Modified: trunk/LayoutTests/ChangeLog (192607 => 192608)
--- trunk/LayoutTests/ChangeLog 2015-11-19 03:20:11 UTC (rev 192607)
+++ trunk/LayoutTests/ChangeLog 2015-11-19 04:14:24 UTC (rev 192608)
@@ -1,3 +1,16 @@
+2015-11-18 Antti Koivisto <an...@apple.com>
+
+ Assertion failure in RenderTreePosition::computeNextSibling
+ https://bugs.webkit.org/show_bug.cgi?id=151337
+ rdar://problem/23250075
+
+ Reviewed by Zalan Bujtas.
+
+ Test case by Pranjal Jumde.
+
+ * fast/html/details-mathml-crash-expected.txt: Added.
+ * fast/html/details-mathml-crash.html: Added.
+
2015-11-18 Jiewen Tan <jiewen_...@apple.com>
[WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
Added: trunk/LayoutTests/fast/html/details-mathml-crash-expected.txt (0 => 192608)
--- trunk/LayoutTests/fast/html/details-mathml-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/html/details-mathml-crash-expected.txt 2015-11-19 04:14:24 UTC (rev 192608)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+
Added: trunk/LayoutTests/fast/html/details-mathml-crash.html (0 => 192608)
--- trunk/LayoutTests/fast/html/details-mathml-crash.html (rev 0)
+++ trunk/LayoutTests/fast/html/details-mathml-crash.html 2015-11-19 04:14:24 UTC (rev 192608)
@@ -0,0 +1,10 @@
+This test passes if it doesn't crash.
+<div><br><summary><mrow></mrow><br>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.execCommand("SelectAll", false, null);
+var style = document.createElement("style");
+style.innerHTML="* { position: absolute; }";
+document.getElementsByTagName("head")[0].appendChild(style);
+</script>
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (192607 => 192608)
--- trunk/Source/WebCore/ChangeLog 2015-11-19 03:20:11 UTC (rev 192607)
+++ trunk/Source/WebCore/ChangeLog 2015-11-19 04:14:24 UTC (rev 192608)
@@ -1,3 +1,28 @@
+2015-11-18 Antti Koivisto <an...@apple.com>
+
+ Assertion failure in RenderTreePosition::computeNextSibling
+ https://bugs.webkit.org/show_bug.cgi?id=151337
+ rdar://problem/23250075
+
+ Reviewed by Zalan Bujtas.
+
+ Test: fast/html/details-mathml-crash.html
+
+ * html/ads: Added.
+ * style/StyleResolveTree.cpp:
+ (WebCore::Style::resolveChildAtShadowBoundary):
+
+ Factor common code for resolving child here from resolveShadowTree.
+
+ (WebCore::Style::resolveShadowTree):
+
+ We don't need StyleResolverParentPusher because shadow tree uses different style resolver anyway.
+
+ (WebCore::Style::resolveSlotAssignees):
+
+ This needs to call renderTreePosition.invalidateNextSibling() if there is a renderer already.
+ Achieve this by calling the new common function resolveChildAtShadowBoundary.
+
2015-11-18 Jer Noble <jer.no...@apple.com>
WebGL slow video to texture
Modified: trunk/Source/WebCore/style/StyleResolveTree.cpp (192607 => 192608)
--- trunk/Source/WebCore/style/StyleResolveTree.cpp 2015-11-19 03:20:11 UTC (rev 192607)
+++ trunk/Source/WebCore/style/StyleResolveTree.cpp 2015-11-19 04:14:24 UTC (rev 192608)
@@ -677,27 +677,29 @@
invalidateWhitespaceOnlyTextSiblingsAfterAttachIfNeeded(text);
}
-static void resolveShadowTree(ShadowRoot& shadowRoot, Element& host, Style::Change change)
+static void resolveChildAtShadowBoundary(Node& child, RenderStyle& inheritedStyle, RenderTreePosition& renderTreePosition, Style::Change change)
{
- StyleResolverParentPusher parentPusher(&host);
+ if (auto* renderer = child.renderer())
+ renderTreePosition.invalidateNextSibling(*renderer);
+ if (is<Text>(child) && child.needsStyleRecalc()) {
+ resolveTextNode(downcast<Text>(child), renderTreePosition);
+ return;
+ }
+ if (is<Element>(child))
+ resolveTree(downcast<Element>(child), inheritedStyle, renderTreePosition, change);
+}
+
+static void resolveShadowTree(ShadowRoot& shadowRoot, Element& host, Style::Change change)
+{
ASSERT(shadowRoot.host() == &host);
ASSERT(host.renderer());
+ auto& inheritedStyle = host.renderer()->style();
if (shadowRoot.styleChangeType() >= FullStyleChange)
change = Force;
RenderTreePosition renderTreePosition(*host.renderer());
- for (Node* child = shadowRoot.firstChild(); child; child = child->nextSibling()) {
- if (child->renderer())
- renderTreePosition.invalidateNextSibling(*child->renderer());
- if (is<Text>(*child) && child->needsStyleRecalc()) {
- resolveTextNode(downcast<Text>(*child), renderTreePosition);
- continue;
- }
- if (is<Element>(*child)) {
- parentPusher.push();
- resolveTree(downcast<Element>(*child), host.renderer()->style(), renderTreePosition, change);
- }
- }
+ for (auto* child = shadowRoot.firstChild(); child; child = child->nextSibling())
+ resolveChildAtShadowBoundary(*child, inheritedStyle, renderTreePosition, change);
shadowRoot.clearNeedsStyleRecalc();
shadowRoot.clearChildNeedsStyleRecalc();
@@ -804,20 +806,11 @@
static void resolveSlotAssignees(HTMLSlotElement& slot, RenderStyle& inheritedStyle, RenderTreePosition& renderTreePosition, Change change)
{
if (auto* assignedNodes = slot.assignedNodes()) {
- for (auto* child : *assignedNodes) {
- if (is<Text>(*child))
- resolveTextNode(downcast<Text>(*child), renderTreePosition);
- else if (is<Element>(*child))
- resolveTree(downcast<Element>(*child), inheritedStyle, renderTreePosition, change);
- }
- } else {
- for (Node* child = slot.firstChild(); child; child = child->nextSibling()) {
- if (is<Text>(*child))
- resolveTextNode(downcast<Text>(*child), renderTreePosition);
- else if (is<Element>(*child))
- resolveTree(downcast<Element>(*child), inheritedStyle, renderTreePosition, change);
- }
- }
+ for (auto* child : *assignedNodes)
+ resolveChildAtShadowBoundary(*child, inheritedStyle, renderTreePosition, change);
+ } else
+ resolveChildren(slot, inheritedStyle, change, renderTreePosition);
+
slot.clearNeedsStyleRecalc();
slot.clearChildNeedsStyleRecalc();
}
