Title: [275133] trunk
- Revision
- 275133
- Author
- [email protected]
- Date
- 2021-03-27 06:51:18 -0700 (Sat, 27 Mar 2021)
Log Message
[Multicolumn] Do not try to re-validate a multicol spanner when the renderer is moved internally
https://bugs.webkit.org/show_bug.cgi?id=223836
<rdar://75742694>
Reviewed by Ryosuke Niwa.
Source/WebCore:
When a renderer becomes a multicol spanner
1. it is moved out of its original tree position and placed as a sibling of the enclosing multicolumn flow and
2. a spanner placeholder is constructed and inserted at the original position
This patch fixes the case when an already placed multicol spanner is internally moved (e.g. collapsing an anonymous block parent)
and we attempt to re-insert this spanner to the multicolumn flow. No spanner state should change due to internal re-parenting.
Test: fast/multicol/spanner-get-re-added-on-move-crash.html
* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::attachToRenderElementInternal):
LayoutTests:
* TestExpectations:
* fast/multicol/spanner-get-re-added-on-move-crash-expected.txt: Added.
* fast/multicol/spanner-get-re-added-on-move-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (275132 => 275133)
--- trunk/LayoutTests/ChangeLog 2021-03-27 10:52:17 UTC (rev 275132)
+++ trunk/LayoutTests/ChangeLog 2021-03-27 13:51:18 UTC (rev 275133)
@@ -1,3 +1,15 @@
+2021-03-27 Zalan Bujtas <[email protected]>
+
+ [Multicolumn] Do not try to re-validate a multicol spanner when the renderer is moved internally
+ https://bugs.webkit.org/show_bug.cgi?id=223836
+ <rdar://75742694>
+
+ Reviewed by Ryosuke Niwa.
+
+ * TestExpectations:
+ * fast/multicol/spanner-get-re-added-on-move-crash-expected.txt: Added.
+ * fast/multicol/spanner-get-re-added-on-move-crash.html: Added.
+
2021-03-26 Robert Jenner <[email protected]>
[ macOS ] inspector/debugger/csp-exceptions.html is a flakey text failure
Modified: trunk/LayoutTests/TestExpectations (275132 => 275133)
--- trunk/LayoutTests/TestExpectations 2021-03-27 10:52:17 UTC (rev 275132)
+++ trunk/LayoutTests/TestExpectations 2021-03-27 13:51:18 UTC (rev 275133)
@@ -5002,3 +5002,4 @@
imported/w3c/web-platform-tests/css/css-counter-styles/upper-roman/css3-counter-styles-024a.html [ ImageOnlyFailure ]
webkit.org/b/223170 [ Debug ] fast/multicol/widow-relayout-with-border-fit.html [ Skip ]
+webkit.org/b/31278 [ Debug ] fast/multicol/spanner-get-re-added-on-move-crash.html [ Skip ]
Added: trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash-expected.txt (0 => 275133)
--- trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash-expected.txt 2021-03-27 13:51:18 UTC (rev 275133)
@@ -0,0 +1,2 @@
+PASS if no crash in release.
+
Added: trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash.html (0 => 275133)
--- trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/spanner-get-re-added-on-move-crash.html 2021-03-27 13:51:18 UTC (rev 275133)
@@ -0,0 +1,49 @@
+<style>
+*:read-write {
+ -webkit-transform: skewX(180deg);
+ display: table-caption;
+ position: relative;
+ column-count: 2;
+}
+
+span {
+ list-style-image: url(data:image/gif;base64,iVBORw0KGgoAAAANSUhEUgAAAGAAAABgCAYAAADimHc4AAAABGdBTUEAALGPC/xhBQAAAAlwSFlzAAAOxAAADsQBlSsOGwAAABh0RVh0U29mdHdhcmUAUGFpbnQuTkVUIHYzLjIyt5EXfQAAAU5JREFUeF7t07ENACAMxMDA/jsDBTtcY6TUlmx+zcx510MGNuKG/QYKgL9CAQqADWB8CygANoDxLaAA2ADGt4ACYAMY3wIKgA1gfAsoADaA8S2gANgAxreAAmADGN8CCoANYHwLKAA2gPEtoADYAMa3gAJgAxjfAgqADWB8CygANoDxLaAA2ADGt4ACYAMY3wIKgA1gfAsoADaA8S2gANgAxreAAmADGN8CCoANYHwLKAA2gPEtoADYAMa3gAJgAxjfAgqADWB8CygANoDxLaAA2ADGt4ACYAMY3wIKgA1gfAsoADaA8S2gANgAxreAAmADGN8CCoANYHwLKAA2gPEtoADYAMa3gAJgAxjfAgqADWB8CygANoDxLaAA2ADGt4ACYAMY3wIKgA1gfAsoADaA8S2gANgAxreAAmADGN8CCoANYHwLKAA2gPEtAAe4i54BvwLfXFAAAAAASUVORK5CYII=);
+}
+
+* {
+ position: fixed;
+ column-span: all;
+}
+
+#gradient {
+ display: table;
+}
+</style>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+let callPrepend = true;
+
+function func() {
+ if (callPrepend) {
+ callPrepend = false;
+ fobject.prepend(gradient);
+ }
+ image.insertAdjacentHTML("beforebegin", fobject.outerHTML);
+ document.designMode = "off";
+}
+
+function runTest() {
+ document.documentElement._onselectstart_ = func;
+ document.designMode = "on";
+ document.execCommand("selectAll", false, null);
+}
+
+</script>
+
+<body _onload_="runTest()">
+<div></div>PASS if no crash in release.
+<svg><linearGradient id=gradient></linearGradient><foreignObject id=fobject></foreignObject><image id=image></svg>
+<span style="display: contents"><details _ontoggle_="func()" contenteditable="false" open="">
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (275132 => 275133)
--- trunk/Source/WebCore/ChangeLog 2021-03-27 10:52:17 UTC (rev 275132)
+++ trunk/Source/WebCore/ChangeLog 2021-03-27 13:51:18 UTC (rev 275133)
@@ -1,3 +1,23 @@
+2021-03-27 Zalan Bujtas <[email protected]>
+
+ [Multicolumn] Do not try to re-validate a multicol spanner when the renderer is moved internally
+ https://bugs.webkit.org/show_bug.cgi?id=223836
+ <rdar://75742694>
+
+ Reviewed by Ryosuke Niwa.
+
+ When a renderer becomes a multicol spanner
+ 1. it is moved out of its original tree position and placed as a sibling of the enclosing multicolumn flow and
+ 2. a spanner placeholder is constructed and inserted at the original position
+
+ This patch fixes the case when an already placed multicol spanner is internally moved (e.g. collapsing an anonymous block parent)
+ and we attempt to re-insert this spanner to the multicolumn flow. No spanner state should change due to internal re-parenting.
+
+ Test: fast/multicol/spanner-get-re-added-on-move-crash.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::attachToRenderElementInternal):
+
2021-03-26 Ian Gilbert <[email protected]>
Dirty layout for floating children of inline on full layout
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (275132 => 275133)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2021-03-27 10:52:17 UTC (rev 275132)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2021-03-27 13:51:18 UTC (rev 275133)
@@ -447,14 +447,14 @@
if (!parent.renderTreeBeingDestroyed()) {
newChild->insertedIntoTree();
- auto* fragmentedFlow = newChild->enclosingFragmentedFlow();
- if (is<RenderMultiColumnFlow>(fragmentedFlow))
- multiColumnBuilder().multiColumnDescendantInserted(downcast<RenderMultiColumnFlow>(*fragmentedFlow), *newChild);
+ auto needsStateReset = reinsertAfterMove == ReinsertAfterMove::No;
+ if (needsStateReset) {
+ if (auto* fragmentedFlow = newChild->enclosingFragmentedFlow(); is<RenderMultiColumnFlow>(fragmentedFlow))
+ multiColumnBuilder().multiColumnDescendantInserted(downcast<RenderMultiColumnFlow>(*fragmentedFlow), *newChild);
- // FIXME: needsStateReset could probably be used for multicolumn as well.
- auto needsStateReset = reinsertAfterMove == ReinsertAfterMove::No;
- if (needsStateReset && is<RenderElement>(*newChild))
- RenderCounter::rendererSubtreeAttached(downcast<RenderElement>(*newChild));
+ if (is<RenderElement>(*newChild))
+ RenderCounter::rendererSubtreeAttached(downcast<RenderElement>(*newChild));
+ }
}
newChild->setNeedsLayoutAndPrefWidthsRecalc();
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
