Diff
Modified: trunk/LayoutTests/ChangeLog (94540 => 94541)
--- trunk/LayoutTests/ChangeLog 2011-09-05 23:18:00 UTC (rev 94540)
+++ trunk/LayoutTests/ChangeLog 2011-09-06 01:16:57 UTC (rev 94541)
@@ -1,3 +1,21 @@
+2011-09-05 Abhishek Arya <[email protected]>
+
+ Crash in RenderObjectChildList::destroyLeftOverChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=64753
+
+ Reviewed by James Robinson.
+
+ anonymous-split-block-crash rendering was already wrong. The fix prevents
+ the tree to go bad and hence does not do the column-span rendering. same issue
+ with clone-anonymous-block-non-inline-child-crash test.
+
+ * fast/multicol/column-span-parent-continuation-crash-expected.txt: Added.
+ * fast/multicol/column-span-parent-continuation-crash.html: Added.
+ * platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png:
+ * platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt:
+ * platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png:
+ * platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt:
+
2011-09-05 John Knottenbelt <[email protected]>
Take pageScaleFactor into account for MouseRelatedEvents.
Added: trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt (0 => 94541)
--- trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt 2011-09-06 01:16:57 UTC (rev 94541)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html (0 => 94541)
--- trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html 2011-09-06 01:16:57 UTC (rev 94541)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="console"></div>
+<style>
+div { -webkit-column-count: 1; }
+h2 { -webkit-column-span: all; }
+</style>
+<script src=""
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+ document.body.offsetTop;
+ child = document.getElementById('test');
+ child.parentNode.removeChild(child);
+ child = document.getElementById('anything');
+ gc();
+ document.body.innerHTML = "PASS";
+
+ var successfullyParsed = true;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+setTimeout("runTest()", 0);
+</script>
+<script src=""
+<div>
+<span id="test"><h2></span>
+</div>
+</body>
+</html>
\ No newline at end of file
Modified: trunk/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png
(Binary files differ)
Modified: trunk/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt (94540 => 94541)
--- trunk/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt 2011-09-05 23:18:00 UTC (rev 94540)
+++ trunk/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt 2011-09-06 01:16:57 UTC (rev 94541)
@@ -3,27 +3,26 @@
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,16) size 784x568
-layer at (8,16) size 784x184
- RenderBlock {DIV} at (0,0) size 784x184 [border: (5px solid #800000)]
- RenderBlock (anonymous multi-column span) at (5,113) size 774x66
- RenderBlock {H2} at (0,19) size 774x28 [bgcolor=#EEEEEE]
+layer at (8,16) size 784x151
+ RenderBlock {DIV} at (0,0) size 784x151 [border: (5px solid #800000)]
+ RenderBlock (anonymous) at (5,5) size 379x0
+ RenderInline {JUNK} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderBlock (anonymous) at (5,24) size 379x28
+ RenderBlock {H2} at (0,0) size 379x28 [bgcolor=#EEEEEE]
RenderText {#text} at (0,0) size 58x28
text run at (0,0) width 58: "PASS"
-layer at (13,21) size 774x108
- RenderBlock (anonymous multi-column) at (5,5) size 774x108
- RenderBlock (anonymous) at (0,0) size 379x198
- RenderInline {JUNK} at (0,0) size 369x198
- RenderText {#text} at (0,0) size 0x0
- RenderText {#text} at (0,0) size 369x198
+ RenderBlock (anonymous) at (5,71) size 379x201
+ RenderInline {JUNK} at (0,0) size 369x201
+ RenderText {#text} at (0,0) size 369x201
text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
text run at (0,54) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
- text run at (0,72) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
- text run at (0,90) width 318: "nonummy enim. Nullam bibendum lobortis neque."
- text run at (0,108) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
- text run at (0,126) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
- text run at (0,144) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
- text run at (0,162) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
- text run at (0,180) width 211: "amet, consectetuer adipiscing elit."
- RenderBlock (anonymous) at (0,198) size 379x0
+ text run at (0,75) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
+ text run at (0,93) width 318: "nonummy enim. Nullam bibendum lobortis neque."
+ text run at (0,111) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
+ text run at (0,129) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
+ text run at (0,147) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
+ text run at (0,165) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
+ text run at (0,183) width 211: "amet, consectetuer adipiscing elit."
