[webkit-changes] [214159] branches/safari-603-branch

Sun, 19 Mar 2017 18:33:05 -0700

Title: [214159] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (214158 => 214159)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-03-20 01:32:24 UTC (rev 214158)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-03-20 01:32:27 UTC (rev 214159)
@@ -1,5 +1,20 @@
 2017-03-16  Jason Marcell  <jmarc...@apple.com>
 
+        Merge r214059. rdar://problem/31099341
+
+    2017-03-16  Zalan Bujtas  <za...@apple.com>
+
+            Stay inside the continuation while searching for a candidate ancestor for insertion.
+            https://bugs.webkit.org/show_bug.cgi?id=169768
+            <rdar://problem/30959936>
+
+            Reviewed by David Hyatt.
+
+            * fast/inline/continuation-crash-with-anon-ancestors-expected.txt: Added.
+            * fast/inline/continuation-crash-with-anon-ancestors.html: Added.
+
+2017-03-16  Jason Marcell  <jmarc...@apple.com>
+
         Merge r214023. rdar://problem/31091039
 
     2017-03-15  Zalan Bujtas  <za...@apple.com>

Added: branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors-expected.txt (0 => 214159)


--- branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors-expected.txt	2017-03-20 01:32:27 UTC (rev 214159)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+

Added: branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors.html (0 => 214159)


--- branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/inline/continuation-crash-with-anon-ancestors.html	2017-03-20 01:32:27 UTC (rev 214159)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests </title>
+<script>
+function swapElements(element1, element2) {
+    var parent1 = element1.parentElement;
+    var previousSibling1 = element1.previousSibling;
+    element2.parentElement.insertBefore(element1, element2);
+    parent1.insertBefore(element2, previousSibling1);
+}
+
+function runTest() {
+    var tr = document.createElement("tr");
+    div2.parentElement.insertBefore(tr, div2);
+    document.body.offsetHeight;
+    div1.style.display = "inline";
+    document.body.offsetHeight;
+    swapElements(div2, span1);
+    swapElements(tr, span2);
+    document.body.offsetHeight;
+}
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body _onload_="runTest()">
+PASS if no crash or assert.
+<span id=span1></span><span id=span2></span><span><body style="display: inline-table"><div id=div1></div><div id=div2></div>
+<body>
+</html>

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (214158 => 214159)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-03-20 01:32:24 UTC (rev 214158)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-03-20 01:32:27 UTC (rev 214159)
@@ -1,5 +1,22 @@
 2017-03-16  Jason Marcell  <jmarc...@apple.com>
 
+        Merge r214059. rdar://problem/31099341
+
+    2017-03-16  Zalan Bujtas  <za...@apple.com>
+
+            Stay inside the continuation while searching for a candidate ancestor for insertion.
+            https://bugs.webkit.org/show_bug.cgi?id=169768
+            <rdar://problem/30959936>
+
+            Reviewed by David Hyatt.
+
+            Test: fast/inline/continuation-crash-with-anon-ancestors.html
+
+            * rendering/RenderInline.cpp:
+            (WebCore::RenderInline::addChildToContinuation):
+
+2017-03-16  Jason Marcell  <jmarc...@apple.com>
+
         Merge r214023. rdar://problem/31091039
 
     2017-03-15  Zalan Bujtas  <za...@apple.com>

Modified: branches/safari-603-branch/Source/WebCore/rendering/RenderInline.cpp (214158 => 214159)


--- branches/safari-603-branch/Source/WebCore/rendering/RenderInline.cpp	2017-03-20 01:32:24 UTC (rev 214158)
+++ branches/safari-603-branch/Source/WebCore/rendering/RenderInline.cpp	2017-03-20 01:32:27 UTC (rev 214159)
@@ -622,7 +622,6 @@
     auto* flow = continuationBefore(beforeChild);
     // It may or may not be the direct parent of the beforeChild.
     RenderBoxModelObject* beforeChildAncestor = nullptr;
-    // In case of anonymous wrappers, the parent of the beforeChild is mostly irrelevant. What we need is the topmost wrapper.
     if (!beforeChild) {
         auto* continuation = nextContinuation(flow);
         beforeChildAncestor = continuation ? continuation : flow;
@@ -629,9 +628,14 @@
     } else if (canUseAsParentForContinuation(beforeChild->parent()))
         beforeChildAncestor = downcast<RenderBoxModelObject>(beforeChild->parent());
     else if (beforeChild->parent()) {
+        // In case of anonymous wrappers, the parent of the beforeChild is mostly irrelevant. What we need is the topmost wrapper.
         auto* parent = beforeChild->parent();
-        while (parent && parent->parent() && parent->parent()->isAnonymous())
+        while (parent && parent->parent() && parent->parent()->isAnonymous()) {
+            // The ancestor candidate needs to be inside the continuation.
+            if (parent->hasContinuation())
+                break;
             parent = parent->parent();
+        }
         ASSERT(parent && parent->parent());
         beforeChildAncestor = downcast<RenderBoxModelObject>(parent->parent());
     } else

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to