Title: [197267] releases/WebKitGTK/webkit-2.4
Revision
197267
Author
carlo...@webkit.org
Date
2016-02-28 01:51:27 -0800 (Sun, 28 Feb 2016)

Log Message

Merge r182051 - Inline continuation code should not take anonymous containing wrapper granted.
https://bugs.webkit.org/show_bug.cgi?id=133312

Reviewed by Dave Hyatt.

It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
is an anonymous wrapper and its sibling might be a block level renderer.
When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
is detached from the render tree, the inline renderers still continue to form continuation (however, they no longer require
anonymous wrappers).

Source/WebCore:

Test: fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html

* rendering/RenderInline.cpp:
(WebCore::updateStyleOfAnonymousBlockContinuations):
(WebCore::RenderInline::styleDidChange):

LayoutTests:

* fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt: Added.
* fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (197266 => 197267)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-02-28 09:37:40 UTC (rev 197266)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-02-28 09:51:27 UTC (rev 197267)
@@ -1,3 +1,19 @@
+2015-03-26  Zalan Bujtas  <za...@apple.com>
+
+        Inline continuation code should not take anonymous containing wrapper granted.
+        https://bugs.webkit.org/show_bug.cgi?id=133312
+
+        Reviewed by Dave Hyatt.
+
+        It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
+        is an anonymous wrapper and its sibling might be a block level renderer.
+        When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
+        is detached from the render tree, the inline renderes still continue to form continuation.(however they no longer require
+        anonymous wrappers)
+
+        * fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt: Added.
+        * fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html: Added.
+
 2014-12-10  Dean Jackson  <d...@apple.com>
 
         InstancedArray crashes attempting to draw out of bounds
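Review bot: The added ChangeLog description has a typo and a punctuation slip in its fourth line: "renderes" should be "renderers", and "continuation.(however" needs a space and no full stop before the parenthesis. The summary line would also read better as "take anonymous containing wrapper for granted". The same entry text appears in the Source/WebCore ChangeLog hunk, so both should be corrected together.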

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt (0 => 197267)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt	2016-02-28 09:51:27 UTC (rev 197267)
@@ -0,0 +1 @@
+PASS if no crash or assert in debug.

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html (0 => 197267)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html	2016-02-28 09:51:27 UTC (rev 197267)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>This tests that position property can be changed on a inline element once it is not part of an active continuation.</title>
+</head>
+<body>
+PASS if no crash or assert in debug.
+<div style="position: absolute">
+  <span id=foo>
+    <div id=removethis></div>
+  </span>
+</div>
+<span></span>
+<script>
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+  }
+  setTimeout(function() { 
+    var blockToRemove = document.getElementById("removethis");
+    blockToRemove.parentNode.removeChild(blockToRemove);
+    document.getElementById("foo").style.position="relative";
+    if (window.testRunner)
+       testRunner.notifyDone(); 
+  }, 0);
+</script>
+</body>
+</html>
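Review bot: Nothing in the timer callback forces a style or layout update between `style.position="relative"` and `testRunner.notifyDone()`, so whether the affected styleDidChange path has run by the time the test is reported done depends on when the runner flushes style. Consider reading a layout-dependent property such as `document.body.offsetHeight` once before the removal and once after the position change, so the continuation is built, torn down and restyled deterministically. Minor: the title says "a inline element", and a short comment on why the trailing empty `<span></span>` is needed would help anyone who later trims the test.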

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (197266 => 197267)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 09:37:40 UTC (rev 197266)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 09:51:27 UTC (rev 197267)
@@ -1,3 +1,22 @@
+2015-03-26  Zalan Bujtas  <za...@apple.com>
+
+        Inline continuation code should not take anonymous containing wrapper granted.
+        https://bugs.webkit.org/show_bug.cgi?id=133312
+
+        Reviewed by Dave Hyatt.
+
+        It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
+        is an anonymous wrapper and its sibling might be a block level renderer.
+        When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
+        is detached from the render tree, the inline renderes still continue to form continuation.(however they no longer require
+        anonymous wrappers)
+
+        Test: fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html
+
+        * rendering/RenderInline.cpp:
+        (WebCore::updateStyleOfAnonymousBlockContinuations):
+        (WebCore::RenderInline::styleDidChange):
+
 2014-12-10  Dean Jackson  <d...@apple.com>
 
         InstancedArray crashes attempting to draw out of bounds

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderInline.cpp (197266 => 197267)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderInline.cpp	2016-02-28 09:37:40 UTC (rev 197266)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderInline.cpp	2016-02-28 09:51:27 UTC (rev 197267)
@@ -149,9 +149,9 @@
     return 0;
 }
 
-static void updateStyleOfAnonymousBlockContinuations(RenderBox* box, const RenderStyle* newStyle, const RenderStyle* oldStyle)
+static void updateStyleOfAnonymousBlockContinuations(RenderBlock& block, const RenderStyle* newStyle, const RenderStyle* oldStyle)
 {
-    for (;box && box->isAnonymousBlock(); box = box->nextSiblingBox()) {
+    for (RenderBox* box = &block; box && box->isAnonymousBlock(); box = box->nextSiblingBox()) {
         if (box->style().position() == newStyle->position())
             continue;
         
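Review bot: `newStyle` is still a raw pointer here although the loop body dereferences it unconditionally in `newStyle->position()`. Since this change already turns the first parameter into `RenderBlock&` to state that it cannot be null, take `const RenderStyle& newStyle` as well (the caller holds a reference and passes `&newStyle`), so the non-null contract is in the signature rather than implied.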
@@ -185,23 +185,25 @@
     // need to pass its style on to anyone else.
     RenderStyle& newStyle = style();
     RenderInline* continuation = inlineElementContinuation();
-    for (RenderInline* currCont = continuation; currCont; currCont = currCont->inlineElementContinuation()) {
-        RenderBoxModelObject* nextCont = currCont->continuation();
-        currCont->setContinuation(0);
-        currCont->setStyle(newStyle);
-        currCont->setContinuation(nextCont);
+    if (continuation) {
+        for (RenderInline* currCont = continuation; currCont; currCont = currCont->inlineElementContinuation()) {
+            RenderBoxModelObject* nextCont = currCont->continuation();
+            currCont->setContinuation(nullptr);
+            currCont->setStyle(newStyle);
+            currCont->setContinuation(nextCont);
+        }
+        // If an inline's in-flow positioning has changed and it is part of an active continuation as a descendant of an anonymous containing block,
+        // then any descendant blocks will need to change their in-flow positioning accordingly.
+        // Do this by updating the position of the descendant blocks' containing anonymous blocks - there may be more than one.
+        if (containingBlock()->isAnonymousBlock() && oldStyle && newStyle.position() != oldStyle->position() && (newStyle.hasInFlowPosition() || oldStyle->hasInFlowPosition())) {
+            // If any descendant blocks exist then they will be in the next anonymous block and its siblings.
+            ASSERT(containingBlock()->nextSibling());
+            RenderBlock& block = *toRenderBlock(containingBlock()->nextSibling());
+            ASSERT(block.isAnonymousBlock());
+            updateStyleOfAnonymousBlockContinuations(block, &newStyle, oldStyle);
+        }
     }
 
-    // If an inline's in-flow positioning has changed then any descendant blocks will need to change their in-flow positioning accordingly.
-    // Do this by updating the position of the descendant blocks' containing anonymous blocks - there may be more than one.
-    if (continuation && oldStyle && newStyle.position() != oldStyle->position()
-        && (newStyle.hasInFlowPosition() || oldStyle->hasInFlowPosition())) {
-        // If any descendant blocks exist then they will be in the next anonymous block and its siblings.
-        RenderObject* block = containingBlock()->nextSibling();
-        ASSERT(block && block->isAnonymousBlock());
-        updateStyleOfAnonymousBlockContinuations(toRenderBlock(block), &newStyle, oldStyle);
-    }
-
     if (!alwaysCreateLineBoxes()) {
         bool alwaysCreateLineBoxes = hasSelfPaintingLayer() || hasBoxDecorations() || newStyle.hasPadding() || newStyle.hasMargin() || hasOutline();
         if (oldStyle && alwaysCreateLineBoxes) {
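Review bot: The sibling assumption in the new `if (containingBlock()->isAnonymousBlock() ...)` branch is enforced only by `ASSERT`, which is compiled out of release builds. `*toRenderBlock(containingBlock()->nextSibling())` then binds a reference through the cast result whether or not the sibling exists or is a block, and `ASSERT(block.isAnonymousBlock())` only runs after that dereference. The log message says the code should not take the wrapper or the sibling for granted, so it would be more consistent to fetch `nextSibling()` into a local and make the null check and the block check part of the runtime condition, skipping the update when they fail. `containingBlock()` is also dereferenced twice without a null check; hoisting it into a local and testing it once would cover that and avoid the repeated lookup.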