Skip to site navigation (Press enter)

[webkit-changes] [207930] trunk

zalan Wed, 26 Oct 2016 19:49:59 -0700

Title: [207930] trunk

Revision: 207930
Author: [email protected]
Date: 2016-10-26 19:49:54 -0700 (Wed, 26 Oct 2016)

Log Message

Ignore out-of-flow siblings when searching for a spanner candidate.
https://bugs.webkit.org/show_bug.cgi?id=164042.
<rdar://problem/28758456>


Reviewed by Simon Fraser.

Source/WebCore:

While searching for the spanner candidates in a flow thread, we have to take into account
whether renderers are in- or out-of-flow.
What it means is that while traversing the renderer tree to find the the candidate
renderer (next sibling/ancestor's next child in pre-order traversal), we have to check if the candidate
is in the same layout context too.

Test: fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html

* rendering/RenderMultiColumnFlowThread.cpp:
(WebCore::spannerPlacehoderCandidate):
(WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant):

LayoutTests:

* fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt: Added.
* fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp

Added Paths

trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt
trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html

Diff

Modified: trunk/LayoutTests/ChangeLog (207929 => 207930)


--- trunk/LayoutTests/ChangeLog	2016-10-27 02:18:51 UTC (rev 207929)
+++ trunk/LayoutTests/ChangeLog	2016-10-27 02:49:54 UTC (rev 207930)
@@ -1,3 +1,14 @@
+2016-10-26  Zalan Bujtas  <[email protected]>
+
+        Ignore out-of-flow siblings when searching for a spanner candidate.
+        https://bugs.webkit.org/show_bug.cgi?id=164042.
+        <rdar://problem/28758456>
+
+        Reviewed by Simon Fraser.
+
+        * fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt: Added.
+        * fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html: Added.
+
 2016-10-26  Dan Bernstein  <[email protected]>
 
         When pasting web archive, width specifiers in srcset attribute change into density specifiers

Added: trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt (0 => 207930)


--- trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow-expected.txt	2016-10-27 02:49:54 UTC (rev 207930)
@@ -0,0 +1,3 @@
+
+Pass if no crash.
+

Added: trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html (0 => 207930)


--- trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html	2016-10-27 02:49:54 UTC (rev 207930)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that find the proper spanner in flow when out-of-flow elements are present.</title>
+<style>
+.multiCol {
+  column-count: 2;
+  position: absolute;
+}
+
+.spanner {
+  column-span: all;
+}
+</style>
+</head>
+<body class=multiCol>
+  <svg xmlns="http://www.w3.org/2000/svg">
+    <foreignobject class=multiCol>
+      <div class=multiCol><br></div>
+      <div class=spanner>Pass if no crash.</div>
+    </foreignobject>
+  </svg>
+</body>
+<script>
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+  }
+  
+  setTimeout(function() {
+    document.body.style.columnCount = "unset";    
+    if (window.testRunner)
+      testRunner.notifyDone();
+  }, 0);
+</script>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (207929 => 207930)


--- trunk/Source/WebCore/ChangeLog	2016-10-27 02:18:51 UTC (rev 207929)
+++ trunk/Source/WebCore/ChangeLog	2016-10-27 02:49:54 UTC (rev 207930)
@@ -1,3 +1,23 @@
+2016-10-26  Zalan Bujtas  <[email protected]>
+
+        Ignore out-of-flow siblings when searching for a spanner candidate.
+        https://bugs.webkit.org/show_bug.cgi?id=164042.
+        <rdar://problem/28758456>
+
+        Reviewed by Simon Fraser.
+
+        While searching for the spanner candidates in a flow thread, we have to take into account
+        whether renderers are in- or out-of-flow.
+        What it means is that while traversing the renderer tree to find the the candidate
+        renderer (next sibling/ancestor's next child in pre-order traversal), we have to check if the candidate
+        is in the same layout context too.
+
+        Test: fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html
+
+        * rendering/RenderMultiColumnFlowThread.cpp:
+        (WebCore::spannerPlacehoderCandidate):
+        (WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant):
+
 2016-10-26  Brian Burg  <[email protected]>
 
         Web Inspector: remove unused bool return value from FrontendChannel::sendMessageToFrontend

Modified: trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp (207929 => 207930)


--- trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp	2016-10-27 02:18:51 UTC (rev 207929)
+++ trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp	2016-10-27 02:49:54 UTC (rev 207930)
@@ -270,10 +270,34 @@
     return false;
 }
 
+static RenderObject* spannerPlacehoderCandidate(const RenderObject& renderer, const RenderMultiColumnFlowThread& stayWithin)
+{
+    // Spanner candidate is a next sibling/ancestor's next child within the flow thread and
+    // it is in the same inflow/out-of-flow layout context.
+    if (renderer.isOutOfFlowPositioned())
+        return nullptr;
+
+    ASSERT(renderer.isDescendantOf(&stayWithin));
+    auto* current = &renderer;
+    while (true) {
+        // Skip to the first in-flow sibling.
+        auto* nextSibling = current->nextSibling();
+        while (nextSibling && nextSibling->isOutOfFlowPositioned())
+            nextSibling = nextSibling->nextSibling();
+        if (nextSibling)
+            return nextSibling;
+        // No sibling candidate, jump to the parent and check its siblings.
+        current = current->parent();
+        if (!current || current == &stayWithin || current->isOutOfFlowPositioned())
+            return nullptr;
+    }
+    return nullptr;
+}
+
 RenderObject* RenderMultiColumnFlowThread::processPossibleSpannerDescendant(RenderObject*& subtreeRoot, RenderObject* descendant)
 {
     RenderBlockFlow* multicolContainer = multiColumnBlockFlow();
-    RenderObject* nextRendererInFlowThread = descendant->nextInPreOrderAfterChildren(this);
+    RenderObject* nextRendererInFlowThread = spannerPlacehoderCandidate(*descendant, *this);
     RenderObject* insertBeforeMulticolChild = nullptr;
     RenderObject* nextDescendant = descendant;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes