Title: [245353] branches/safari-607-branch
- Revision: 245353
- Author: [email protected]
- Date: 2019-05-15 14:44:58 -0700 (Wed, 15 May 2019)
Log Message
Cherry-pick r245158. rdar://problem/50753914
Do not mix inline and block level boxes.
https://bugs.webkit.org/show_bug.cgi?id=197462
<rdar://problem/50369362>
Reviewed by Antti Koivisto.
Source/WebCore:
This patch tightens the remove-anonymous-wrappers logic by checking if the removal would
produce an inline-block sibling mix.
When a block level box is removed from the tree, we check if after the removal the anonymous sibling block
boxes are still needed or whether we can remove them as well (and have only inline level child boxes).
In addition to checking if the container is anonymous and is part of a continuation, we also need to check
if collapsing it (and by that moving its children one level up) would cause an inline-block box mix.
Test: fast/ruby/continuation-and-column-spanner-crash.html
* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded):
* rendering/updating/RenderTreeBuilderContinuation.cpp:
(WebCore::RenderTreeBuilder::Continuation::cleanupOnDestroy):
LayoutTests:
* fast/ruby/continuation-and-column-spanner-crash-expected.txt: Added.
* fast/ruby/continuation-and-column-spanner-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245158 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-607-branch/LayoutTests/ChangeLog (245352 => 245353)
--- branches/safari-607-branch/LayoutTests/ChangeLog 2019-05-15 21:44:54 UTC (rev 245352)
+++ branches/safari-607-branch/LayoutTests/ChangeLog 2019-05-15 21:44:58 UTC (rev 245353)
@@ -1,5 +1,49 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r245158. rdar://problem/50753914
+
+ Do not mix inline and block level boxes.
+ https://bugs.webkit.org/show_bug.cgi?id=197462
+ <rdar://problem/50369362>
+
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ This patch tightens the remove-anonymous-wrappers logic by checking if the removal would
+ produce an inline-block sibling mix.
+ When a block level box is removed from the tree, we check if after the removal the anonymous sibling block
+ boxes are still needed or whether we can removed them as well (and have only inline level child boxes).
+ In addition to checking if the container is anonymous and is part of a continuation, we also need to check
+ if collapsing it (and by that moving its children one level up) would cause a inline-block box mix.
+
+ Test: fast/ruby/continuation-and-column-spanner-crash.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded):
+ * rendering/updating/RenderTreeBuilderContinuation.cpp:
+ (WebCore::RenderTreeBuilder::Continuation::cleanupOnDestroy):
+
+ LayoutTests:
+
+ * fast/ruby/continuation-and-column-spanner-crash-expected.txt: Added.
+ * fast/ruby/continuation-and-column-spanner-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245158 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-08 Zalan Bujtas <[email protected]>
+
+ Do not mix inline and block level boxes.
+ https://bugs.webkit.org/show_bug.cgi?id=197462
+ <rdar://problem/50369362>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/ruby/continuation-and-column-spanner-crash-expected.txt: Added.
+ * fast/ruby/continuation-and-column-spanner-crash.html: Added.
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r239742. rdar://problem/50753925
Prevent cross-site top-level navigations from third-party iframes
Added: branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash-expected.txt (0 => 245353)
--- branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash-expected.txt (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash-expected.txt 2019-05-15 21:44:58 UTC (rev 245353)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+
Added: branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash.html (0 => 245353)
--- branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash.html (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/ruby/continuation-and-column-spanner-crash.html 2019-05-15 21:44:58 UTC (rev 245353)
@@ -0,0 +1,10 @@
+PASS if no crash or assert.
+<ruby><rtc><span><details open="false"><span id=span2></span></details></span><div id=div3></div></rtc><rt id=rt2></rt></ruby><script>
+document.body.offsetHeight;
+rt2.remove();
+span2.remove();
+document.body.offsetHeight;
+div3.style.cssText = "column-span: all";
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
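Review bot: In the markup line, <details open="false"> does not produce a closed details element: open is a boolean attribute, so its presence alone means open, whatever the value. If the crash needs the element open, write plain open so the test does not suggest otherwise; if it needs it closed, drop the attribute. Also, the last mutation (div3.style.cssText = "column-span: all") is not followed by a forced layout the way the earlier steps are, so the test depends on the harness laying out at dump time; a final document.body.offsetHeight would make the step that exercises the fix explicit.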
Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (245352 => 245353)
--- branches/safari-607-branch/Source/WebCore/ChangeLog 2019-05-15 21:44:54 UTC (rev 245352)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog 2019-05-15 21:44:58 UTC (rev 245353)
@@ -1,5 +1,60 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r245158. rdar://problem/50753914
+
+ Do not mix inline and block level boxes.
+ https://bugs.webkit.org/show_bug.cgi?id=197462
+ <rdar://problem/50369362>
+
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ This patch tightens the remove-anonymous-wrappers logic by checking if the removal would
+ produce an inline-block sibling mix.
+ When a block level box is removed from the tree, we check if after the removal the anonymous sibling block
+ boxes are still needed or whether we can removed them as well (and have only inline level child boxes).
+ In addition to checking if the container is anonymous and is part of a continuation, we also need to check
+ if collapsing it (and by that moving its children one level up) would cause a inline-block box mix.
+
+ Test: fast/ruby/continuation-and-column-spanner-crash.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded):
+ * rendering/updating/RenderTreeBuilderContinuation.cpp:
+ (WebCore::RenderTreeBuilder::Continuation::cleanupOnDestroy):
+
+ LayoutTests:
+
+ * fast/ruby/continuation-and-column-spanner-crash-expected.txt: Added.
+ * fast/ruby/continuation-and-column-spanner-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245158 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-09 Zalan Bujtas <[email protected]>
+
+ Do not mix inline and block level boxes.
+ https://bugs.webkit.org/show_bug.cgi?id=197462
+ <rdar://problem/50369362>
+
+ Reviewed by Antti Koivisto.
+
+ This patch tightens the remove-anonymous-wrappers logic by checking if the removal would
+ produce an inline-block sibling mix.
+ When a block level box is removed from the tree, we check if after the removal the anonymous sibling block
+ boxes are still needed or whether we can removed them as well (and have only inline level child boxes).
+ In addition to checking if the container is anonymous and is part of a continuation, we also need to check
+ if collapsing it (and by that moving its children one level up) would cause a inline-block box mix.
+
+ Test: fast/ruby/continuation-and-column-spanner-crash.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded):
+ * rendering/updating/RenderTreeBuilderContinuation.cpp:
+ (WebCore::RenderTreeBuilder::Continuation::cleanupOnDestroy):
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r243820. rdar://problem/50753921
Crash in HTMLCanvasElement::createContext2d after the element got adopted to a new document
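Review bot: The entry for rendering/updating/RenderTreeBuilderContinuation.cpp (WebCore::RenderTreeBuilder::Continuation::cleanupOnDestroy) has no description, and the prose above it only explains the anonymous-wrapper check in removeAnonymousWrappersForInlineChildrenIfNeeded. Add a sentence after that function entry saying why the continuation chain cleanup changed, since it is a separate behaviour change riding in the same patch. While touching the text, "we can removed them" and "a inline-block box mix" should read "we can remove them" and "an inline-block box mix".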
Modified: branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (245352 => 245353)
--- branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2019-05-15 21:44:54 UTC (rev 245352)
+++ branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2019-05-15 21:44:58 UTC (rev 245353)
@@ -683,15 +683,28 @@
// otherwise we can proceed to stripping solitary anonymous wrappers from the inlines.
// FIXME: We should also handle split inlines here - we exclude them at the moment by returning
// if we find a continuation.
- auto* current = blockParent.firstChild();
- while (current && ((current->isAnonymousBlock() && !downcast<RenderBlock>(*current).isContinuation()) || current->style().isFloating() || current->style().hasOutOfFlowPosition()))
- current = current->nextSibling();
+ Optional<bool> shouldAllChildrenBeInline;
+ for (auto* current = blockParent.firstChild(); current; current = current->nextSibling()) {
+ if (current->style().isFloating() || current->style().hasOutOfFlowPosition())
+ continue;
+ if (!current->isAnonymousBlock() || downcast<RenderBlock>(*current).isContinuation())
+ return;
+ // Anonymous block not in continuation. Check if it holds a set of inline or block children and try not to mix them.
+ auto* firstChild = current->firstChildSlow();
+ if (!firstChild)
+ continue;
+ auto isInlineLevelBox = firstChild->isInline();
+ if (!shouldAllChildrenBeInline.hasValue()) {
+ shouldAllChildrenBeInline = isInlineLevelBox;
+ continue;
+ }
+ // Mixing inline and block level boxes?
+ if (*shouldAllChildrenBeInline != isInlineLevelBox)
+ return;
+ }
- if (current)
- return;
-
- RenderObject* next;
- for (current = blockParent.firstChild(); current; current = next) {
+ RenderObject* next = nullptr;
+ for (auto* current = blockParent.firstChild(); current; current = next) {
next = current->nextSibling();
if (current->isAnonymousBlock())
blockBuilder().dropAnonymousBoxChild(blockParent, downcast<RenderBlock>(*current));
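Review bot: The new loop classifies each anonymous block by firstChildSlow()->isInline() alone, so it is only correct if every anonymous block already holds children of a single level; a block whose first child is inline but which has a later block-level child would pass the check and still be collapsed. Either state that invariant in the comment above firstChild or assert it in debug builds. Second, when every anonymous block holds block-level children, shouldAllChildrenBeInline ends up false and the loop falls through to dropAnonymousBoxChild; given the function name (removeAnonymousWrappersForInlineChildrenIfNeeded), please confirm that case is meant to collapse, or return when *shouldAllChildrenBeInline is false. Style: a blank line is missing between the loop's closing brace and "RenderObject* next = nullptr;".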
Modified: branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderContinuation.cpp (245352 => 245353)
--- branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderContinuation.cpp 2019-05-15 21:44:54 UTC (rev 245352)
+++ branches/safari-607-branch/Source/WebCore/rendering/updating/RenderTreeBuilderContinuation.cpp 2019-05-15 21:44:58 UTC (rev 245353)
@@ -37,8 +37,11 @@
void RenderTreeBuilder::Continuation::cleanupOnDestroy(RenderBoxModelObject& renderer)
{
- if (!renderer.continuation() || renderer.isContinuation())
+ if (!renderer.continuation() || renderer.isContinuation()) {
+ if (renderer.hasContinuationChainNode())
+ renderer.removeFromContinuationChain();
return;
+ }
ASSERT(renderer.hasContinuationChainNode());
ASSERT(renderer.continuationChainNode());
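Review bot: The early-return branch now unlinks the chain node for two different states, !renderer.continuation() and renderer.isContinuation(), without saying which of them can still satisfy hasContinuationChainNode() at destroy time. Add a one-line comment inside the new braces naming the state that led to the crash, so the guard is not later taken for dead code and removed. It would also help to cover the renderer.isContinuation() case with its own test, since the added layout test exercises only one path through this function.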