Modified: trunk/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png
(Binary files differ)
Modified: trunk/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt (94540 => 94541)
--- trunk/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt 2011-09-05 23:18:00 UTC (rev 94540)
+++ trunk/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt 2011-09-06 01:16:57 UTC (rev 94541)
@@ -3,37 +3,32 @@
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,16) size 784x568
-layer at (8,16) size 784x202
- RenderBlock {DIV} at (0,0) size 784x202 [border: (5px solid #800000)]
- RenderBlock (anonymous multi-column span) at (5,23) size 774x66
- RenderBlock {H2} at (0,19) size 774x28 [bgcolor=#EEEEEE]
- RenderText {#text} at (0,0) size 58x28
- text run at (0,0) width 58: "PASS"
-layer at (13,21) size 774x18
- RenderBlock (anonymous multi-column) at (5,5) size 774x18
- RenderBlock (anonymous) at (0,0) size 379x18
+layer at (8,16) size 784x169
+ RenderBlock {DIV} at (0,0) size 784x169 [border: (5px solid #800000)]
+ RenderBlock (anonymous) at (5,5) size 379x18
RenderInline {LABEL} at (0,0) size 102x18
RenderText {#text} at (0,0) size 102x18
text run at (0,0) width 102: "Some inline text"
- RenderBlock (anonymous) at (0,18) size 379x18
- RenderSummary {SUMMARY} at (0,0) size 379x18
- RenderText {#text} at (0,0) size 102x18
- text run at (0,0) width 102: "Some block text"
-layer at (13,105) size 774x108
- RenderBlock (anonymous multi-column) at (5,89) size 774x108
- RenderBlock (anonymous) at (0,0) size 379x198
- RenderBlock {SUMMARY} at (0,0) size 379x198
- RenderText {#text} at (0,0) size 369x198
- text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
- text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
- text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
- text run at (0,54) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
- text run at (0,72) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
- text run at (0,90) width 318: "nonummy enim. Nullam bibendum lobortis neque."
- text run at (0,108) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
- text run at (0,126) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
- text run at (0,144) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
- text run at (0,162) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
- text run at (0,180) width 211: "amet, consectetuer adipiscing elit."
- RenderBlock (anonymous) at (0,198) size 379x0
+ RenderBlock (anonymous) at (5,23) size 379x285
+ RenderSummary {SUMMARY} at (0,0) size 379x285
+ RenderBlock (anonymous) at (0,0) size 379x18
+ RenderText {#text} at (0,0) size 102x18
+ text run at (0,0) width 102: "Some block text"
+ RenderBlock {H2} at (0,37) size 379x28 [bgcolor=#EEEEEE]
+ RenderText {#text} at (0,0) size 58x28
+ text run at (0,0) width 58: "PASS"
+ RenderBlock (anonymous) at (0,84) size 379x201
+ RenderText {#text} at (0,0) size 369x201
+ text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
+ text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
+ text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
+ text run at (0,57) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
+ text run at (0,75) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
+ text run at (0,93) width 318: "nonummy enim. Nullam bibendum lobortis neque."
+ text run at (0,111) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
+ text run at (0,129) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
+ text run at (0,147) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
+ text run at (0,165) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
+ text run at (0,183) width 211: "amet, consectetuer adipiscing elit."
+ RenderBlock (anonymous) at (5,308) size 379x0
RenderInline {LABEL} at (0,0) size 0x0
Modified: trunk/Source/WebCore/ChangeLog (94540 => 94541)
--- trunk/Source/WebCore/ChangeLog 2011-09-05 23:18:00 UTC (rev 94540)
+++ trunk/Source/WebCore/ChangeLog 2011-09-06 01:16:57 UTC (rev 94541)
@@ -1,3 +1,19 @@
+2011-09-05 Abhishek Arya <[email protected]>
+
+ Crash in RenderObjectChildList::destroyLeftOverChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=64753
+
+ Reviewed by James Robinson.
+
+ If any of the ancestors between column span element and containing
+ column's block is a continuation, then don't attempt to render the
+ column span by splitting the block into continuations.
+
+ Test: fast/multicol/column-span-parent-continuation-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::columnsBlockForSpanningElement):
+
2011-09-05 Sheriff Bot <[email protected]>
Unreviewed, rolling out r94537.
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (94540 => 94541)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-09-05 23:18:00 UTC (rev 94540)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-09-06 01:16:57 UTC (rev 94541)
@@ -659,8 +659,22 @@
&& !newChild->isInline() && !isAnonymousColumnSpanBlock()) {
if (style()->specifiesColumns())
columnsBlockAncestor = this;
- else if (!isInline() && parent() && parent()->isRenderBlock())
+ else if (!isInline() && parent() && parent()->isRenderBlock()) {
columnsBlockAncestor = toRenderBlock(parent())->containingColumnsBlock(false);
+
+ if (columnsBlockAncestor) {
+ // Make sure that none of the parent ancestors have a continuation.
+ // If yes, we do not want split the block into continuations.
+ RenderObject* curr = this;
+ while (curr && curr != columnsBlockAncestor) {
+ if (curr->isRenderBlock() && toRenderBlock(curr)->continuation()) {
+ columnsBlockAncestor = 0;
+ break;
+ }
+ curr = curr->parent();
+ }
+ }
+ }
}
return columnsBlockAncestor;
}
