Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(35)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 828163002: Don't check for layout in a canvas if it it's already needed (Closed)

Created:
5 years, 11 months ago by rhogan
Modified:
5 years, 11 months ago
CC:
blink-reviews, blink-reviews-rendering, Dominik Röttsches, eae+blinkwatch, jchaffraix+rendering, leviw+renderwatch, pdr+renderingwatchlist_chromium.org, zoltan1
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

Don't check for layout in a canvas if it it's already needed In this clusterfuzz test case a float is deleted but its entry in the floating objects list of a sibling renderer is accessed before layout has had time to remove reference to it. The read attempt pre-empts layout because the change in zoom factor prompts the canvas renderer to recompute its width/height to check if layout is required. If layout is already required this isn't necessary and, what's more, if layout is already required it may be because renderer(s) in its floating object list have been deleted and aren't safe to access while computing offset as part of the width calculations. So return early when the check for layout is unnecessary and may even crash. BUG=445285 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187935

Patch Set 1 #

Patch Set 2 : Updated #

Total comments: 3

Patch Set 3 : Updated #

Unified diffs Side-by-side diffs Delta from patch set Stats (+33 lines, -2 lines) Patch
A LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html View 1 2 1 chunk +24 lines, -0 lines 0 comments Download
A LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects-expected.txt View 1 2 1 chunk +5 lines, -0 lines 0 comments Download
M Source/core/rendering/RenderHTMLCanvas.cpp View 1 1 chunk +4 lines, -2 lines 0 comments Download

Messages

Total messages: 11 (4 generated)
rhogan
5 years, 11 months ago (2015-01-01 14:04:24 UTC) #2
inferno
I don't know this code well enough to review. added more reviewers.
5 years, 11 months ago (2015-01-05 06:34:47 UTC) #4
dsinclair
https://codereview.chromium.org/828163002/diff/20001/LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html File LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html (right): https://codereview.chromium.org/828163002/diff/20001/LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html#newcode14 LayoutTests/fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html:14: styleSheet0.insertRule('.container,.container,.container,.container{background-size:50; float:right; }',styleSheet0.cssRules.length); Do these need to be inserted, ...
5 years, 11 months ago (2015-01-05 14:58:18 UTC) #6
Julien - ping for review
lgtm. I would advise to shorten the description's width (it fits the 80 characters limit ...
5 years, 11 months ago (2015-01-06 11:36:13 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/828163002/40001
5 years, 11 months ago (2015-01-06 20:47:33 UTC) #9
commit-bot: I haz the power
Committed patchset #3 (id:40001) as https://src.chromium.org/viewvc/blink?view=rev&revision=187935
5 years, 11 months ago (2015-01-06 21:33:34 UTC) #10
Justin Novosad
5 years, 11 months ago (2015-01-07 17:08:44 UTC) #11
Message was sent while issue was closed. 
A revert of this CL (patchset #3 id:40001) has been created in
https://codereview.chromium.org/810943003/ by junov@chromium.org.

The reason for reverting is: Speculative revert for crashes on WinXP bots. See
crbug.com/446834
I will re-land if this does not fix the crashes..

Powered by Google App Engine
This is Rietveld 408576698