[webkit-changes] [210120] trunk

Thu, 22 Dec 2016 15:49:41 -0800

Title: [210120] trunk
Revision
210120
Author
[email protected]
Date
2016-12-22 15:48:53 -0800 (Thu, 22 Dec 2016)

Log Message

Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
https://bugs.webkit.org/show_bug.cgi?id=166436
rdar://problem/29772233

Reviewed by Simon Fraser.

Source/WebCore:

When as the result of certain style change, the generated anonymous block is not needed anymore, we
move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
block, the cleanup code should just ignore it the same way we ignore boxes like multicolumn, mathml etc.

Test: fast/regions/flow-fragment-as-anonymous-block-crash.html

* rendering/RenderObject.h:
(WebCore::RenderObject::isAnonymousBlock):

LayoutTests:

* fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
* fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (210119 => 210120)


--- trunk/LayoutTests/ChangeLog	2016-12-22 23:23:51 UTC (rev 210119)
+++ trunk/LayoutTests/ChangeLog	2016-12-22 23:48:53 UTC (rev 210120)
@@ -1,3 +1,14 @@
+2016-12-22  Zalan Bujtas  <[email protected]>
+
+        Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+        https://bugs.webkit.org/show_bug.cgi?id=166436
+        rdar://problem/29772233
+
+        Reviewed by Simon Fraser.
+
+        * fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
+        * fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.
+
 2016-12-22  Wenson Hsieh  <[email protected]>
 
         CSS Scroll Snap does not work if scrollbar is hidden

Added: trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt (0 => 210120)


--- trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt	2016-12-22 23:48:53 UTC (rev 210120)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+

Added: trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html (0 => 210120)


--- trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html	2016-12-22 23:48:53 UTC (rev 210120)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't destroy the fragment anonymous block while cleaning up the render tree.</title> 
+<style>
+li { 
+  -webkit-flow-from: foobar;
+}
+
+q {
+  display: list-item;
+  -webkit-flow-from: foobar;
+}
+
+.fuzz0::before{
+  display: block;
+}
+</style>
+</head>
+<body>
+PASS if no crash or assert.
+<li></li><q></q>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+document.body.offsetHeight;
+document.getElementsByTagName("q")[0].className = "fuzz0";
+document.body.offsetHeight;
+</script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (210119 => 210120)


--- trunk/Source/WebCore/ChangeLog	2016-12-22 23:23:51 UTC (rev 210119)
+++ trunk/Source/WebCore/ChangeLog	2016-12-22 23:48:53 UTC (rev 210120)
@@ -1,3 +1,20 @@
+2016-12-22  Zalan Bujtas  <[email protected]>
+
+        Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+        https://bugs.webkit.org/show_bug.cgi?id=166436
+        rdar://problem/29772233
+
+        Reviewed by Simon Fraser.
+
+        When as the result of certain style change, the generated anonymous block is not needed anymore, we
+        move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
+        block, the cleanup code should just ignore it the same way we ignore boxes like multicolumn, mathml etc. 
+
+        Test: fast/regions/flow-fragment-as-anonymous-block-crash.html
+
+        * rendering/RenderObject.h:
+        (WebCore::RenderObject::isAnonymousBlock):
+
 2016-12-22  Wenson Hsieh  <[email protected]>
 
         CSS Scroll Snap does not work if scrollbar is hidden

Modified: trunk/Source/WebCore/rendering/RenderObject.h (210119 => 210120)


--- trunk/Source/WebCore/rendering/RenderObject.h	2016-12-22 23:23:51 UTC (rev 210119)
+++ trunk/Source/WebCore/rendering/RenderObject.h	2016-12-22 23:48:53 UTC (rev 210120)
@@ -410,7 +410,7 @@
         // RenderBlock::createAnonymousBlock(). This includes creating an anonymous
         // RenderBlock having a BLOCK or BOX display. Other classes such as RenderTextFragment
         // are not RenderBlocks and will return false. See https://bugs.webkit.org/show_bug.cgi?id=56709. 
-        return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderMultiColumnSet() && !isRenderView()
+        return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderNamedFlowFragment() && !isRenderMultiColumnSet() && !isRenderView()
 #if ENABLE(FULLSCREEN_API)
             && !isRenderFullScreen()
             && !isRenderFullScreenPlaceholder()

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to