Title: [250224] releases/WebKitGTK/webkit-2.26
- Revision: 250224
- Author: carlo...@webkit.org
- Date: 2019-09-23 03:14:41 -0700 (Mon, 23 Sep 2019)
Log Message
Merge r249954 - [First-letter] Use WeakPtr for the first-letter insertion point.
https://bugs.webkit.org/show_bug.cgi?id=201842
<rdar://problem/51373788>
Reviewed by Antti Koivisto.
Source/WebCore:
The about-to-be-removed first letter renderer's sibling could potentially be destroyed too as the result of the anonymous subtree collapsing logic (when the next sibling is a generated anonymous block and it is not needed anymore).
Test: fast/text/first-letter-with-columns-crash.html
* rendering/updating/RenderTreeBuilderFirstLetter.cpp:
(WebCore::RenderTreeBuilder::FirstLetter::updateStyle):
LayoutTests:
* fast/text/first-letter-with-columns-crash-expected.txt: Added.
* fast/text/first-letter-with-columns-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.26/LayoutTests/ChangeLog (250223 => 250224)
--- releases/WebKitGTK/webkit-2.26/LayoutTests/ChangeLog 2019-09-23 10:14:36 UTC (rev 250223)
+++ releases/WebKitGTK/webkit-2.26/LayoutTests/ChangeLog 2019-09-23 10:14:41 UTC (rev 250224)
@@ -1,3 +1,14 @@
+2019-09-17 Zalan Bujtas <za...@apple.com>
+
+ [First-letter] Use WeakPtr for the first-letter insertion point.
+ https://bugs.webkit.org/show_bug.cgi?id=201842
+ <rdar://problem/51373788>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/text/first-letter-with-columns-crash-expected.txt: Added.
+ * fast/text/first-letter-with-columns-crash.html: Added.
+
2019-09-03 Devin Rousso <drou...@apple.com>
REGRESSION (r249078): Flaky crash in com.apple._javascript_Core: Inspector::InjectedScriptModule::ensureInjected
Added: releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash-expected.txt (0 => 250224)
--- releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash-expected.txt 2019-09-23 10:14:41 UTC (rev 250224)
@@ -0,0 +1 @@
+First letter -PASS if no crash.
Added: releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash.html (0 => 250224)
--- releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.26/LayoutTests/fast/text/first-letter-with-columns-crash.html 2019-09-23 10:14:41 UTC (rev 250224)
@@ -0,0 +1,23 @@
+<style>
+:first-letter {
+ float: right;
+ content: url()
+}
+
+body {
+ columns: 2;
+}
+</style>
+<body>First letter -PASS if no crash.<span id=outer><span id=inner>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+outer.addEventListener("DOMSubtreeModified", function() {
+ document.execCommand(false);
+ document.body.style.setProperty("-webkit-columns","initial");
+ inner.setAttribute("foobar","");
+ document.body.style.setProperty("-webkit-writing-mode","vertical-lr");
+
+});
+outer.setAttribute("foobar","");
+</script>
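Review bot: the DOMSubtreeModified handler has no comment saying which of its four calls is needed to reach the crash, so a reader cannot tell what document.execCommand(false) or the empty content: url() rule contribute. A short comment naming the step that drops the columns (and with it the anonymous block next to the first-letter renderer, as the ChangeLog describes) would make the test easier to maintain. Since the expected output is only "PASS if no crash", it also helps to state in the test that the absence of a crash is the whole assertion.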
Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog (250223 => 250224)
--- releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog 2019-09-23 10:14:36 UTC (rev 250223)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog 2019-09-23 10:14:41 UTC (rev 250224)
@@ -1,3 +1,18 @@
+2019-09-17 Zalan Bujtas <za...@apple.com>
+
+ [First-letter] Use WeakPtr for the first-letter insertion point.
+ https://bugs.webkit.org/show_bug.cgi?id=201842
+ <rdar://problem/51373788>
+
+ Reviewed by Antti Koivisto.
+
+ The about-to-be-removed first letter renderer's sibling could potentially be destroyed too as the result of the anonymous subtree collapsing logic (when the next sibling is a generated anonymous block and it is not needed anymore.)
+
+ Test: fast/text/first-letter-with-columns-crash.html
+
+ * rendering/updating/RenderTreeBuilderFirstLetter.cpp:
+ (WebCore::RenderTreeBuilder::FirstLetter::updateStyle):
+
2019-09-13 Chris Dumez <cdu...@apple.com>
Crash under WebCore::firstPositionInNode()
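Review bot: the per-function entry (WebCore::RenderTreeBuilder::FirstLetter::updateStyle): is left empty. The paragraph above explains why the sibling can go away, but not what the function now does about it; one line there saying that the insertion point is held weakly across the destroy call, and what happens when it is gone, would complete the entry.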
Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp (250223 => 250224)
--- releases/WebKitGTK/webkit-2.26/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp 2019-09-23 10:14:36 UTC (rev 250223)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp 2019-09-23 10:14:41 UTC (rev 250224)
@@ -185,7 +185,6 @@
m_builder.attach(*newFirstLetter, WTFMove(toMove));
}
- RenderObject* nextSibling = firstLetter->nextSibling();
if (RenderTextFragment* remainingText = downcast<RenderBoxModelObject>(*firstLetter).firstLetterRemainingText()) {
ASSERT(remainingText->isAnonymous() || remainingText->textNode()->renderer() == remainingText);
// Replace the old renderer with the new one.
@@ -192,8 +191,9 @@
remainingText->setFirstLetter(*newFirstLetter);
newFirstLetter->setFirstLetterRemainingText(*remainingText);
}
+ WeakPtr<RenderObject> nextSibling = makeWeakPtr(firstLetter->nextSibling());
m_builder.destroy(*firstLetter);
- m_builder.attach(*firstLetterContainer, WTFMove(newFirstLetter), nextSibling);
+ m_builder.attach(*firstLetterContainer, WTFMove(newFirstLetter), nextSibling.get());
return;
}
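Review bot: at the attach call, nextSibling.get() can now be null when m_builder.destroy(*firstLetter) also collapsed the sibling, and nothing here says where newFirstLetter should land in that case. If a null third argument makes attach append, the new first letter goes to the end of firstLetterContainer, which may not be the position the old one occupied; a comment or an explicit fallback would settle it. The same destroy call is followed by a dereference of firstLetterContainer, so it is worth confirming or asserting that the collapsing logic can never remove the container itself, unless it is already tracked weakly outside the lines shown.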