Title: [284871] trunk
Revision: 284871
Author: commit-qu...@webkit.org
Date: 2021-10-26 09:00:24 -0700 (Tue, 26 Oct 2021)

Log Message

ASSERT(parent->element()) triggered in Styleable::fromRenderer
https://bugs.webkit.org/show_bug.cgi?id=232185

Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-10-26
Reviewed by Tim Nguyen and Antti Koivisto.

Source/WebCore:

The marker renderer can be set as a child of RenderMultiColumnFlowThread
instead of RenderListItem in some instances. RenderMultiColumnFlowThread is
an anonymous box and doesn't have an associated element, so we instead should
loop through the parents until we find the RenderListItem which does have an
associated element.

Test: fast/animation/css-animation-marker-crash.html

* style/Styleable.cpp:
(WebCore::Styleable::fromRenderer):

LayoutTests:

* fast/animation/css-animation-marker-crash-expected.txt: Added.
* fast/animation/css-animation-marker-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (284870 => 284871)


--- trunk/LayoutTests/ChangeLog	2021-10-26 15:55:48 UTC (rev 284870)
+++ trunk/LayoutTests/ChangeLog	2021-10-26 16:00:24 UTC (rev 284871)
@@ -1,3 +1,13 @@
+2021-10-26  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        ASSERT(parent->element()) triggered in Styleable::fromRenderer
+        https://bugs.webkit.org/show_bug.cgi?id=232185
+
+        Reviewed by Tim Nguyen and Antti Koivisto.
+
+        * fast/animation/css-animation-marker-crash-expected.txt: Added.
+        * fast/animation/css-animation-marker-crash.html: Added.
+
 2021-10-26  Martin Robinson  <mrobin...@webkit.org>
 
         Update import of css/css-transform WPT tests

Added: trunk/LayoutTests/fast/animation/css-animation-marker-crash-expected.txt (0 => 284871)


--- trunk/LayoutTests/fast/animation/css-animation-marker-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/animation/css-animation-marker-crash-expected.txt	2021-10-26 16:00:24 UTC (rev 284871)
@@ -0,0 +1 @@
+PASS if this doesn't crash

Added: trunk/LayoutTests/fast/animation/css-animation-marker-crash.html (0 => 284871)


--- trunk/LayoutTests/fast/animation/css-animation-marker-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/animation/css-animation-marker-crash.html	2021-10-26 16:00:24 UTC (rev 284871)
@@ -0,0 +1,19 @@
+<style>
+  @keyframes a0 {
+    from {
+      opacity: 0;
+    }
+  }
+  ::marker {
+    animation-name: a0;
+    animation-duration: 1ms;
+  }
+  li {
+    columns: 3;
+  }
+</style>
+<li>PASS if this doesn't crash</li>
+<script>
+  if (window.testRunner)
+      testRunner.dumpAsText(); 
+</script>
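Review bot: nothing in the added test says why `columns: 3` on the `li` matters, so a later cleanup could drop that rule and leave a test that still passes but no longer exercises the case from the log message, where the marker renderer ends up under the anonymous RenderMultiColumnFlowThread. A one-line comment or a `<title>` naming the bug would tie the rule to the crash. The `testRunner.dumpAsText(); ` line also carries trailing whitespace.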

Modified: trunk/Source/WebCore/ChangeLog (284870 => 284871)


--- trunk/Source/WebCore/ChangeLog	2021-10-26 15:55:48 UTC (rev 284870)
+++ trunk/Source/WebCore/ChangeLog	2021-10-26 16:00:24 UTC (rev 284871)
@@ -1,3 +1,21 @@
+2021-10-26  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        ASSERT(parent->element()) triggered in Styleable::fromRenderer
+        https://bugs.webkit.org/show_bug.cgi?id=232185
+
+        Reviewed by Tim Nguyen and Antti Koivisto.
+
+        The marker renderer can be set as a child of RenderMultiColumnFlowThread
+        instead of RenderListItem in some instances. RenderMultiColumnFlowThread is
+        an anonymous box and doesn't have an associated element, so we instead should
+        loop through the parents until we find the RenderListItem which does have an
+        associated element.
+
+        Test: fast/animation/css-animation-marker-crash.html
+
+        * style/Styleable.cpp:
+        (WebCore::Styleable::fromRenderer):
+
 2021-10-26  Philippe Normand  <pnorm...@igalia.com>
 
         REGRESSION(242280@main) fast/mediastream/captureStream/canvas3d.html is timing out

Modified: trunk/Source/WebCore/style/Styleable.cpp (284870 => 284871)


--- trunk/Source/WebCore/style/Styleable.cpp	2021-10-26 15:55:48 UTC (rev 284870)
+++ trunk/Source/WebCore/style/Styleable.cpp	2021-10-26 16:00:24 UTC (rev 284871)
@@ -61,11 +61,12 @@
         }
         break;
     case PseudoId::Marker:
-        if (auto* parent = renderer.parent()) {
-            ASSERT(parent->element());
-            ASSERT(is<RenderListItem>(parent));
-            ASSERT(downcast<RenderListItem>(*parent).markerRenderer() == &renderer);
-            return Styleable(*parent->element(), PseudoId::Marker);
+        if (auto* ancestor = renderer.parent()) {
+            while (ancestor && !ancestor->element())
+                ancestor = ancestor->parent();
+            ASSERT(is<RenderListItem>(ancestor));
+            ASSERT(downcast<RenderListItem>(ancestor)->markerRenderer() == &renderer);
+            return Styleable(*ancestor->element(), PseudoId::Marker);
         }
         break;
     case PseudoId::After:
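Review bot: the loop `while (ancestor && !ancestor->element())` can exit with `ancestor` null when no renderer up the chain has an element, and the next unconditional use, `return Styleable(*ancestor->element(), PseudoId::Marker);`, then dereferences a null pointer. The two `ASSERT` lines are compiled out of release builds, so they neither catch that case nor enforce that the first ancestor with an element really is the RenderListItem. Consider checking `ancestor` after the loop and falling through to `break` when it is null, or walking up until `is<RenderListItem>(ancestor)` holds so the returned element is the list item's by construction rather than by assertion.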