Regression(r131539): Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed
author    Allan Sandfeld Jensen <allan.jensen@digia.com>
          Thu, 28 Feb 2013 12:36:26 +0000 (13:36 +0100)
committer The Qt Project <gerrit-noreply@qt-project.org>
          Thu, 28 Feb 2013 14:16:43 +0000 (15:16 +0100)
commit    f9a60fb1ee03cb58339b8184ee78a8d14b436ae7
tree      7e8c90082083df7a52ca1f736bce49787d3cd468
parent    e1db432cd29971e7ae83e840558aab4eaf7a4442
Regression(r131539): Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed

https://bugs.webkit.org/show_bug.cgi?id=107189

Reviewed by Abhishek Arya.

Source/WebCore:

Test: fast/dynamic/continuation-detach-crash.html

This patch reverts r131539 and the following changes (r132591 and r139664).
This means we redo detaching from the bottom-up which solves the regression.
It fixes the attached test case as we re-attach child nodes before detaching
the parent. It seems wrong to do but this avoids a stale continuation.

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::detach): Detach the children first, then ourself.
* dom/Node.cpp:
(WebCore::Node::detach): Clear the renderer instead of ASSERT'ing.
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeDestroyed): Removed the code to clear the associated node's renderer.
(WebCore::RenderObject::destroyAndCleanupAnonymousWrappers):
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::removeChildNode):
Moved the repainting logic back into removeChildNode from destroyAndCleanupAnonymousWrappers.
(WebCore::RenderObjectChildList::destroyLeftoverChildren): Re-added the code to clear the associated node's
renderer.
* rendering/RenderTextFragment.cpp:
(WebCore::RenderTextFragment::setText): Re-added the code to set the associated node's renderer.

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::detach):
* dom/Node.cpp:
(WebCore::Node::detach):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeDestroyed):
(WebCore::RenderObject::destroyAndCleanupAnonymousWrappers):
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::destroyLeftoverChildren):
(WebCore::RenderObjectChildList::removeChildNode):
* rendering/RenderTextFragment.cpp:
(WebCore::RenderTextFragment::setText):

Change-Id: I5c4df1881f041ecd80180cb1638cd811d0972189
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142500 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Source/WebCore/dom/ContainerNode.cpp
Source/WebCore/dom/Node.cpp
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderObjectChildList.cpp
Source/WebCore/rendering/RenderTextFragment.cpp