Title: [168280] releases/WebKitGTK/webkit-2.4
- Revision
- 168280
- Author
- carlo...@webkit.org
- Date
- 2014-05-05 05:23:02 -0700 (Mon, 05 May 2014)
Log Message
Merge r167092 - Assertion failure, !node || node->isElementNode(), in
WebCore::RenderBlock::clone()
<https://bugs.webkit.org/show_bug.cgi?id=110489>
<rdar://problem/13666425>
Reviewed by Antti Koivisto.
Source/WebCore:
We're ending up in RenderBlock::splitBlocks() with |this| ==
|fromBlock|. We then try to climb the ancestor block chain from
this->parent() to |fromBlock|, but this->parent() is already above
|fromBlock|, so we end up climbing up to the RenderView and trying to
clone it, causing the assertion failure.
Adopt Chromium's mitigation for this from
<https://codereview.chromium.org/13852041>. This is not intended as a
fix for the underlying issue.
Also, fix another issue that occurs with this fuzzed test case that's
not handled by the Chromium fix.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::splitBlocks):
Ensure while we're in the loop that |curr| is a descendant of
|fromBlock|. From the Chromium patch:
We need to check in every iteration of the loop because
moveChildrenTo could have moved |curr|. This is a mitigation and
not really a fix against a class of tree craziness.
Finally, before moving children from |fromBlock| to |toBlock|, ensure
that the children are children of |fromBlock|. If we never entered the
loop, they will be siblings of |fromBlock|, not children.
LayoutTests:
* fast/multicol/fuzzed-test-case-expected.txt: Added.
* fast/multicol/fuzzed-test-case.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (168279 => 168280)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 11:32:34 UTC (rev 168279)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 12:23:02 UTC (rev 168280)
@@ -1,3 +1,15 @@
+2014-04-07 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Assertion failure, !node || node->isElementNode(), in
+ WebCore::RenderBlock::clone()
+ <https://bugs.webkit.org/show_bug.cgi?id=110489>
+ <rdar://problem/13666425>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/multicol/fuzzed-test-case-expected.txt: Added.
+ * fast/multicol/fuzzed-test-case.html: Added.
+
2014-04-02 David Kilzer <ddkil...@apple.com>
Use outermost containing isolate when constructing bidi runs
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case-expected.txt (0 => 168280)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case-expected.txt 2014-05-05 12:23:02 UTC (rev 168280)
@@ -0,0 +1,3 @@
+
+PASS
+
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case.html (0 => 168280)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/multicol/fuzzed-test-case.html 2014-05-05 12:23:02 UTC (rev 168280)
@@ -0,0 +1,58 @@
+<style>
+.c0 { visibility: inherit; -webkit-column-span: all; }
+.c1 { visibility: hidden; float: right; }
+.c1 + .c14 { visibility: collapse; position: fixed; }
+.c4:nth-child(odd) { overflow: inherit; -webkit-column-count: 3; }
+.c4[class~="c4"] { float: none; }
+.c14 { display: compact; -webkit-column-span: all; }
+.c17:nth-of-type(-n+6) { visibility: collapse; -webkit-column-span: all;</style>
+<script>
+
+ /*
+ WebKit bug #110489, <https://bugs.webkit.org/show_bug.cgi?id=110489>. This test passes it if does not assert in a
+ debug build.
