Diff
Modified: branches/safari-604-branch/LayoutTests/ChangeLog (222023 => 222024)
--- branches/safari-604-branch/LayoutTests/ChangeLog 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/LayoutTests/ChangeLog 2017-09-14 16:15:35 UTC (rev 222024)
@@ -1,5 +1,20 @@
2017-09-14 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r222008. rdar://problem/34426473
+
+ 2017-09-13 Zalan Bujtas <za...@apple.com>
+
+ Switch multicolumn's spanner map from raw over to weak pointers.
+ https://bugs.webkit.org/show_bug.cgi?id=176367
+ <rdar://problem/34254896>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/multicol/spanner-crash-when-adding-summary-expected.txt: Added.
+ * fast/multicol/spanner-crash-when-adding-summary.html: Added.
+
+2017-09-14 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r222005. rdar://problem/34426487
2017-09-13 Wenson Hsieh <wenson_hs...@apple.com>
Added: branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary-expected.txt (0 => 222024)
--- branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary-expected.txt (rev 0)
+++ branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary-expected.txt 2017-09-14 16:15:35 UTC (rev 222024)
@@ -0,0 +1 @@
+PASS if no crash.
Added: branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary.html (0 => 222024)
--- branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary.html (rev 0)
+++ branches/safari-604-branch/LayoutTests/fast/multicol/spanner-crash-when-adding-summary.html 2017-09-14 16:15:35 UTC (rev 222024)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+div {
+ column-count: 2;
+}
+details {
+ border-image: url(#foo);
+}
+</style>
+</head>
+<body>
+<div><details><summary style="column-span: all"></summary></details></div>
+PASS if no crash.
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+r = document.caretRangeFromPoint(0, 0);
+r.insertNode(document.createElement("summary"));
+document.body.offsetHeight;
+document.getElementsByTagName("summary")[1].remove();
+</script>
+</body>
+</html>
Modified: branches/safari-604-branch/LayoutTests/platform/mac/TestExpectations (222023 => 222024)
--- branches/safari-604-branch/LayoutTests/platform/mac/TestExpectations 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/LayoutTests/platform/mac/TestExpectations 2017-09-14 16:15:35 UTC (rev 222024)
@@ -1611,3 +1611,4 @@
webkit.org/b/173068 imported/w3c/web-platform-tests/IndexedDB/idbobjectstore_getKey.html [ Pass Failure ]
+webkit.org/b/176878 [ Debug ] fast/multicol/spanner-crash-when-adding-summary.html [ Crash ]
Modified: branches/safari-604-branch/Source/WebCore/ChangeLog (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/ChangeLog 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/ChangeLog 2017-09-14 16:15:35 UTC (rev 222024)
@@ -1,5 +1,31 @@
2017-09-14 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r222008. rdar://problem/34426473
+
+ 2017-09-13 Zalan Bujtas <za...@apple.com>
+
+ Switch multicolumn's spanner map from raw over to weak pointers.
+ https://bugs.webkit.org/show_bug.cgi?id=176367
+ <rdar://problem/34254896>
+
+ Reviewed by Antti Koivisto.
+
+ Test: fast/multicol/spanner-crash-when-adding-summary.html
+
+ * rendering/RenderMultiColumnFlowThread.cpp:
+ (WebCore::RenderMultiColumnFlowThread::evacuateAndDestroy):
+ (WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted):
+ (WebCore::RenderMultiColumnFlowThread::handleSpannerRemoval):
+ * rendering/RenderMultiColumnFlowThread.h:
+ * rendering/RenderMultiColumnSet.cpp:
+ (WebCore::RenderMultiColumnSet::firstRendererInFlowThread const):
+ (WebCore::RenderMultiColumnSet::lastRendererInFlowThread const):
+ * rendering/RenderMultiColumnSpannerPlaceholder.cpp:
+ (WebCore::RenderMultiColumnSpannerPlaceholder::RenderMultiColumnSpannerPlaceholder):
+ * rendering/RenderMultiColumnSpannerPlaceholder.h:
+
+2017-09-14 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r222005. rdar://problem/34426487
2017-09-13 Wenson Hsieh <wenson_hs...@apple.com>
Modified: branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp 2017-09-14 16:15:35 UTC (rev 222024)
@@ -184,11 +184,13 @@
SpannerMap::iterator it;
while ((it = m_spannerMap.begin()) != m_spannerMap.end()) {
RenderBox* spanner = it->key;
- RenderMultiColumnSpannerPlaceholder* placeholder = it->value;
- RenderBlockFlow& originalContainer = downcast<RenderBlockFlow>(*placeholder->parent());
multicolContainer->removeChild(*spanner);
- originalContainer.addChild(spanner, placeholder);
- placeholder->destroy();
+ ASSERT(it->value.get());
+ if (RenderMultiColumnSpannerPlaceholder* placeholder = it->value.get()) {
+ RenderBlockFlow& originalContainer = downcast<RenderBlockFlow>(*placeholder->parent());
+ originalContainer.addChild(spanner, placeholder);
+ placeholder->destroy();
+ }
m_spannerMap.remove(it);
}
@@ -436,7 +438,7 @@
}
ASSERT(!m_spannerMap.get(placeholder.spanner()));
- m_spannerMap.add(placeholder.spanner(), &placeholder);
+ m_spannerMap.add(placeholder.spanner(), placeholder.createWeakPtr());
ASSERT(!placeholder.firstChild()); // There should be no children here, but if there are, we ought to skip them.
continue;
}
@@ -447,7 +449,7 @@
void RenderMultiColumnFlowThread::handleSpannerRemoval(RenderObject& spanner)
{
// The placeholder may already have been removed, but if it hasn't, do so now.
