Diff
Modified: trunk/LayoutTests/ChangeLog (207803 => 207804)
--- trunk/LayoutTests/ChangeLog 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/LayoutTests/ChangeLog 2016-10-25 04:19:09 UTC (rev 207804)
@@ -1,3 +1,14 @@
+2016-10-24 Zalan Bujtas <za...@apple.com>
+
+ Do not update selection rect on dirty lineboxes.
+ https://bugs.webkit.org/show_bug.cgi?id=163862
+ <rdar://problem/28813156>
+
+ Reviewed by Simon Fraser.
+
+ * fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt: Added.
+ * fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html: Added.
+
2016-10-24 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r207795.
Added: trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt (0 => 207804)
--- trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt 2016-10-25 04:19:09 UTC (rev 207804)
@@ -0,0 +1,2 @@
+Pass if
+no crash.
Added: trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html (0 => 207804)
--- trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html 2016-10-25 04:19:09 UTC (rev 207804)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we can clear selection properly on dynamic content with first letter.</title>
+<style>
+.floatClass::first-letter {
+ float: right;
+}
+
+#innerBody {
+ column-count: 2;
+}
+
+</style>
+</head>
+<body>
+<li id=li style="float: right;">Pass if<span style="float: right;"></span></li><body id=innerBody style="height: 100px"><span id=span style="display: none;"></span>no crash.</body>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ innerBody.style.webkitWritingMode = "vertical-rl";
+ innerBody.className = "floatClass";
+
+ document.getSelection().setBaseAndExtent(span, 0, innerBody, innerBody.childNodes.length);
+ window.getSelection().modify("extend", "left", "documentboundary");
+ innerBody.scrollIntoViewIfNeeded(true);
+ li.style.cssText = "float: right; height: 40px; width: 40px;";
+ document.body.offsetHeight;
+ li.style.cssText = "";
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (207803 => 207804)
--- trunk/Source/WebCore/ChangeLog 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/ChangeLog 2016-10-25 04:19:09 UTC (rev 207804)
@@ -1,3 +1,34 @@
+2016-10-24 Zalan Bujtas <za...@apple.com>
+
+ Do not update selection rect on dirty lineboxes.
+ https://bugs.webkit.org/show_bug.cgi?id=163862
+ <rdar://problem/28813156>
+
+ Reviewed by Simon Fraser.
+
+ In certain cases RenderBlock::updateFirstLetter() triggers
+ unwanted render tree mutation while the caller assumes intact renderers.
+ This patch ensures that no renderers gets destroyed while computing the preferred widths
+ when we are outside of layout context.
+
+ Test: fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::computePreferredLogicalWidths):
+ (WebCore::RenderBlock::updateFirstLetter):
+ * rendering/RenderBlock.h:
+ * rendering/RenderListItem.cpp:
+ (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
+ * rendering/RenderRubyRun.cpp:
+ (WebCore::RenderRubyRun::updateFirstLetter):
+ * rendering/RenderRubyRun.h:
+ * rendering/RenderTable.cpp:
+ (WebCore::RenderTable::updateFirstLetter):
+ * rendering/RenderTable.h:
+ * rendering/svg/RenderSVGText.cpp:
+ (WebCore::RenderSVGText::updateFirstLetter):
+ * rendering/svg/RenderSVGText.h:
+
2016-10-24 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r207795.
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2016-10-25 04:19:09 UTC (rev 207804)
@@ -2755,7 +2755,9 @@
{
ASSERT(preferredLogicalWidthsDirty());
- updateFirstLetter();
+ // FIXME: Do not even try to reshuffle first letter renderers when we are not in layout
+ // until after webkit.org/b/163848 is fixed.
+ updateFirstLetter(view().frameView().isInRenderTreeLayout() ? RenderTreeMutationIsAllowed::Yes : RenderTreeMutationIsAllowed::No);
m_minPreferredLogicalWidth = 0;
m_maxPreferredLogicalWidth = 0;
@@ -3305,7 +3307,7 @@
firstLetterContainer = nullptr;
}
-void RenderBlock::updateFirstLetter()
+void RenderBlock::updateFirstLetter(RenderTreeMutationIsAllowed mutationAllowedOrNot)
{
RenderObject* firstLetterObj;
RenderElement* firstLetterContainer;
@@ -3326,6 +3328,8 @@
if (!is<RenderText>(*firstLetterObj))
return;
+ if (mutationAllowedOrNot != RenderTreeMutationIsAllowed::Yes)
+ return;
// Our layout state is not valid for the repaints we are going to trigger by
// adding and removing children of firstLetterContainer.