+ */
+
+ var nodes = Array();
+ var text = Array();
+ function loaded() {
+ if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ window.testRunner.waitUntilDone();
+ }
+
+ nodes[0] = document.createElement('caption');
+ document.documentElement.appendChild(nodes[0]);
+ nodes[7] = document.createElement('legend');
+ document.documentElement.appendChild(nodes[7]);
+ nodes[11] = document.createElement('aside');
+ document.documentElement.appendChild(nodes[11]);
+ nodes[16] = document.createElement('kbd');
+ document.documentElement.appendChild(nodes[16]);
+ nodes[17] = document.createElement('colgroup');
+ nodes[17].setAttribute('class', 'c1');
+ nodes[18] = document.createElement('bdo');
+ document.documentElement.appendChild(nodes[18]);
+ nodes[37] = document.createElement('header');
+ nodes[37].setAttribute('class', 'c4');
+ document.documentElement.appendChild(nodes[37]);
+ nodes[52] = document.createElement('nav');
+ nodes[52].setAttribute('class', 'c0');
+ nodes[54] = document.createElement('base');
+ nodes[54].setAttribute('class', 'c14');
+ text[13] = document.createTextNode('PASS');
+ nodes[37].appendChild(text[13]);
+ nodes[37].appendChild(nodes[17]);
+ nodes[37].appendChild(nodes[54]);
+ nodes[37].appendChild(nodes[52]);
+ setTimeout('nodes[17].appendChild(nodes[11]);', 0);
+ setTimeout("nodes[17].setAttribute('class', 'c17');", 1);
+
+
+ setTimeout(function() {
+ if (window.testRunner)
+ window.testRunner.notifyDone();
+ }, 2);
+ }
+ window._onload_ = loaded;
+</script>
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (168279 => 168280)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 11:32:34 UTC (rev 168279)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 12:23:02 UTC (rev 168280)
@@ -1,3 +1,38 @@
+2014-04-07 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Assertion failure, !node || node->isElementNode(), in
+ WebCore::RenderBlock::clone()
+ <https://bugs.webkit.org/show_bug.cgi?id=110489>
+ <rdar://problem/13666425>
+
+ Reviewed by Antti Koivisto.
+
+ We're ending up in RenderBlock::splitBlocks() with |this| ==
+ |fromBlock|. We then try to climb the ancestor block chain from
+ this->parent() to |fromBlock|, but this->parent() is already above
+ |fromBlock|, so we end up climbing up to the RenderView and trying to
+ clone it, causing the assertion failure.
+
+ Adopt Chromium's mitigation for this from
+ <https://codereview.chromium.org/13852041>. This is not intended as a
+ fix for the underlying issue.
+
+ Also, fix another issue that occurs with this fuzzed test case that's
+ not handled by the Chromium fix.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::splitBlocks):
+ Ensure while we're in the loop that |curr| is a descendant of
+ |fromBlock|. From the Chromium patch:
+
+ We need to check in every iteration of the loop because
+ moveChildrenTo could have moved |curr|. This is a mitigation and
+ not really a fix against a class of tree craziness.
+
+ Finally, before moving children from |fromBlock| to |toBlock|, ensure
+ that the children are children of |fromBlock|. If we never entered the
+ loop, they will be siblings of |fromBlock|, not children.
+
2014-04-17 David Kilzer <ddkil...@apple.com>
Tidy up isIsolatedInline() and highestContainingIsolateWithinRoot()
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlock.cpp (168279 => 168280)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlock.cpp 2014-05-05 11:32:34 UTC (rev 168279)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlock.cpp 2014-05-05 12:23:02 UTC (rev 168280)
@@ -543,9 +543,7 @@
RenderBoxModelObject* currChild = this;
RenderObject* currChildNextSibling = currChild->nextSibling();
- while (curr && curr != fromBlock) {
- ASSERT_WITH_SECURITY_IMPLICATION(curr->isRenderBlock());
-
+ while (curr && curr->isDescendantOf(fromBlock) && curr != fromBlock) {
RenderBlock* blockCurr = toRenderBlock(curr);
// Create a new clone.
@@ -580,7 +578,8 @@
// Now take all the children after currChild and remove them from the fromBlock
// and put them in the toBlock.
- fromBlock->moveChildrenTo(toBlock, currChildNextSibling, 0, true);
+ if (currChildNextSibling && currChildNextSibling->parent() == fromBlock)
+ fromBlock->moveChildrenTo(toBlock, currChildNextSibling, 0, true);
}
void RenderBlock::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox,
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
