Title: [207923] branches/safari-602-branch

Diff

Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207922 => 207923)


--- branches/safari-602-branch/LayoutTests/ChangeLog	2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/LayoutTests/ChangeLog	2016-10-26 23:18:13 UTC (rev 207923)
@@ -1,5 +1,20 @@
 2016-10-26  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r207683. rdar://problem/28849627
+
+    2016-10-21  Zalan Bujtas  <za...@apple.com>
+
+            Do not mutate the render tree while collecting selection repaint rects.
+            https://bugs.webkit.org/show_bug.cgi?id=163800
+            <rdar://problem/28806886>
+
+            Reviewed by David Hyatt.
+
+            * fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt: Added.
+            * fast/lists/crash-when-list-marker-is-moved-during-selection.html: Added.
+
+2016-10-26  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r207661. rdar://problem/28857478
 
     2016-10-21  Jer Noble  <jer.no...@apple.com>

Added: branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt (0 => 207923)


--- branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection-expected.txt	2016-10-26 23:18:13 UTC (rev 207923)
@@ -0,0 +1,2 @@
+Pass if no crash or assert.
+

Added: branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html (0 => 207923)


--- branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/lists/crash-when-list-marker-is-moved-during-selection.html	2016-10-26 23:18:13 UTC (rev 207923)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't mutate the render tree during selection.</title>
+<style>
+  body {
+    column-count: 2;
+  }
+</style>
+<script>
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+  }
+  
+  function runTest() {
+    setTimeout(function() {
+      li.style.webkitWritingMode = "horizontal-tb";
+      innerSpan.style.display = "list-item";
+      mostInnerSpan.style.display = "list-item";
+      document.getSelection().setBaseAndExtent(container, 0, document.body, document.body.childNodes.length);
+      if (window.testRunner)
+        testRunner.notifyDone();
+    }, 0);
+  }
+</script>
+</head>
+<body _onload_=runTest()>
+Pass if no crash or assert.
+<div id="container" style="-webkit-writing-mode: vertical-rl"><table><tr><td><li id="li"><span id="innerSpan"><span id="mostInnerSpan"></span></span></li></tr></td></table>
+</body>
+</html>
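Review bot: `<body _onload_=runTest()>` is not a recognised event-handler attribute, so as the hunk stands runTest() is never invoked and the test would wait in testRunner.waitUntilDone() until the harness times out instead of exercising the selection path; if `_onload_` is the list archive rewriting `onload`, the committed file is fine, otherwise the tag should read `<body onload="runTest()">`. Two smaller points: the script reaches `container`, `li`, `innerSpan` and `mostInnerSpan` through the implicit window-property lookup of element ids, which works in WebKit but `document.getElementById` would make the intent explicit; and `<tr><td><li>...</li></tr></td>` closes the tags in the wrong order, which is presumably deliberate malformed markup for the crash reproduction (the parser repairs it), so a one-line comment saying so would keep a future cleanup from "fixing" it.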

Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207922 => 207923)


--- branches/safari-602-branch/Source/WebCore/ChangeLog	2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog	2016-10-26 23:18:13 UTC (rev 207923)
@@ -1,5 +1,28 @@
 2016-10-26  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r207683. rdar://problem/28849627
+
+    2016-10-21  Zalan Bujtas  <za...@apple.com>
+
+            Do not mutate the render tree while collecting selection repaint rects.
+            https://bugs.webkit.org/show_bug.cgi?id=163800
+            <rdar://problem/28806886>
+
+            Reviewed by David Hyatt.
+
+            RenderListItem not only mutates the tree while in layout but it also uses
+            the old descendant context to find the insertion point.
+            This patch strictly ensures that we only do it while in layout and never
+            in other cases such as collecting repaint rects.
+            This gets redundant when webkit.org/b/163789 is fixed.
+
+            Test: fast/lists/crash-when-list-marker-is-moved-during-selection.html
+
+            * rendering/RenderListItem.cpp:
+            (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
+
+2016-10-26  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r207661. rdar://problem/28857478
 
     2016-10-21  Jer Noble  <jer.no...@apple.com>

Modified: branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp (207922 => 207923)


--- branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp	2016-10-26 23:18:09 UTC (rev 207922)
+++ branches/safari-602-branch/Source/WebCore/rendering/RenderListItem.cpp	2016-10-26 23:18:13 UTC (rev 207923)
@@ -274,6 +274,11 @@
     if (!m_marker)
         return;
 
+    // FIXME: Do not even try reposition the marker when we are not in layout
+    // until after we fixed webkit.org/b/163789.
+    if (!view().frameView().isInRenderTreeLayout())
+        return;
+
     RenderElement* currentParent = m_marker->parent();
     RenderBlock* newParent = getParentOfFirstLineBox(*this, *m_marker);
     if (!newParent) {
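Review bot: the new early return in insertOrMoveMarkerRendererIfNeeded silently skips repositioning whenever `view().frameView().isInRenderTreeLayout()` is false, so a caller outside layout (the selection repaint-rect collection the ChangeLog names) now sees the marker under its old parent; that is the intended behaviour, but the FIXME only says "do not even try", so it should also say that the marker is moved on the next layout pass, otherwise a later reader may treat the stale position as a bug. Small grammar fix in the comment: "Do not even try reposition the marker" should read "Do not even try to reposition the marker". Worth considering whether the guard should be paired with an ASSERT or a comment at the non-layout call site, since placing it here hides which caller was reaching this function mid-repaint.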
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes