Title: [269954] trunk/Source/WebCore
- Revision: 269954
- Author: [email protected]
- Date: 2020-11-18 07:03:19 -0800 (Wed, 18 Nov 2020)
Log Message
RenderTreeBuilderBlock using an incorrect anonymous parent to attach a new renderer
https://bugs.webkit.org/show_bug.cgi?id=218505
Reviewed by Antti Koivisto.
Let's consider the following simplified render tree:
    PARENT
      |___beforeChildAnonymousContainer
            |___hierarchy of anonymous blocks
                  |___beforeChild
When RenderTreeBuilderBlock is attaching a new renderer given PARENT and beforeChild, it first tries to attach it to the PARENT
if beforeChild is a direct child of PARENT. Otherwise it assumes that beforeChild is the direct child of an anonymous block which is
in between PARENT and beforeChild. However in some cases, as the one presented above, beforeChild might have a whole hierarchy of
anonymous blocks in between. That's why we cannot assume that beforeChild->parent() is a direct child of PARENT. Instead we should use
beforeChildAnonymousContainer as the parent of the new renderer.
* rendering/updating/RenderTreeBuilderBlock.cpp:
(WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation): Use beforeChildAnonymousContainer instead of beforeChild->parent().
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (269953 => 269954)
--- trunk/Source/WebCore/ChangeLog 2020-11-18 15:01:03 UTC (rev 269953)
+++ trunk/Source/WebCore/ChangeLog 2020-11-18 15:03:19 UTC (rev 269954)
@@ -1,3 +1,26 @@
+2020-11-17 Sergio Villar Senin <[email protected]>
+
+ RenderTreeBuilderBlock using an incorrect anonymous parent to attach a new renderer
+ https://bugs.webkit.org/show_bug.cgi?id=218505
+
+ Reviewed by Antti Koivisto.
+
+ Let's consider the following simplified render tree:
+
+ PARENT
+ |___beforeChildAnonymousContainer
+ |___hierarchy of anonymous blocks
+ |___beforeChild
+
+ When RenderTreeBuilderBlock is attaching a new renderer given PARENT and beforeChild, it first tries to attach it to the PARENT
+ if beforeChild is a direct child of PARENT. Otherwise it assumes that beforeChild is the direct child of an anonymous block which is
+ in between PARENT and beforeChild. However in some cases, as the one presented above, beforeChild might have a whole hierarchy of
+ anonymous blocks in between. That's why we cannot assume that beforeChild->parent() is a direct child of PARENT. Instead we should use
+ beforeChildAnonymousContainer as the parent of the new renderer.
+
+ * rendering/updating/RenderTreeBuilderBlock.cpp:
+ (WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation): Use beforeChildAnonymousContainer instead of beforeChild->parent().
+
2020-11-18 Sam Weinig <[email protected]>
Address additional feedback from https://bugs.webkit.org/show_bug.cgi?id=218960
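Review bot: The new ChangeLog entry names no regression test and does not say why one is absent; the only file it lists is rendering/updating/RenderTreeBuilderBlock.cpp. Since the entry describes a specific tree shape (a hierarchy of anonymous blocks between beforeChildAnonymousContainer and beforeChild), please add a layout test that builds that shape and attaches a renderer before beforeChild, and reference it in the entry, or state explicitly that no new test is included and why. Without it, nothing guards against this parent selection regressing.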
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp (269953 => 269954)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp 2020-11-18 15:01:03 UTC (rev 269953)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp 2020-11-18 15:03:19 UTC (rev 269954)
@@ -186,8 +186,8 @@
#endif
) {
// Insert the child into the anonymous block box instead of here.
- if (child->isInline() || beforeChild->parent()->firstChild() != beforeChild)
- m_builder.attach(*beforeChild->parent(), WTFMove(child), beforeChild);
+ if (child->isInline() || beforeChildAnonymousContainer->firstChild() != beforeChild)
+ m_builder.attach(*beforeChildAnonymousContainer, WTFMove(child), beforeChild);
else
m_builder.attach(parent, WTFMove(child), beforeChild->parent());
return;
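Review bot: In the rewritten if branch, beforeChild is still passed as the insertion point while the attach target becomes beforeChildAnonymousContainer. In the case the log message describes, beforeChild is not a direct child of that container, so `beforeChildAnonymousContainer->firstChild() != beforeChild` is always true there and attach() receives a beforeChild that is a deeper descendant of its parent argument. Please confirm that m_builder.attach() resolves a non-child beforeChild correctly, and either say so in the comment above the branch or add an assertion documenting the expected relationship. Separately, the unchanged else branch is only reached when beforeChild is the container's first child, so `beforeChild->parent()` there is the same object as beforeChildAnonymousContainer; using the new name in both branches would make that invariant visible and avoid a second way of spelling the same renderer.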