Title: [201393] trunk
- Revision
- 201393
- Author
- [email protected]
- Date
- 2016-05-25 12:04:47 -0700 (Wed, 25 May 2016)
Log Message
Source/WebCore:
Shadow DOM: RenderTreePosition miscomputed when display:contents value changes
https://bugs.webkit.org/show_bug.cgi?id=158072
rdar://problem/25766333
Reviewed by Darin Adler.
Test: fast/shadow-dom/slot-crash.html
* style/RenderTreePosition.h:
(WebCore::RenderTreePosition::invalidateNextSibling):
Add unconditional invalidation function.
* style/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::updateElementRenderer):
With display:contents rendering siblings may be found from the subtree and the existing cached
position may become invalid.
If the display:contents value changes invalidate the current render tree position.
LayoutTests:
Shadow DOM: RenderTreePosition should determine if element has display:contents from new style
https://bugs.webkit.org/show_bug.cgi?id=158072
Reviewed by Darin Adler.
* fast/shadow-dom/slot-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (201392 => 201393)
--- trunk/LayoutTests/ChangeLog 2016-05-25 18:59:40 UTC (rev 201392)
+++ trunk/LayoutTests/ChangeLog 2016-05-25 19:04:47 UTC (rev 201393)
@@ -1,3 +1,12 @@
+2016-05-25 Antti Koivisto <[email protected]>
+
+ Shadow DOM: RenderTreePosition should determine if element has display:contents from new style
+ https://bugs.webkit.org/show_bug.cgi?id=158072
+
+ Reviewed by Darin Adler.
+
+ * fast/shadow-dom/slot-crash.html: Added.
+
2016-05-25 Chris Dumez <[email protected]>
Update dom/Window/messageevent-source-postmessage-reified.html after r201315
Added: trunk/LayoutTests/fast/shadow-dom/slot-crash-expected.txt (0 => 201393)
--- trunk/LayoutTests/fast/shadow-dom/slot-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-crash-expected.txt 2016-05-25 19:04:47 UTC (rev 201393)
@@ -0,0 +1 @@
+This test passes if it doesn't crash/assert.
Added: trunk/LayoutTests/fast/shadow-dom/slot-crash.html (0 => 201393)
--- trunk/LayoutTests/fast/shadow-dom/slot-crash.html (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-crash.html 2016-05-25 19:04:47 UTC (rev 201393)
@@ -0,0 +1,23 @@
+<html id="webtest0">
+<head></head>
+<body>
+This test passes if it doesn't crash/assert.
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+for (wf_i=0;wf_i<30;wf_i++) {
+var scroll_35 = document.createElement("iframe");
+document.getElementById("webtest0").appendChild(document.createElement("slot")).appendChild(scroll_35);
+}
+
+document.body.offsetLeft;
+
+head = document.getElementsByTagName("head")[0];
+style = document.createElement("style");
+style.type = "text/css";
+style.innerHTML="* { position: absolute; }";
+head.appendChild(style);
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (201392 => 201393)
--- trunk/Source/WebCore/ChangeLog 2016-05-25 18:59:40 UTC (rev 201392)
+++ trunk/Source/WebCore/ChangeLog 2016-05-25 19:04:47 UTC (rev 201393)
@@ -1,3 +1,25 @@
+2016-05-25 Antti Koivisto <[email protected]>
+
+ Shadow DOM: RenderTreePosition miscomputed when display:contents value changes
+ https://bugs.webkit.org/show_bug.cgi?id=158072
+ rdar://problem/25766333
+
+ Reviewed by Darin Adler.
+
+ Test: fast/shadow-dom/slot-crash.html
+
+ * style/RenderTreePosition.h:
+ (WebCore::RenderTreePosition::invalidateNextSibling):
+
+ Add unconditional invalidation function.
+
+ * style/RenderTreeUpdater.cpp:
+ (WebCore::RenderTreeUpdater::updateElementRenderer):
+
+ With display:contents rendering siblings may be found from the subtree and the existing cached
+ position may become invalid.
+ If the display:contents value changes invalidate the current render tree position.
+
2016-05-25 Brady Eidson <[email protected]>
Modern IDB: IDB objects from a worker thread might be destroyed on the main thread.
Modified: trunk/Source/WebCore/style/RenderTreePosition.h (201392 => 201393)
--- trunk/Source/WebCore/style/RenderTreePosition.h 2016-05-25 18:59:40 UTC (rev 201392)
+++ trunk/Source/WebCore/style/RenderTreePosition.h 2016-05-25 19:04:47 UTC (rev 201393)
@@ -59,6 +59,7 @@
bool canInsert(RenderText&) const;
void computeNextSibling(const Node&);
+ void invalidateNextSibling() { m_hasValidNextSibling = false; }
void invalidateNextSibling(const RenderObject&);
RenderObject* previousSiblingRenderer(const Text&) const;
Modified: trunk/Source/WebCore/style/RenderTreeUpdater.cpp (201392 => 201393)
--- trunk/Source/WebCore/style/RenderTreeUpdater.cpp 2016-05-25 18:59:40 UTC (rev 201392)
+++ trunk/Source/WebCore/style/RenderTreeUpdater.cpp 2016-05-25 19:04:47 UTC (rev 201393)
@@ -245,7 +245,11 @@
tearDownRenderers(element, TeardownType::KeepHoverAndActive);
bool hasDisplayContest = update.style && update.style->display() == CONTENTS;
- element.setHasDisplayContents(hasDisplayContest);
+ if (hasDisplayContest != element.hasDisplayContents()) {
+ element.setHasDisplayContents(hasDisplayContest);
+ // Render tree position needs to be recomputed as rendering siblings may be found from the display:contents subtree.
+ renderTreePosition().invalidateNextSibling();
+ }
bool shouldCreateNewRenderer = !element.renderer() && update.style && !hasDisplayContest;
if (shouldCreateNewRenderer) {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
