Title: [226413] trunk
Revision
226413
Author
[email protected]
Date
2018-01-04 12:14:54 -0800 (Thu, 04 Jan 2018)

Log Message

WebContent process crashes while loading https://www.classicspecs.com
https://bugs.webkit.org/show_bug.cgi?id=181290
<rdar://problem/36225906>

Reviewed by Simon Fraser.

Source/WebCore:

Floats can overhang multiple blocks (they are called intruding floats).
Each block keeps track of such intruding floats. When an overhanging float box is destroyed,
we need to deregister it from all those blocks. We do it by walking up the ancestor block chain
and checking whether the parent (grandparent, etc.) block still contains this float. Once we find the topmost block,
we start deregistering it by traversing back on the descendant blocks.
Normally we do it in RenderElement::takeChildInternal right before the box is getting detached.
However, in certain cases (like when the float's parent happens to be an anonymous wrapper),
by the time we get to ::takeChildInternal the subtree is already detached and we can't access all the
ancestors.
This patch ensures that the floating box is still attached during de-registration.

Test: fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html

* rendering/RenderObject.cpp:
(WebCore::RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers):

LayoutTests:

* fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach-expected.txt: Added.
* fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (226412 => 226413)


--- trunk/LayoutTests/ChangeLog	2018-01-04 20:12:27 UTC (rev 226412)
+++ trunk/LayoutTests/ChangeLog	2018-01-04 20:14:54 UTC (rev 226413)
@@ -1,3 +1,14 @@
+2018-01-04  Zalan Bujtas  <[email protected]>
+
+        WebContent process crashes while loading https://www.classicspecs.com
+        https://bugs.webkit.org/show_bug.cgi?id=181290
+        <rdar://problem/36225906>
+
+        Reviewed by Simon Fraser.
+
+        * fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach-expected.txt: Added.
+        * fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html: Added.
+
 2018-01-04  Eric Carlson  <[email protected]>
 
         [MediaStream] Add Mock screen capture source

Added: trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach-expected.txt (0 => 226413)


--- trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach-expected.txt	2018-01-04 20:14:54 UTC (rev 226413)
@@ -0,0 +1,2 @@
+PASS if no crash.
+

Added: trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html (0 => 226413)


--- trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html	2018-01-04 20:14:54 UTC (rev 226413)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<div id=pparent><div id=cchild><span></span><div style="float: left; width: 10px; height: 10px;"></div><div></div></div><div></div></div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+pparent.removeChild(cchild);
+</script>
+</body>
+</html>
\ No newline at end of file
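Review bot: the file ends without a trailing newline (the "\ No newline at end of file" marker); add one to match the other layout tests. The script also resolves `pparent` and `cchild` through named window property access rather than `document.getElementById`, which works in WebKit but makes the repro less explicit. The forced layout via `document.body.offsetHeight` before `pparent.removeChild(cchild)` is the right ordering, since it ensures the float has been registered as intruding before the subtree is detached.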

Modified: trunk/Source/WebCore/ChangeLog (226412 => 226413)


--- trunk/Source/WebCore/ChangeLog	2018-01-04 20:12:27 UTC (rev 226412)
+++ trunk/Source/WebCore/ChangeLog	2018-01-04 20:14:54 UTC (rev 226413)
@@ -1,3 +1,27 @@
+2018-01-04  Zalan Bujtas  <[email protected]>
+
+        WebContent process crashes while loading https://www.classicspecs.com
+        https://bugs.webkit.org/show_bug.cgi?id=181290
+        <rdar://problem/36225906>
+
+        Reviewed by Simon Fraser.
+
+        Floats can overhang multiple blocks (they are called intruding floats).
+        Each block keeps track of such intruding floats. When an overhanging float box is destroyed,
+        we need to deregister it from all those blocks. We do it by walking up the ancestor block chain
+        and check if the parent (grandparent etc) block still contains this float. Once we find the topmost block, 
+        we start deregistering it by traversing back on the descendant blocks.
+        Normally we do it in RenderElement::takeChildInternal right before the box is getting detached.
+        However in certain cases (like when the float's parent happens to be an anonymous wrapper)
+        by the time we get to ::takeChildInternal the subtree is already detached and we can't access all the
+        ancestors.
+        This patch ensure that the floating box is still attached during de-registration. 
+
+        Test: fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html
+
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers):
+
 2018-01-04  Eric Carlson  <[email protected]>
 
         [MediaStream] Add Mock screen capture source
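Review bot: "This patch ensure that the floating box is still attached" should read "This patch ensures", and the lines ending "Once we find the topmost block, " and "during de-registration. " carry trailing whitespace; fix both before landing.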

Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (226412 => 226413)


--- trunk/Source/WebCore/rendering/RenderObject.cpp	2018-01-04 20:12:27 UTC (rev 226412)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp	2018-01-04 20:14:54 UTC (rev 226413)
@@ -1496,8 +1496,10 @@
         return;
     }
 
+    // Remove intruding floats from sibling blocks before detaching.
+    if (is<RenderBox>(*this) && isFloatingOrOutOfFlowPositioned())
+        downcast<RenderBox>(*this).removeFloatingOrPositionedChildFromBlockLists();
     auto& destroyRoot = findDestroyRootIncludingAnonymous(*this);
-
     if (is<RenderTableRow>(destroyRoot))
         downcast<RenderTableRow>(destroyRoot).collapseAndDestroyAnonymousSiblingRows();
 
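Review bot: the new comment says "Remove intruding floats from sibling blocks", but the ChangeLog describes deregistering the float from its ancestor (containing) block chain; reword the comment to match, and state why the call has to run before findDestroyRootIncludingAnonymous, since the ChangeLog says the subtree can already be detached by the time RenderElement::takeChildInternal runs when the parent is an anonymous wrapper. It would also help to note whether the existing deregistration in ::takeChildInternal is now a harmless no-op for this box, so the two paths cannot disagree. The dropped blank line after `auto& destroyRoot = findDestroyRootIncludingAnonymous(*this);` is an unrelated whitespace change.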