Issue 2150933002: Fix crash when removing contents from a document having multiple bodies

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 2150933002: Fix crash when removing contents from a document having multiple bodies (Closed)

Created:
4 years, 5 months ago by Xianzhu

Modified:
4 years, 5 months ago

Reviewers:

CC:
chromium-reviews, krit, szager+layoutwatch_chromium.org, drott+blinkwatch_chromium.org, Rik, zoltan1, blink-reviews-platform-graphics_chromium.org, ajuma+watch_chromium.org, blink-reviews-layout_chromium.org, pdr+renderingwatchlist_chromium.org, eae+blinkwatch, leviw+renderwatch, Justin Novosad, jbroman, pdr+graphicswatchlist_chromium.org, f(malita), jchaffraix+rendering, blink-reviews, Stephen Chennney, dshwang, danakj+watch_chromium.org, rwlbuis

Base URL:
https://chromium.googlesource.com/chromium/src.git@2785

Target Ref:
refs/pending/branch-heads/2785

Project:
chromium

Visibility:
Public.

More Reviews

Description

Fix crash when removing contents from a document having multiple bodies Removed the early return under condition 'isBody()' from LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the painting layer and body object are invalidated. BTW fixed issues of DisplayItemClient aliveness checking which made it not actually work for subsequences. (If we didn't have the issues, we should have caught this bug through aliveness-checking.) Still not sure if we could have more reduced test. For the test, removing anything from the test would make the test not reproducing the bug. A normal removal of <body> couldn't reproduce the bug because we will invalidate the painting layer in other paths (e.g. layout triggered invalidation, etc.). BUG=626182 Review-Url: https://codereview.chromium.org/2133603002 Cr-Commit-Position: refs/heads/master@{#404552}

Patch Set 1 #

Created: 4 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+34 lines, -8 lines)			Patch
A	third_party/WebKit/LayoutTests/paint/invalidation/multiple-body-remove-selection-crash.html	View	1 chunk	+27 lines, -0 lines	0 comments	Download
A +	third_party/WebKit/LayoutTests/paint/invalidation/multiple-body-remove-selection-crash-expected.txt	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
M	third_party/WebKit/Source/core/frame/FrameView.cpp	View	1 chunk	+0 lines, -4 lines	0 comments	Download
M	third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp	View	1 chunk	+1 line, -3 lines	0 comments	Download
M	third_party/WebKit/Source/core/layout/LayoutScrollbarPart.cpp	View	1 chunk	+5 lines, -0 lines	0 comments	Download
M	third_party/WebKit/Source/platform/graphics/paint/DisplayItemClient.cpp	View	2 chunks	+2 lines, -2 lines	0 comments	Download

Messages

Total messages: 1 (0 generated)

Expand Messages | Collapse Messages

Xianzhu

4 years, 5 months ago (2016-07-14 16:36:30 UTC) #1

Message was sent while issue was closed.

Committed patchset #1 (id:1) to pending queue manually as
0cc71100558e3ab2a888ac1361b83689ecc9ac9d.

Expand Messages | Collapse Messages