks be anonymous?
> >
> These RenderMathMLBlocks are created exactly for the same purpose and they shouldn't be associated with any DOM node. Currently they are associated with parent renderer's DOM node which is wrong I guess.

Yes, when you create a synthetic rendering object, it's supposed to be anonymous.  There are very few cases where more than one renderer will point to the same DOM node, I don't believe this should be one. :)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list