Title: [207923] branches/safari-602-branch
- Revision: 207923
- Author: matthew_han...@apple.com
- Date: 2016-10-26 16:18:13 -0700 (Wed, 26 Oct 2016)
Log Message
Merge r207683. rdar://problem/28849627
Diff
Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207922 => 207923)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-26 23:18:13 UTC (rev 207923)
@@ -1,5 +1,20 @@
2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+ Merge r207683. rdar://problem/28849627
+
+ 2016-10-21 Zalan Bujtas <za...@apple.com>
+
+ Do not mutate the render tree while collecting selection repaint rects.
+ https://bugs.webkit.org/show_bug.cgi?id=163800
+ <rdar://problem/28806886>
+
+ Reviewed by David Hyatt.
+
+ * fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt: Added.
+ * fast/lists/crash-when-list-marker-is-moved-during-selection.html: Added.
+
+2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+
Merge r207661. rdar://problem/28857478
2016-10-21 Jer Noble <jer.no...@apple.com>
Added: branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt (0 => 207923)
--- branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt 2016-10-26 23:18:13 UTC (rev 207923)
@@ -0,0 +1,2 @@
+Pass if no crash or assert.
+
Added: branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html (0 => 207923)
--- branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html 2016-10-26 23:18:13 UTC (rev 207923)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't mutate the render tree during selection.</title>
+<style>
+ body {
+ column-count: 2;
+ }
+</style>
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function runTest() {
+ setTimeout(function() {
+ li.style.webkitWritingMode = "horizontal-tb";
+ innerSpan.style.display = "list-item";
+ mostInnerSpan.style.display = "list-item";
+ document.getSelection().setBaseAndExtent(container, 0, document.body, document.body.childNodes.length);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }
+</script>
+</head>
+<body _onload_=runTest()>
+Pass if no crash or assert.
+<div id="container" style="-webkit-writing-mode: vertical-rl"><table><tr><td><li id="li"><span id="innerSpan"><span id="mostInnerSpan"></span></span></li></tr></td></table>
+</body>
+</html>
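Review bot: The container line near the end of the test closes its table elements in the wrong order (`</tr></td>`) and never closes `<div id="container">`, and nothing in the file says whether that is deliberate. If the malformed markup is needed to get the render tree into the crashing shape, say so in a comment so it is not tidied up later; if not, close the elements in order. The script also depends on `li`, `innerSpan`, `mostInnerSpan` and `container` resolving as globals from their ids; `document.getElementById` would make the test independent of that lookup. Finally, `testRunner.notifyDone()` runs right after `setBaseAndExtent()` in the same timer callback, so it is worth confirming that the selection repaint this test targets has happened by the time the test finishes.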
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207922 => 207923)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:18:13 UTC (rev 207923)
@@ -1,5 +1,28 @@
2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+ Merge r207683. rdar://problem/28849627
+
+ 2016-10-21 Zalan Bujtas <za...@apple.com>
+
+ Do not mutate the render tree while collecting selection repaint rects.
+ https://bugs.webkit.org/show_bug.cgi?id=163800
+ <rdar://problem/28806886>
+
+ Reviewed by David Hyatt.
+
+ RenderListItem not only mutates the tree while in layout but it also uses
+ the old descendant context to find the insertion point.
+ This patch strictly ensures that we only do it while in layout and never
+ in other cases such as collecting repaint rects.
+ This gets redundant when webkit.org/b/163789 is fixed.
+
+ Test: fast/lists/crash-when-list-marker-is-moved-during-selection.html
+
+ * rendering/RenderListItem.cpp:
+ (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
+
+2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+
Merge r207661. rdar://problem/28857478
2016-10-21 Jer Noble <jer.no...@apple.com>
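Review bot: The description names two problems in RenderListItem (mutating the tree while in layout, and using the old descendant context to find the insertion point), but the entry lists a change only to `insertOrMoveMarkerRendererIfNeeded` that restricts when the repositioning runs. It would help to state explicitly that the stale-context problem is left for webkit.org/b/163789 and that this guard is to be removed once that lands, so the merge record shows what remains open on the branch.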
Modified: branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp (207922 => 207923)
--- branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp 2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp 2016-10-26 23:18:13 UTC (rev 207923)
@@ -274,6 +274,11 @@
if (!m_marker)
return;
+ // FIXME: Do not even try reposition the marker when we are not in layout
+ // until after we fixed webkit.org/b/163789.
+ if (!view().frameView().isInRenderTreeLayout())
+ return;
+
RenderElement* currentParent = m_marker->parent();
RenderBlock* newParent = getParentOfFirstLineBox(*this, *m_marker);
if (!newParent) {
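Review bot: The new early return on `!view().frameView().isInRenderTreeLayout()` turns every call from outside layout into a silent no-op, so the marker stays under its current parent even when `getParentOfFirstLineBox` would choose a different one. The FIXME should name the callers expected to reach this path (the ChangeLog mentions collecting selection repaint rects) and say what guarantees that a later layout repositions the marker. Since the guard exists to stop tree mutation while other code is walking the tree, a debug-only log on the non-layout path would help find the remaining callers before webkit.org/b/163789 is fixed. Minor: the comment should read "Do not even try to reposition".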