Title: [257129] trunk
Revision: 257129
Author: [email protected]
Date: 2020-02-21 00:26:17 -0800 (Fri, 21 Feb 2020)

Log Message

Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
https://bugs.webkit.org/show_bug.cgi?id=207296
<rdar://problem/49687828>

Patch by Jack Lee <[email protected]> on 2020-02-21
Reviewed by Antti Koivisto.

When a multi-column fragment flow gains a new in-flow descendant, we need to call
multiColumnDescendantInserted so RenderMultiColumnSet would be created for the new
descendant.

Source/WebCore:

Test: fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html

* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock):

LayoutTests:

* TestExpectations:
* fast/multicol/fragflow-gains-new-in-flow-descendant-crash-expected.txt: Added.
* fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (257128 => 257129)


--- trunk/LayoutTests/ChangeLog	2020-02-21 07:44:06 UTC (rev 257128)
+++ trunk/LayoutTests/ChangeLog	2020-02-21 08:26:17 UTC (rev 257129)
@@ -1,3 +1,19 @@
+2020-02-21  Jack Lee  <[email protected]>
+
+        Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
+        https://bugs.webkit.org/show_bug.cgi?id=207296
+        <rdar://problem/49687828>
+
+        Reviewed by Antti Koivisto.
+
+        When a multi-column fragment flow gains a new in-flow descendant, we need to call
+        multiColumnDescendantInserted so RenderMultiColumnSet would be created for the new
+        descendant.
+
+        * TestExpectations:
+        * fast/multicol/fragflow-gains-new-in-flow-descendant-crash-expected.txt: Added.
+        * fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html: Added.
+
 2020-02-20  Eric Carlson  <[email protected]>
 
         Support in-band metadata cues when loading media in the GPU Process

Modified: trunk/LayoutTests/TestExpectations (257128 => 257129)


--- trunk/LayoutTests/TestExpectations	2020-02-21 07:44:06 UTC (rev 257128)
+++ trunk/LayoutTests/TestExpectations	2020-02-21 08:26:17 UTC (rev 257129)
@@ -2884,6 +2884,8 @@
 
 [ Debug ] fast/multicol/crash-in-vertical-writing-mode.html [ Skip ]
 
+webkit.org/b/202805 [ Debug ] fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html [ Crash ]
+
 webkit.org/b/187269 [ Debug ] imported/w3c/web-platform-tests/FileAPI/reading-data-section/filereader_abort.html [ Skip ]
 
 webkit.org/b/185308 legacy-animation-engine/animations/combo-transform-translate+scale.html [ Pass Failure ]
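Review bot: The added `[ Debug ] ... [ Crash ]` expectation marks the new regression test as an expected crash in Debug builds and cites webkit.org/b/202805, while this change is filed under bug 207296. The test's own pass condition is that WebKit does not crash or hit an assertion, so with this entry Debug bots give no signal on whether the fix holds. Please state in the ChangeLog (the `* TestExpectations:` entry is empty) what still fails in Debug and how 202805 relates, so the expectation can be dropped once that bug is resolved.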

Added: trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash-expected.txt (0 => 257129)


--- trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash-expected.txt	2020-02-21 08:26:17 UTC (rev 257129)
@@ -0,0 +1 @@
+Tests multicol when a fragment flow gains a new in-flow descendant. The test passes if WebKit doesn't crash or hit an assertion.

Added: trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html (0 => 257129)


--- trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html	2020-02-21 08:26:17 UTC (rev 257129)
@@ -0,0 +1,13 @@
+<style>
+#outer {
+    -webkit-columns: 2;
+}
+#inner {
+    position: absolute;
+}
+</style><div id=outer><div id=inner><span>Tests multicol when a fragment flow gains a new in-flow descendant. The test passes if WebKit doesn't crash or hit an assertion.</span><iframe></iframe></div></div><script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.body.offsetHeight;
+    inner.style.position = "static";
+</script>
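Review bot: The script block depends on two implicit behaviours that are not commented: `document.body.offsetHeight` is read only to force a layout before the style change, and `inner` is resolved through the named-element global rather than `document.getElementById("inner")`. A short comment saying that the render tree must be built while `#inner` is `position: absolute` and that the switch to `static` is what makes it an in-flow descendant of the column flow would keep the test from being "cleaned up" into something that no longer exercises the fixed path. The empty `<iframe>` is also unexplained; if it is required to reach the crash, say so, otherwise drop it to keep the reduction minimal.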

Modified: trunk/Source/WebCore/ChangeLog (257128 => 257129)


--- trunk/Source/WebCore/ChangeLog	2020-02-21 07:44:06 UTC (rev 257128)
+++ trunk/Source/WebCore/ChangeLog	2020-02-21 08:26:17 UTC (rev 257129)
@@ -1,3 +1,20 @@
+2020-02-21  Jack Lee  <[email protected]>
+
+        Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
+        https://bugs.webkit.org/show_bug.cgi?id=207296
+        <rdar://problem/49687828>
+
+        Reviewed by Antti Koivisto.
+
+        When a multi-column fragment flow gains a new in-flow descendant, we need to call
+        multiColumnDescendantInserted so RenderMultiColumnSet would be created for the new
+        descendant.
+
+        Test: fast/multicol/fragflow-gains-new-in-flow-descendant-crash.html
+
+        * rendering/updating/RenderTreeBuilder.cpp:
+        (WebCore::RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock):
+
 2020-02-20  Michael Catanzaro  <[email protected]>
 
         [GTK] Improve user agent quirk for Google Docs and Google Drive
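Review bot: The entry for `(WebCore::RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock):` has no per-function description, and the summary does not say which pointer is null when RenderStyle::isFlippedBlocksWritingMode is reached. One sentence linking the missing RenderMultiColumnSet to the null dereference would make the entry usable for anyone triaging a similar crash signature later, and would record why calling multiColumnDescendantInserted at this point is the right place for the fix rather than a null check at the crash site.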

Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (257128 => 257129)


--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2020-02-21 07:44:06 UTC (rev 257128)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2020-02-21 08:26:17 UTC (rev 257129)
@@ -694,6 +694,12 @@
             // We need to re-run the grid items placement if it had gained a new item.
             if (newParent != parent && is<RenderGrid>(*newParent))
                 downcast<RenderGrid>(*newParent).dirtyGrid();
+            else if (auto* enclosingFragmentedFlow = newParent->enclosingFragmentedFlow()) {
+                if (is<RenderMultiColumnFlow>(*enclosingFragmentedFlow)) {
+                    // Let the fragmented flow know that it has a new in-flow descendant.
+                    multiColumnBuilder().multiColumnDescendantInserted(downcast<RenderMultiColumnFlow>(*enclosingFragmentedFlow), child);
+                }
+            }
         }
     } else {
         // An anonymous block must be made to wrap this inline.
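Review bot: The new branch is attached as `else if` to the `newParent != parent && is<RenderGrid>(*newParent)` condition, so the multi-column notification and `dirtyGrid()` are mutually exclusive. When the new parent is a RenderGrid that itself sits inside a RenderMultiColumnFlow, the grid branch is taken and `multiColumnDescendantInserted` is never called, which looks like the same missing-column-set situation this change is meant to prevent. Unless that case is known to be unreachable, make this an independent `if` after the grid check, and move or extend the "re-run the grid items placement" comment so it no longer reads as covering both branches. A second layout test with a grid container inside the multicol element would confirm which behaviour is intended.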