LayoutStateDisabler layoutStateDisabler(view());
Modified: trunk/Source/WebCore/rendering/RenderBlock.h (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderBlock.h 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderBlock.h 2016-10-25 04:19:09 UTC (rev 207804)
@@ -245,7 +245,8 @@
LayoutUnit collapsedMarginBeforeForChild(const RenderBox& child) const;
LayoutUnit collapsedMarginAfterForChild(const RenderBox& child) const;
- virtual void updateFirstLetter();
+ enum class RenderTreeMutationIsAllowed { Yes, No };
+ virtual void updateFirstLetter(RenderTreeMutationIsAllowed = RenderTreeMutationIsAllowed::Yes);
void getFirstLetter(RenderObject*& firstLetter, RenderElement*& firstLetterContainer, RenderObject* skipObject = nullptr);
virtual void scrollbarsChanged(bool /*horizontalScrollbarChanged*/, bool /*verticalScrollbarChanged*/) { }
Modified: trunk/Source/WebCore/rendering/RenderListItem.cpp (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderListItem.cpp 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderListItem.cpp 2016-10-25 04:19:09 UTC (rev 207804)
@@ -268,7 +268,7 @@
if (!m_marker)
return;
- // FIXME: Do not even try reposition the marker when we are not in layout
+ // FIXME: Do not even try to reposition the marker when we are not in layout
// until after we fixed webkit.org/b/163789.
if (!view().frameView().isInRenderTreeLayout())
return;
Modified: trunk/Source/WebCore/rendering/RenderRubyRun.cpp (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderRubyRun.cpp 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderRubyRun.cpp 2016-10-25 04:19:09 UTC (rev 207804)
@@ -101,7 +101,7 @@
return 0;
}
-void RenderRubyRun::updateFirstLetter()
+void RenderRubyRun::updateFirstLetter(RenderTreeMutationIsAllowed)
{
}
Modified: trunk/Source/WebCore/rendering/RenderRubyRun.h (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderRubyRun.h 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderRubyRun.h 2016-10-25 04:19:09 UTC (rev 207804)
@@ -61,7 +61,7 @@
void removeChild(RenderObject&) override;
RenderBlock* firstLineBlock() const override;
- void updateFirstLetter() override;
+ void updateFirstLetter(RenderTreeMutationIsAllowed = RenderTreeMutationIsAllowed::Yes) override;
void getOverhang(bool firstLine, RenderObject* startRenderer, RenderObject* endRenderer, float& startOverhang, float& endOverhang) const;
Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderTable.cpp 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp 2016-10-25 04:19:09 UTC (rev 207804)
@@ -1458,7 +1458,7 @@
return nullptr;
}
-void RenderTable::updateFirstLetter()
+void RenderTable::updateFirstLetter(RenderTreeMutationIsAllowed)
{
}
Modified: trunk/Source/WebCore/rendering/RenderTable.h (207803 => 207804)
--- trunk/Source/WebCore/rendering/RenderTable.h 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/RenderTable.h 2016-10-25 04:19:09 UTC (rev 207804)
@@ -303,7 +303,7 @@
void invalidateCachedColumnOffsets();
RenderBlock* firstLineBlock() const final;
- void updateFirstLetter() final;
+ void updateFirstLetter(RenderTreeMutationIsAllowed = RenderTreeMutationIsAllowed::Yes) final;
void updateLogicalWidth() final;
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp (207803 => 207804)
--- trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp 2016-10-25 04:19:09 UTC (rev 207804)
@@ -545,7 +545,7 @@
// Fix for <rdar://problem/8048875>. We should not render :first-letter CSS Style
// in a SVG text element context.
-void RenderSVGText::updateFirstLetter()
+void RenderSVGText::updateFirstLetter(RenderTreeMutationIsAllowed)
{
}
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGText.h (207803 => 207804)
--- trunk/Source/WebCore/rendering/svg/RenderSVGText.h 2016-10-25 03:46:32 UTC (rev 207803)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGText.h 2016-10-25 04:19:09 UTC (rev 207804)
@@ -92,7 +92,7 @@
std::unique_ptr<RootInlineBox> createRootInlineBox() override;
RenderBlock* firstLineBlock() const override;
- void updateFirstLetter() override;
+ void updateFirstLetter(RenderTreeMutationIsAllowed = RenderTreeMutationIsAllowed::Yes) override;
bool shouldHandleSubtreeMutations() const;
