[webkit-changes] [167718] trunk

Wed, 23 Apr 2014 11:56:46 -0700

Title: [167718] trunk
Revision
167718
Author
hy...@apple.com
Date
2014-04-23 11:55:43 -0700 (Wed, 23 Apr 2014)

Log Message

[New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout.
https://bugs.webkit.org/show_bug.cgi?id=132069

Reviewed by Dean Jackson.


Source/WebCore: 
This is imported from a patch Morten did for Blink, but I had to change it a fair
bit. deleteLines() is used to handle simple line box layout instead of just calling
deleteLineBoxTree.
        
I also had to disable the layout state to stop asserts on repaint when the children
get moved. Not sure why Blink didn't hit this, but it's simple enough to add a
LayoutStateDisabler to stop the assert.

Added fast/multicol/inline-children-crash.html

* rendering/RenderMultiColumnFlowThread.cpp:
(WebCore::RenderMultiColumnFlowThread::evacuateAndDestroy):

LayoutTests: 
* fast/multicol/inline-children-crash-expected.txt: Added.
* fast/multicol/inline-children-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (167717 => 167718)


--- trunk/LayoutTests/ChangeLog	2014-04-23 18:47:15 UTC (rev 167717)
+++ trunk/LayoutTests/ChangeLog	2014-04-23 18:55:43 UTC (rev 167718)
@@ -1,3 +1,13 @@
+2014-04-23  David Hyatt  <hy...@apple.com>
+
+        [New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout.
+        https://bugs.webkit.org/show_bug.cgi?id=132069
+
+        Reviewed by Dean Jackson.
+
+        * fast/multicol/inline-children-crash-expected.txt: Added.
+        * fast/multicol/inline-children-crash.html: Added.
+
 2014-04-23  Morten Stenshorne  <msten...@opera.com>
 
         REGRESSION (Safari 6 - ToT): Incorrectly assumes that RenderStyle data can be shared

Added: trunk/LayoutTests/fast/multicol/inline-children-crash-expected.txt (0 => 167718)


--- trunk/LayoutTests/fast/multicol/inline-children-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/inline-children-crash-expected.txt	2014-04-23 18:55:43 UTC (rev 167718)
@@ -0,0 +1,3 @@
+This test should not crash.
+
+PASS

Added: trunk/LayoutTests/fast/multicol/inline-children-crash.html (0 => 167718)


--- trunk/LayoutTests/fast/multicol/inline-children-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/inline-children-crash.html	2014-04-23 18:55:43 UTC (rev 167718)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<script>
+    if (window.internals)
+        internals.settings.setRegionBasedColumnsEnabled(true);
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    _onload_ = function() {
+        document.getElementById('mc').offsetTop; // trigger layout
+        document.getElementById('mc').style.webkitColumns = 'auto';
+        document.getElementById('mc').style.columns = 'auto';
+        document.getElementById('inline').style.color = 'green';
+    }
+</script>
+<p>This test should not crash.</p>
+<div id="mc" style="-webkit-columns:3; columns:3;">
+    <span id="inline">PASS</span>
+</div>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (167717 => 167718)


--- trunk/Source/WebCore/ChangeLog	2014-04-23 18:47:15 UTC (rev 167717)
+++ trunk/Source/WebCore/ChangeLog	2014-04-23 18:55:43 UTC (rev 167718)
@@ -1,3 +1,23 @@
+2014-04-23  David Hyatt  <hy...@apple.com>
+
+        [New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout.
+        https://bugs.webkit.org/show_bug.cgi?id=132069
+
+        Reviewed by Dean Jackson.
+
+        This is imported from a patch Morten did for Blink, but I had to change it a fair
+        bit. deleteLines() is used to handle simple line box layout instead of just calling
+        deleteLineBoxTree.
+        
+        I also had to disable the layout state to stop asserts on repaint when the children
+        get moved. Not sure why Blink didn't hit this, but it's simple enough to add a
+        LayoutStateDisabler to stop the assert.
+
+        Added fast/multicol/inline-children-crash.html
+
+        * rendering/RenderMultiColumnFlowThread.cpp:
+        (WebCore::RenderMultiColumnFlowThread::evacuateAndDestroy):
+
 2014-04-23  Andreas Kling  <akl...@apple.com>
 
         [iOS WebKit2] IOSurfacePool should force CA to actually garbage collect surfaces.

Modified: trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp (167717 => 167718)


--- trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp	2014-04-23 18:47:15 UTC (rev 167717)
+++ trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp	2014-04-23 18:55:43 UTC (rev 167718)
@@ -30,6 +30,7 @@
 #include "LayoutState.h"
 #include "RenderMultiColumnSet.h"
 #include "RenderMultiColumnSpannerPlaceholder.h"
+#include "RenderView.h"
 #include "TransformState.h"
 
 namespace WebCore {
@@ -161,6 +162,11 @@
 {
     RenderBlockFlow* multicolContainer = multiColumnBlockFlow();
     m_beingEvacuated = true;
+    
+    // Delete the line box tree.
+    deleteLines();
+    
+    LayoutStateDisabler layoutStateDisabler(&view());
 
     // First promote all children of the flow thread. Before we move them to the flow thread's
     // container, we need to unregister the flow thread, so that they aren't just re-added again to
@@ -183,7 +189,7 @@
     // Remove all sets.
     while (RenderMultiColumnSet* columnSet = firstMultiColumnSet())
         columnSet->destroy();
-
+    
     destroy();
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to