- if (RenderMultiColumnSpannerPlaceholder* placeholder = m_spannerMap.get(&downcast<RenderBox>(spanner))) {
+ if (RenderMultiColumnSpannerPlaceholder* placeholder = m_spannerMap.get(&downcast<RenderBox>(spanner)).get()) {
placeholder->parent()->removeChild(*placeholder);
m_spannerMap.remove(&downcast<RenderBox>(spanner));
}
Modified: branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.h (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.h 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnFlowThread.h 2017-09-14 16:15:35 UTC (rev 222024)
@@ -47,7 +47,7 @@
static RenderBox* nextColumnSetOrSpannerSiblingOf(const RenderBox*);
static RenderBox* previousColumnSetOrSpannerSiblingOf(const RenderBox*);
- RenderMultiColumnSpannerPlaceholder* findColumnSpannerPlaceholder(RenderBox* spanner) const { return m_spannerMap.get(spanner); }
+ RenderMultiColumnSpannerPlaceholder* findColumnSpannerPlaceholder(RenderBox* spanner) const { return m_spannerMap.get(spanner).get(); }
void layout() override;
@@ -127,7 +127,7 @@
RenderObject* processPossibleSpannerDescendant(RenderObject*& subtreeRoot, RenderObject& descendant);
private:
- typedef HashMap<RenderBox*, RenderMultiColumnSpannerPlaceholder*> SpannerMap;
+ typedef HashMap<RenderBox*, WeakPtr<RenderMultiColumnSpannerPlaceholder>> SpannerMap;
SpannerMap m_spannerMap;
// The last set we worked on. It's not to be used as the "current set". The concept of a
Modified: branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2017-09-14 16:15:35 UTC (rev 222024)
@@ -74,8 +74,9 @@
// Adjacent sets should not occur. Currently we would have no way of figuring out what each
// of them contains then.
ASSERT(!sibling->isRenderMultiColumnSet());
- RenderMultiColumnSpannerPlaceholder* placeholder = multiColumnFlowThread()->findColumnSpannerPlaceholder(sibling);
- return placeholder->nextInPreOrderAfterChildren();
+ if (RenderMultiColumnSpannerPlaceholder* placeholder = multiColumnFlowThread()->findColumnSpannerPlaceholder(sibling))
+ return placeholder->nextInPreOrderAfterChildren();
+ ASSERT_NOT_REACHED();
}
return flowThread()->firstChild();
}
@@ -86,8 +87,9 @@
// Adjacent sets should not occur. Currently we would have no way of figuring out what each
// of them contains then.
ASSERT(!sibling->isRenderMultiColumnSet());
- RenderMultiColumnSpannerPlaceholder* placeholder = multiColumnFlowThread()->findColumnSpannerPlaceholder(sibling);
- return placeholder->previousInPreOrder();
+ if (RenderMultiColumnSpannerPlaceholder* placeholder = multiColumnFlowThread()->findColumnSpannerPlaceholder(sibling))
+ return placeholder->previousInPreOrder();
+ ASSERT_NOT_REACHED();
}
return flowThread()->lastLeafChild();
}
Modified: branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp 2017-09-14 16:15:35 UTC (rev 222024)
@@ -47,6 +47,7 @@
: RenderBox(flowThread->document(), WTFMove(style), RenderBoxModelObjectFlag)
, m_spanner(&spanner)
, m_flowThread(flowThread)
+ , m_weakPtrFactory(this)
{
}
Modified: branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.h (222023 => 222024)
--- branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.h 2017-09-14 16:15:32 UTC (rev 222023)
+++ branches/safari-604-branch/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.h 2017-09-14 16:15:35 UTC (rev 222024)
@@ -31,6 +31,8 @@
#include "RenderBox.h"
+#include <wtf/WeakPtr.h>
+
namespace WebCore {
class RenderMultiColumnFlowThread;
@@ -41,6 +43,7 @@
RenderBox* spanner() const { return m_spanner; }
RenderMultiColumnFlowThread* flowThread() const { return m_flowThread; }
+ WeakPtr<RenderMultiColumnSpannerPlaceholder> createWeakPtr() { return m_weakPtrFactory.createWeakPtr(); }
private:
RenderMultiColumnSpannerPlaceholder(RenderMultiColumnFlowThread*, RenderBox& spanner, RenderStyle&&);
@@ -52,6 +55,7 @@
RenderBox* m_spanner;
RenderMultiColumnFlowThread* m_flowThread;
+ WeakPtrFactory<RenderMultiColumnSpannerPlaceholder> m_weakPtrFactory;
};
} // namespace WebCore
