Title: [211942] releases/WebKitGTK/webkit-2.14
- Revision
- 211942
- Author
- [email protected]
- Date
- 2017-02-09 00:56:15 -0800 (Thu, 09 Feb 2017)
Log Message
Merge r210120 - Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
https://bugs.webkit.org/show_bug.cgi?id=166436
rdar://problem/29772233
Reviewed by Simon Fraser.
Source/WebCore:
When as the result of certain style change, the generated anonymous block is not needed anymore, we
move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
block, the cleanup code should just ignore it the same way we ignore boxes like multicolumn, mathml etc.
Test: fast/regions/flow-fragment-as-anonymous-block-crash.html
* rendering/RenderObject.h:
(WebCore::RenderObject::isAnonymousBlock):
LayoutTests:
* fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
* fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (211941 => 211942)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-02-09 08:56:03 UTC (rev 211941)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-02-09 08:56:15 UTC (rev 211942)
@@ -1,3 +1,14 @@
+2016-12-22 Zalan Bujtas <[email protected]>
+
+ Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+ https://bugs.webkit.org/show_bug.cgi?id=166436
+ rdar://problem/29772233
+
+ Reviewed by Simon Fraser.
+
+ * fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
+ * fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.
+
2016-12-16 Zalan Bujtas <[email protected]>
Defer certain accessibility callbacks until after layout is finished.
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt (0 => 211942)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt 2017-02-09 08:56:15 UTC (rev 211942)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html (0 => 211942)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html 2017-02-09 08:56:15 UTC (rev 211942)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't destroy the fragment anonymous block while cleaning up the render tree.</title>
+<style>
+li {
+ -webkit-flow-from: foobar;
+}
+
+q {
+ display: list-item;
+ -webkit-flow-from: foobar;
+}
+
+.fuzz0::before{
+ display: block;
+}
+</style>
+</head>
+<body>
+PASS if no crash or assert.
+<li></li><q></q>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.body.offsetHeight;
+document.getElementsByTagName("q")[0].className = "fuzz0";
+document.body.offsetHeight;
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (211941 => 211942)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-02-09 08:56:03 UTC (rev 211941)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-02-09 08:56:15 UTC (rev 211942)
@@ -1,3 +1,20 @@
+2016-12-22 Zalan Bujtas <[email protected]>
+
+ Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+ https://bugs.webkit.org/show_bug.cgi?id=166436
+ rdar://problem/29772233
+
+ Reviewed by Simon Fraser.
+
+ When as the result of certain style change, the generated anonymous block is not needed anymore, we
+ move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
+ block, the cleanup code should just ignore it the same way we ignore boxes like multicolumn, mathml etc.
+
+ Test: fast/regions/flow-fragment-as-anonymous-block-crash.html
+
+ * rendering/RenderObject.h:
+ (WebCore::RenderObject::isAnonymousBlock):
+
2016-12-16 Zalan Bujtas <[email protected]>
Defer certain accessibility callbacks until after layout is finished.
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderObject.h (211941 => 211942)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderObject.h 2017-02-09 08:56:03 UTC (rev 211941)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderObject.h 2017-02-09 08:56:15 UTC (rev 211942)
@@ -412,7 +412,7 @@
// RenderBlock::createAnonymousBlock(). This includes creating an anonymous
// RenderBlock having a BLOCK or BOX display. Other classes such as RenderTextFragment
// are not RenderBlocks and will return false. See https://bugs.webkit.org/show_bug.cgi?id=56709.
- return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderMultiColumnSet() && !isRenderView()
+ return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderNamedFlowFragment() && !isRenderMultiColumnSet() && !isRenderView()
#if ENABLE(FULLSCREEN_API)
&& !isRenderFullScreen()
&& !isRenderFullScreenPlaceholder()
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
