Modified: branches/safari-607-branch/LayoutTests/ChangeLog (243579 => 243580)
--- branches/safari-607-branch/LayoutTests/ChangeLog 2019-03-27 23:43:57 UTC (rev 243579)
+++ branches/safari-607-branch/LayoutTests/ChangeLog 2019-03-27 23:44:01 UTC (rev 243580)
@@ -1,5 +1,45 @@
2019-03-27 Alan Coon <alanc...@apple.com>
+ Cherry-pick r243331. rdar://problem/49308068
+
+ Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=195919
+ <rdar://problem/48573434>
+
+ Reviewed by Brent Fulgham.
+
+ Source/WebCore:
+
+ When the container is injected too early, we might end up removing it as part of the collapsing logic
+ while the text renderer is being removed (replaced with the first letter + remaining text).
+
+ Test: fast/css/first-letter-and-float-crash.html
+
+ * rendering/updating/RenderTreeBuilderFirstLetter.cpp:
+ (WebCore::RenderTreeBuilder::FirstLetter::createRenderers):
+
+ LayoutTests:
+
+ * fast/css/first-letter-and-float-crash-expected.txt: Added.
+ * fast/css/first-letter-and-float-crash.html: Added.
+ * platform/mac/TestExpectations:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243331 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-03-21 Zalan Bujtas <za...@apple.com>
+
+ Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=195919
+ <rdar://problem/48573434>
+
+ Reviewed by Brent Fulgham.
+
+ * fast/css/first-letter-and-float-crash-expected.txt: Added.
+ * fast/css/first-letter-and-float-crash.html: Added.
+ * platform/mac/TestExpectations:
+
+2019-03-27 Alan Coon <alanc...@apple.com>
+
Cherry-pick r242919. rdar://problem/49307949
Use RenderBox::previousSiblingBox/nextSiblingBox in RenderMultiColumnFlow
Modified: branches/safari-607-branch/LayoutTests/TestExpectations (243579 => 243580)
--- branches/safari-607-branch/LayoutTests/TestExpectations 2019-03-27 23:43:57 UTC (rev 243579)
+++ branches/safari-607-branch/LayoutTests/TestExpectations 2019-03-27 23:44:01 UTC (rev 243580)
@@ -2905,3 +2905,5 @@
fast/mediacapturefromelement/CanvasCaptureMediaStream-imagebitmaprenderingcontext.html [ Skip ]
fast/mediacapturefromelement/CanvasCaptureMediaStream-framerate-0.html [ Skip ]
fast/mediacapturefromelement/CanvasCaptureMediaStream-capture-out-of-DOM-element.html [ Skip ]
+
+[ Debug ] fast/css/first-letter-and-float-crash.html [ Skip ]
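Review bot: The regression test added by this very change is skipped in Debug builds here without a bug reference or a comment saying why, so a reader cannot tell whether the skip is a known Debug-only assertion or a leftover. If the skip is tied to the bug this change fixes, prefix the line the usual way, `webkit.org/b/195919 [ Debug ] fast/css/first-letter-and-float-crash.html [ Skip ]`, so the entry can be revisited when the bug is closed. Note also that the ChangeLog entries in this commit list `platform/mac/TestExpectations` as the file touched, while the diff actually modifies `LayoutTests/TestExpectations`; one of the two looks out of date.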
Added: branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash-expected.txt (0 => 243580)
--- branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash-expected.txt (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash-expected.txt 2019-03-27 23:44:01 UTC (rev 243580)
@@ -0,0 +1 @@
+Pass if no crash
Added: branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash.html (0 => 243580)
--- branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash.html (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/css/first-letter-and-float-crash.html 2019-03-27 23:44:01 UTC (rev 243580)
@@ -0,0 +1,11 @@
+<style>
+:matches(foobar, .inlineContainer .floatContainer)::first-letter {
+ font-size: 10px;
+}
+</style>
+
+<span class=inlineContainer><div style="float: left" class=floatContainer>Pass if no crash</div></span>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
\ No newline at end of file
Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (243579 => 243580)
--- branches/safari-607-branch/Source/WebCore/ChangeLog 2019-03-27 23:43:57 UTC (rev 243579)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog 2019-03-27 23:44:01 UTC (rev 243580)
@@ -1,5 +1,49 @@
2019-03-27 Alan Coon <alanc...@apple.com>
+ Cherry-pick r243331. rdar://problem/49308068
+
+ Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=195919
+ <rdar://problem/48573434>
+
+ Reviewed by Brent Fulgham.
+
+ Source/WebCore:
+
+ When the container is injected too early, we might end up removing it as part of the collapsing logic
+ while the text renderer is being removed (replaced with the first letter + remaining text).
+
+ Test: fast/css/first-letter-and-float-crash.html
+
+ * rendering/updating/RenderTreeBuilderFirstLetter.cpp:
+ (WebCore::RenderTreeBuilder::FirstLetter::createRenderers):
+
+ LayoutTests:
+
+ * fast/css/first-letter-and-float-crash-expected.txt: Added.
+ * fast/css/first-letter-and-float-crash.html: Added.
+ * platform/mac/TestExpectations:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243331 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-03-21 Zalan Bujtas <za...@apple.com>
+
+ Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=195919
+ <rdar://problem/48573434>
+
+ Reviewed by Brent Fulgham.
+
+ When the container is injected too early, we might end up removing it as part of the collapsing logic
+ while the text renderer is being removed (replaced with the first letter + remaining text).
+
+ Test: fast/css/first-letter-and-float-crash.html
+
+ * rendering/updating/RenderTreeBuilderFirstLetter.cpp:
+ (WebCore::RenderTreeBuilder::FirstLetter::createRenderers):
+
+2019-03-27 Alan Coon <alanc...@apple.com>
+
Cherry-pick r243298. rdar://problem/49308011
Hardening: Use WeakPtrs in VideoFullscreenInterface{Mac,AVKit}
Modified: branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp (243579 => 243580)
--- branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp 2019-03-27 23:43:57 UTC (rev 243579)
+++ branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp 2019-03-27 23:44:01 UTC (rev 243580)
@@ -217,9 +217,6 @@
newFirstLetter->initializeStyle();
newFirstLetter->setIsFirstLetter();
- auto& firstLetter = *newFirstLetter;
- m_builder.attach(*firstLetterContainer, WTFMove(newFirstLetter), ¤tTextChild);
-
// The original string is going to be either a generated content string or a DOM node's
// string. We want the original string before it got transformed in case first-letter has
// no text-transform or a different text-transform applied to it.
@@ -253,6 +250,8 @@
auto* textNode = currentTextChild.textNode();
auto* beforeChild = currentTextChild.nextSibling();
+ auto inlineWrapperForDisplayContents = makeWeakPtr(currentTextChild.inlineWrapperForDisplayContents());
+ auto hasInlineWrapperForDisplayContents = inlineWrapperForDisplayContents.get();
m_builder.destroy(currentTextChild);
// Construct a text fragment for the text after the first letter.
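Review bot: The wrapper captured via `makeWeakPtr(currentTextChild.inlineWrapperForDisplayContents())` is only verified to have survived `m_builder.destroy(currentTextChild)` by an `ASSERT_UNUSED` in the following hunk, which is compiled out in release; there, a wrapper torn down during destroy() reads back as null and is silently handed to `setInlineWrapperForDisplayContents`. That is the intended safe outcome (a nulled WeakPtr instead of a dangling pointer), but nothing in the code says so, so I'd add above the weak-pointer line: `// Held as a WeakPtr because destroy() below may tear the wrapper down; reading back null afterwards is tolerated in release and caught by the ASSERT in debug.` Separately, `auto hasInlineWrapperForDisplayContents = inlineWrapperForDisplayContents.get();` deduces a raw pointer while the name reads as a bool; `auto* previousInlineWrapperForDisplayContents = ...` would match what it holds. The enclosing createRenderers function begins outside this hunk.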
@@ -265,13 +264,18 @@
newRemainingText = createRenderer<RenderTextFragment>(firstLetterBlock.document(), oldText, length, oldText.length() - length);
RenderTextFragment& remainingText = *newRemainingText;
+ ASSERT_UNUSED(hasInlineWrapperForDisplayContents, hasInlineWrapperForDisplayContents == inlineWrapperForDisplayContents.get());
+ remainingText.setInlineWrapperForDisplayContents(inlineWrapperForDisplayContents.get());
m_builder.attach(*textContentParent, WTFMove(newRemainingText), beforeChild);
+
+ // FIXME: Make attach the final step so that we don't need to keep firstLetter around.
+ auto& firstLetter = *newFirstLetter;
remainingText.setFirstLetter(firstLetter);
firstLetter.setFirstLetterRemainingText(remainingText);
+ m_builder.attach(*firstLetterContainer, WTFMove(newFirstLetter), &remainingText);
- // construct text fragment for the first letter
+ // Construct text fragment for the first letter.
auto letter = createRenderer<RenderTextFragment>(firstLetterBlock.document(), oldText, 0, length);
-
m_builder.attach(firstLetter, WTFMove(letter));
}
}
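Review bot: `m_builder.attach(*firstLetterContainer, WTFMove(newFirstLetter), &remainingText)` passes as beforeChild a renderer that was just attached under `*textContentParent`, which is only correct when textContentParent and firstLetterContainer denote the same renderer; both are set up before this hunk (createRenderers starts outside it), and nothing in the hunk shows that relation. The removed code relied on the same assumption with `&currentTextChild`, so rather than leave it implicit I'd assert it immediately before the attach: `ASSERT(remainingText.parent() == firstLetterContainer);`. It is also worth a one-line comment that `remainingText.setFirstLetter(firstLetter)` and `firstLetter.setFirstLetterRemainingText(remainingText)` now link the two fragments while `firstLetter` is not yet in the tree, since the attach was deliberately moved after them.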