Title: [193773] trunk
Revision
193773
Author
za...@apple.com
Date
2015-12-08 12:44:51 -0800 (Tue, 08 Dec 2015)

Log Message

Do not insert positioned renderers to multiple gPositionedDescendantsMap.
https://bugs.webkit.org/show_bug.cgi?id=151878
rdar://problem/22229889

Reviewed by Simon Fraser.

We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
returns true for RenderElement::canContainAbsolutelyPositionedObjects().
canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
If this container's style changes so that it's no longer positioned and it has no transform anymore,
we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).

This patch addresses the case when the renderer does not have transforms anymore.

Source/WebCore:

Test: fast/block/positioning/crash-when-transform-is-removed.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::styleWillChange):

LayoutTests:

* fast/block/positioning/crash-when-transform-is-removed-expected.txt: Added.
* fast/block/positioning/crash-when-transform-is-removed.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (193772 => 193773)


--- trunk/LayoutTests/ChangeLog	2015-12-08 20:43:33 UTC (rev 193772)
+++ trunk/LayoutTests/ChangeLog	2015-12-08 20:44:51 UTC (rev 193773)
@@ -1,3 +1,23 @@
+2015-12-08  Zalan Bujtas  <za...@apple.com>
+
+        Do not insert positioned renderers to multiple gPositionedDescendantsMap.
+        https://bugs.webkit.org/show_bug.cgi?id=151878
+        rdar://problem/22229889
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
+        returns true for RenderElement::canContainAbsolutelyPositionedObjects().
+        canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
+        If this container's style changes so that it's no longer positioned and it has no transform anymore,
+        we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).
+
+        This patch addresses the case when the renderer does not have transforms anymore.
+
+        * fast/block/positioning/crash-when-transform-is-removed-expected.txt: Added.
+        * fast/block/positioning/crash-when-transform-is-removed.html: Added.
+
 2015-12-08  Ryan Haddad  <ryanhad...@apple.com>
 
         Marking fast/canvas/canvas-too-large-to-draw.html as flaky on ElCapitan Debug

Added: trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed-expected.txt (0 => 193773)


--- trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed-expected.txt	2015-12-08 20:44:51 UTC (rev 193773)
@@ -0,0 +1 @@
+ PASS if no crash or assert.

Added: trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed.html (0 => 193773)


--- trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/crash-when-transform-is-removed.html	2015-12-08 20:44:51 UTC (rev 193773)
@@ -0,0 +1,12 @@
+<body style="transform: translateX(0);">
+<img style="position: absolute;">
+PASS if no crash or assert.
+</body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+document.body.setAttribute("style","");
+document.body.offsetHeight;
+document.getElementsByTagName("img")[0].setAttribute("style","");
+</script>
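Review bot: the last mutation in this hunk, `document.getElementsByTagName("img")[0].setAttribute("style","");`, is not followed by a `document.body.offsetHeight;` the way the two body mutations above it are, so if the assert this test targets only fires during the layout that re-parents the img, the test may finish before that layout happens; adding a forced layout after that line makes the test reach the fixed path deterministically rather than relying on teardown.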

Modified: trunk/Source/WebCore/ChangeLog (193772 => 193773)


--- trunk/Source/WebCore/ChangeLog	2015-12-08 20:43:33 UTC (rev 193772)
+++ trunk/Source/WebCore/ChangeLog	2015-12-08 20:44:51 UTC (rev 193773)
@@ -1,3 +1,25 @@
+2015-12-08  Zalan Bujtas  <za...@apple.com>
+
+        Do not insert positioned renderers to multiple gPositionedDescendantsMap.
+        https://bugs.webkit.org/show_bug.cgi?id=151878
+        rdar://problem/22229889
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
+        returns true for RenderElement::canContainAbsolutelyPositionedObjects().
+        canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
+        If this container's style changes so that it's no longer positioned and it has no transform anymore,
+        we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).
+
+        This patch addresses the case when the renderer does not have transforms anymore.
+
+        Test: fast/block/positioning/crash-when-transform-is-removed.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::styleWillChange):
+
 2015-12-08  Eric Carlson  <eric.carl...@apple.com>
 
         [MediaStream] Rename UserMediaClient and UserMediaController methods

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (193772 => 193773)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2015-12-08 20:43:33 UTC (rev 193772)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2015-12-08 20:44:51 UTC (rev 193773)
@@ -242,11 +242,14 @@
 
     setReplaced(newStyle.isDisplayInlineType());
 
+    if (oldStyle && oldStyle->hasTransformRelatedProperty() && !newStyle.hasTransformRelatedProperty())
+        removePositionedObjects(nullptr, NewContainingBlock);
+
     if (oldStyle && parent() && diff == StyleDifferenceLayout && oldStyle->position() != newStyle.position()) {
         if (newStyle.position() == StaticPosition)
             // Clear our positioned objects list. Our absolutely positioned descendants will be
             // inserted into our containing block's positioned objects list during layout.
-            removePositionedObjects(0, NewContainingBlock);
+            removePositionedObjects(nullptr, NewContainingBlock);
         else if (oldStyle->position() == StaticPosition) {
             // Remove our absolutely positioned descendants from their current containing block.
             // They will be inserted into our positioned objects list during layout.
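Review bot: the new guard at the top of this hunk clears the positioned-objects list whenever a transform-related property is dropped, even when `newStyle.position()` is still non-static and the block therefore remains a valid container for its absolutely positioned descendants; that is harmless (they are re-inserted at the next layout) but wasteful, so consider also requiring `newStyle.position() == StaticPosition` so the list is only cleared when the block actually stops being a containing block. Note as well that, unlike the existing `position()` branch below it, this check runs without the `parent()` and `diff == StyleDifferenceLayout` conditions; if that is intentional, a one-line comment saying why would help the next reader.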