Title: [207683] trunk
Revision: 207683
Author: za...@apple.com
Date: 2016-10-21 10:39:17 -0700 (Fri, 21 Oct 2016)

Log Message

Do not mutate the render tree while collecting selection repaint rects.
https://bugs.webkit.org/show_bug.cgi?id=163800
<rdar://problem/28806886>

Reviewed by David Hyatt.

Source/WebCore:

RenderListItem not only mutates the tree while in layout but it also uses
the old descendant context to find the insertion point.
This patch strictly ensures that we only do it while in layout and never
in other cases such as collecting repaint rects.
This gets redundant when webkit.org/b/163789 is fixed.

Test: fast/lists/crash-when-list-marker-is-moved-during-selection.html

* rendering/RenderListItem.cpp:
(WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):

LayoutTests:

* fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt: Added.
* fast/lists/crash-when-list-marker-is-moved-during-selection.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (207682 => 207683)


--- trunk/LayoutTests/ChangeLog	2016-10-21 17:23:57 UTC (rev 207682)
+++ trunk/LayoutTests/ChangeLog	2016-10-21 17:39:17 UTC (rev 207683)
@@ -1,3 +1,14 @@
+2016-10-21  Zalan Bujtas  <za...@apple.com>
+
+        Do not mutate the render tree while collecting selection repaint rects.
+        https://bugs.webkit.org/show_bug.cgi?id=163800
+        <rdar://problem/28806886>
+
+        Reviewed by David Hyatt.
+
+        * fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt: Added.
+        * fast/lists/crash-when-list-marker-is-moved-during-selection.html: Added.
+
 2016-10-21  Miguel Gomez  <mago...@igalia.com>
 
         [GTK] Unreviewed gardening: update expectations after r207664

Added: trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt (0 => 207683)


--- trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt	2016-10-21 17:39:17 UTC (rev 207683)
@@ -0,0 +1,2 @@
+Pass if no crash or assert.
+

Added: trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html (0 => 207683)


--- trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html	2016-10-21 17:39:17 UTC (rev 207683)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't mutate the render tree during selection.</title>
+<style>
+  body {
+    column-count: 2;
+  }
+</style>
+<script>
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+  }
+  
+  function runTest() {
+    setTimeout(function() {
+      li.style.webkitWritingMode = "horizontal-tb";
+      innerSpan.style.display = "list-item";
+      mostInnerSpan.style.display = "list-item";
+      document.getSelection().setBaseAndExtent(container, 0, document.body, document.body.childNodes.length);
+      if (window.testRunner)
+        testRunner.notifyDone();
+    }, 0);
+  }
+</script>
+</head>
+<body _onload_=runTest()>
+Pass if no crash or assert.
+<div id="container" style="-webkit-writing-mode: vertical-rl"><table><tr><td><li id="li"><span id="innerSpan"><span id="mostInnerSpan"></span></span></li></tr></td></table>
+</body>
+</html>
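Review bot: the body tag in this hunk reads `<body _onload_=runTest()>`, so as shown no `load` handler is attached, `runTest` never runs and `testRunner.notifyDone()` is never called; if the underscores are an artifact of the list archive mangling the `onload` attribute this is fine, otherwise it should be `<body onload="runTest()">`. Two smaller points: the container markup closes with `</tr></td>` (reversed nesting) and places `<li>` directly inside `<td>`, which looks like a reduced fuzzer case, and a one-line comment saying so would stop a future cleanup from "fixing" the markup and losing the repro; and the script reaches `li`, `innerSpan`, `mostInnerSpan` and `container` through named window properties, which works in WebKit but `document.getElementById` would make the dependency explicit.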

Modified: trunk/Source/WebCore/ChangeLog (207682 => 207683)


--- trunk/Source/WebCore/ChangeLog	2016-10-21 17:23:57 UTC (rev 207682)
+++ trunk/Source/WebCore/ChangeLog	2016-10-21 17:39:17 UTC (rev 207683)
@@ -1,3 +1,22 @@
+2016-10-21  Zalan Bujtas  <za...@apple.com>
+
+        Do not mutate the render tree while collecting selection repaint rects.
+        https://bugs.webkit.org/show_bug.cgi?id=163800
+        <rdar://problem/28806886>
+
+        Reviewed by David Hyatt.
+
+        RenderListItem not only mutates the tree while in layout but it also uses
+        the old descendant context to find the insertion point.
+        This patch strictly ensures that we only do it while in layout and never
+        in other cases such as collecting repaint rects.
+        This gets redundant when webkit.org/b/163789 is fixed.
+
+        Test: fast/lists/crash-when-list-marker-is-moved-during-selection.html
+
+        * rendering/RenderListItem.cpp:
+        (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
+
 2016-10-21  Dave Hyatt  <hy...@apple.com>
 
         [CSS Parser] Support horizontal-bt writing mode

Modified: trunk/Source/WebCore/rendering/RenderListItem.cpp (207682 => 207683)


--- trunk/Source/WebCore/rendering/RenderListItem.cpp	2016-10-21 17:23:57 UTC (rev 207682)
+++ trunk/Source/WebCore/rendering/RenderListItem.cpp	2016-10-21 17:39:17 UTC (rev 207683)
@@ -268,6 +268,11 @@
     if (!m_marker)
         return;
 
+    // FIXME: Do not even try reposition the marker when we are not in layout
+    // until after we fixed webkit.org/b/163789.
+    if (!view().frameView().isInRenderTreeLayout())
+        return;
+
     RenderElement* currentParent = m_marker->parent();
     RenderBlock* newParent = getParentOfFirstLineBox(*this, *m_marker);
     if (!newParent) {
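Review bot: the new early return in `insertOrMoveMarkerRendererIfNeeded` skips marker repositioning for every caller that is not inside render tree layout, not only the selection repaint-rect path named in the ChangeLog, so any non-layout caller that previously relied on the marker being moved now silently keeps the stale parent; since the FIXME marks this as a stopgap until webkit.org/b/163789, it would help the follow-up to note in the comment (or assert) which non-layout callers are expected to hit this path. The comment text also needs a grammar fix: "Do not even try to reposition the marker when we are not in layout until webkit.org/b/163789 is fixed."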
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes