Question on line box tree, relevant to a crash on gmail (#162564)
Germain Garand
germain at ebooksfrance.org
Wed Jul 16 02:25:22 BST 2008
On Saturday 28 June 2008, Maksim Orlovich wrote:
> Hi... I've looked a bit at #162564, and I can see why it crashes, but I am
> a bit at loss about how it's intended to work/how to fix it. The
> redundancy between the two trees is quite confusing.
I have problems reproducing the gmail testcase... is that with the full
interface/ua spoofing?
>
> The crash scenario here is this:
> (1) RenderBlock::layoutInlineChildren is called with fullLayout set.
> (2) It calls dirtyInlineBoxes(fullLayout) on a RenderText kid, which in
> turn calls deleteInlineBoxes (since fullLayout is true)
> (3) that deletes all the box kids of the object, and sets the
> m_firstTextBox/m_lastTextBox of the RenderText to 0. However, the parent
> inline box is not touched at all.
> (4) Later on, layoutInlineChildren calls determineStartPosition. Since
> fullLayout is true, it walks over all the child rootboxes, and asks them to
> clean up. One of these has the kids of the RenderText, which are already
> deleted. Boom.
RenderBlock::layoutInlineChildren's cleanup is a fast cleanup: it doesn't try
to carefully remove the line boxes, or to climb to the parents, because it is
happening from the block level, so the inline boxes are supposed to be
parent-less (root). This should even be asserted somewhere.
Careful removal with consistency checks is for dom manipulations.
So, AFAICS, this crash indicates some inline rendering elements have been
moved directly to the root of a block without using the dom, and forgetting to
cleanup the lineboxes before. e.g. anonymous block cleanups, or other
pseudo-elements surgery.
I'll have a look as soon as I can reproduce this,
Germain
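As an added illustration of the ownership split the two messages above describe, here is a small C++ model. It is not KHTML code and not from either poster: the names `InlineBox`, `RenderText`, `deleteInlineBoxesWithoutDetach`, `deleteInlineBoxes` and `fastCleanupPrecondition` are assumptions chosen for the example, and the live-box registry is a constructed detection aid. The render object owns its text boxes while the parent (root) inline box only holds raw pointers to them; freeing the boxes without unlinking them leaves the root pointing at freed memory, which is exactly what a block-level "fast cleanup" that assumes parent-less, live children would then walk. The hardened variant detaches before destroying, and the precondition check stands in for the assertion the reply says should exist.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Hypothetical model, not KHTML's InlineBox/RenderText.
struct InlineBox;

// Constructed registry of live boxes, used only so the example can detect
// dangling pointers without dereferencing freed memory.
static std::set<const InlineBox*> g_liveBoxes;

struct InlineBox {
    InlineBox* parent = nullptr;
    std::vector<InlineBox*> children;  // non-owning, like the inline box tree

    InlineBox() { g_liveBoxes.insert(this); }
    ~InlineBox() { g_liveBoxes.erase(this); }

    void appendChild(InlineBox* child) {
        child->parent = this;
        children.push_back(child);
    }
    void removeChild(InlineBox* child) {
        children.erase(std::remove(children.begin(), children.end(), child), children.end());
        child->parent = nullptr;
    }
};

// Counts children of `root` that point at boxes no longer alive, i.e. the
// pointers a block-level fast cleanup would dereference after they were freed.
static int danglingChildren(const InlineBox& root) {
    int n = 0;
    for (const InlineBox* c : root.children)
        if (!g_liveBoxes.count(c)) ++n;
    return n;
}

struct RenderText {
    // Owning side; stands in for m_firstTextBox..m_lastTextBox.
    std::vector<std::unique_ptr<InlineBox>> textBoxes;

    InlineBox* createTextBox(InlineBox& parent) {
        textBoxes.emplace_back(new InlineBox());
        parent.appendChild(textBoxes.back().get());
        return textBoxes.back().get();
    }

    // The pattern from the crash report: the owner frees its boxes and resets
    // its own pointers, but the parent inline box still points at the children.
    void deleteInlineBoxesWithoutDetach() { textBoxes.clear(); }

    // Hardened variant: unlink each box from its parent before destroying it,
    // so no parent is left holding a dangling pointer.
    void deleteInlineBoxes() {
        for (auto& box : textBoxes)
            if (box->parent) box->parent->removeChild(box.get());
        textBoxes.clear();
    }
};

// Precondition of the fast cleanup: only parent-less roots whose children are
// all alive may be cleaned up this way. This is the assertion the reply asks for.
static bool fastCleanupPrecondition(const InlineBox& root) {
    return root.parent == nullptr && danglingChildren(root) == 0;
}

// Scenario 1: free without detaching; the root still references freed boxes.
int scenarioWithoutDetach() {
    InlineBox root;
    RenderText text;
    text.createTextBox(root);
    text.createTextBox(root);
    text.deleteInlineBoxesWithoutDetach();
    return danglingChildren(root);  // 2: a fast cleanup would walk freed memory
}

// Scenario 2: detach first; nothing dangles and the precondition holds.
int scenarioWithDetach() {
    InlineBox root;
    RenderText text;
    text.createTextBox(root);
    text.createTextBox(root);
    text.deleteInlineBoxes();
    assert(fastCleanupPrecondition(root));
    return danglingChildren(root);  // 0
}

int main() {
    std::printf("without detach: %d dangling, with detach: %d dangling\n",
                scenarioWithoutDetach(), scenarioWithDetach());
    return 0;
}
```

The registry only identifies pointers by address, so it is reliable here because nothing is allocated between the free and the check; in a real engine the equivalent is an assertion on the parent link at the point where the fast cleanup starts, which turns a silent use-after-free into an immediate, debuggable failure.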