Skip to content

GitLab

T
tangled
Commit 5e701b76 authored by skobes@chromium.org's avatar skobes@chromium.org
Browse files
Options

Speculative fix for crash accessing a supercluster root. 

BUG=369485

Review URL: https://codereview.chromium.org/274463002

git-svn-id: svn://svn.chromium.org/blink/trunk@173584 bbb929c8-8fbe-4397-9dbb-9b2b20218538
parent 5353fa4c
Hide whitespace changes
Inline Side-by-side
Showing with 15 additions and 5 deletions
third_party/WebKit/Source/core/rendering/FastTextAutosizer.cpp
View file @ 5e701b76
...@@ -320,9 +320,17 @@ void FastTextAutosizer::destroy(const RenderBlock* block) ...@@ -320,9 +320,17 @@ void FastTextAutosizer::destroy(const RenderBlock* block)
{ {
if (!m_pageInfo.m_settingEnabled) if (!m_pageInfo.m_settingEnabled)
return; return;
ASSERT(!m_blocksThatHaveBegunLayout.contains(block)); ASSERT(!m_blocksThatHaveBegunLayout.contains(block));
m_fingerprintMapper.remove(block); if (m_fingerprintMapper.remove(block) && m_firstBlockToBeginLayout) {
// RenderBlock with a fingerprint was destroyed during layout.
// Clear the cluster stack and the supercluster map to avoid stale pointers.
// Speculative fix for http://crbug.com/369485.
m_firstBlockToBeginLayout = 0;
m_clusterStack.clear();
m_superclusters.clear();
}
} }
FastTextAutosizer::BeginLayoutBehavior FastTextAutosizer::prepareForLayout(const RenderBlock* block) FastTextAutosizer::BeginLayoutBehavior FastTextAutosizer::prepareForLayout(const RenderBlock* block)
...@@ -1060,15 +1068,15 @@ void FastTextAutosizer::FingerprintMapper::addTentativeClusterRoot(const RenderB ...@@ -1060,15 +1068,15 @@ void FastTextAutosizer::FingerprintMapper::addTentativeClusterRoot(const RenderB
#endif #endif
} }
void FastTextAutosizer::FingerprintMapper::remove(const RenderObject* renderer) bool FastTextAutosizer::FingerprintMapper::remove(const RenderObject* renderer)
{ {
Fingerprint fingerprint = m_fingerprints.take(renderer); Fingerprint fingerprint = m_fingerprints.take(renderer);
if (!fingerprint || !renderer->isRenderBlock()) if (!fingerprint || !renderer->isRenderBlock())
return; return false;
ReverseFingerprintMap::iterator blocksIter = m_blocksForFingerprint.find(fingerprint); ReverseFingerprintMap::iterator blocksIter = m_blocksForFingerprint.find(fingerprint);
if (blocksIter == m_blocksForFingerprint.end()) if (blocksIter == m_blocksForFingerprint.end())
return; return false;
BlockSet& blocks = *blocksIter->value; BlockSet& blocks = *blocksIter->value;
blocks.remove(toRenderBlock(renderer)); blocks.remove(toRenderBlock(renderer));
...@@ -1077,6 +1085,7 @@ void FastTextAutosizer::FingerprintMapper::remove(const RenderObject* renderer) ...@@ -1077,6 +1085,7 @@ void FastTextAutosizer::FingerprintMapper::remove(const RenderObject* renderer)
#ifndef NDEBUG #ifndef NDEBUG
assertMapsAreConsistent(); assertMapsAreConsistent();
#endif #endif
return true;
} }
FastTextAutosizer::Fingerprint FastTextAutosizer::FingerprintMapper::get(const RenderObject* renderer) FastTextAutosizer::Fingerprint FastTextAutosizer::FingerprintMapper::get(const RenderObject* renderer)
......
third_party/WebKit/Source/core/rendering/FastTextAutosizer.h
View file @ 5e701b76
...@@ -201,7 +201,8 @@ private: ...@@ -201,7 +201,8 @@ private:
public: public:
void add(const RenderObject*, Fingerprint); void add(const RenderObject*, Fingerprint);
void addTentativeClusterRoot(const RenderBlock*, Fingerprint); void addTentativeClusterRoot(const RenderBlock*, Fingerprint);
void remove(const RenderObject*); // Returns true if any BlockSet was modified or freed by the removal.
bool remove(const RenderObject*);
Fingerprint get(const RenderObject*); Fingerprint get(const RenderObject*);
BlockSet& getTentativeClusterRoots(Fingerprint); BlockSet& getTentativeClusterRoots(Fingerprint);
private: private:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment