[webkit-changes] [276902] trunk

Mon, 03 May 2021 08:59:44 -0700

Title: [276902] trunk
Revision
276902
Author
[email protected]
Date
2021-05-03 08:58:50 -0700 (Mon, 03 May 2021)

Log Message

[Multi-column] Remove spanner placeholder when the spanner becomes nested
https://bugs.webkit.org/show_bug.cgi?id=225248
<rdar://77326189>

Reviewed by Antti Koivisto.

Source/WebCore:

Columns spanners (and their subtrees) are moved out of the RenderMultiColumnFlow subtree next to their RenderMultiColumnSet renderers.
Placeholder renderers are inserted at the original position e.g.

<div id=A style="column-count: 2;"><div id=B><div id=C style="column-span: all;"></div></div></div>

RenderBlockFlow (A) (<div column-count: 2>)
  RenderMultiColumnFlow
    RenderBlockFlow (B) (<div>)
      RenderBlockFlow (C) (<div>)
        RenderMultiColumnSpannerPlaceholder (placeholder for D)
  RenderBlockFlow (D) (<div column-span: all>)
  RenderMultiColumnSet

Now if (C) becomes a column spanner, we need to move the descendant spanner (D) back to its original position and move the subtree out starting from the outermost spanner (C).
RenderTreeUdpater normally solves this by tearing down the new spanner (and its subtree) when the 'column-spanner' property changes.
However this spanner property is essentially ignored for floats and out-of-flow boxes (we don't make them spanning the columns) and changing "float" and/or "position" makes
spanners active.

Test: fast/multicol/span/float-becomes-spanner-crash.html

* style/StyleChange.cpp:
(WebCore::Style::determineChange):

LayoutTests:

* TestExpectations:
* fast/multicol/span/float-becomes-spanner-crash-expected.txt: Added.
* fast/multicol/span/float-becomes-spanner-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (276901 => 276902)


--- trunk/LayoutTests/ChangeLog	2021-05-03 15:58:26 UTC (rev 276901)
+++ trunk/LayoutTests/ChangeLog	2021-05-03 15:58:50 UTC (rev 276902)
@@ -1,3 +1,15 @@
+2021-05-03  Zalan Bujtas  <[email protected]>
+
+        [Multi-column] Remove spanner placeholder when the spanner becomes nested
+        https://bugs.webkit.org/show_bug.cgi?id=225248
+        <rdar://77326189>
+
+        Reviewed by Antti Koivisto.
+
+        * TestExpectations:
+        * fast/multicol/span/float-becomes-spanner-crash-expected.txt: Added.
+        * fast/multicol/span/float-becomes-spanner-crash.html: Added.
+
 2021-05-03  Aditya Keerthi  <[email protected]>
 
         [iOS] Crash when tapping fields on cycle.travel

Modified: trunk/LayoutTests/TestExpectations (276901 => 276902)


--- trunk/LayoutTests/TestExpectations	2021-05-03 15:58:26 UTC (rev 276901)
+++ trunk/LayoutTests/TestExpectations	2021-05-03 15:58:50 UTC (rev 276902)
@@ -4873,3 +4873,5 @@
 
 webkit.org/b/223170 [ Debug ] fast/multicol/widow-relayout-with-border-fit.html [ Skip ]
 webkit.org/b/31278 [ Debug ] fast/multicol/spanner-get-re-added-on-move-crash.html [ Skip ]
+
+webkit.org/b/225247 [ Debug ] fast/multicol/span/float-becomes-spanner-crash.html [ Skip ]

Added: trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash-expected.txt (0 => 276902)


--- trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash-expected.txt	2021-05-03 15:58:50 UTC (rev 276902)
@@ -0,0 +1 @@
+

Added: trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash.html (0 => 276902)


--- trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/float-becomes-spanner-crash.html	2021-05-03 15:58:50 UTC (rev 276902)
@@ -0,0 +1,30 @@
+<style>
+  div {
+    column-span: all;
+  }
+  :nth-last-child(2) {
+    float: left;
+  }
+  :read-write::before {
+    content: '';
+  }
+  :scope {
+    column-count: 2;
+  }
+</style>
+<!-- Pass if no crash or assert -->
+<script>
+  if (window.testRunner)
+    testRunner.dumpAsText();
+  _onload_ = () => {
+    let span0 = document.createElement('span');
+    document.body.appendChild(span0);
+    let div0 = document.createElement('div');
+    div0.appendChild(document.createElement('div'));
+    span0.appendChild(div0);
+    span0.appendChild(document.createElement('div'));
+    document.body.offsetTop;
+    span0.appendChild(document.createElement('div'));
+    document.designMode = 'on';
+  };
+</script>

Modified: trunk/Source/WebCore/ChangeLog (276901 => 276902)


--- trunk/Source/WebCore/ChangeLog	2021-05-03 15:58:26 UTC (rev 276901)
+++ trunk/Source/WebCore/ChangeLog	2021-05-03 15:58:50 UTC (rev 276902)
@@ -1,3 +1,34 @@
+2021-05-03  Zalan Bujtas  <[email protected]>
+
+        [Multi-column] Remove spanner placeholder when the spanner becomes nested
+        https://bugs.webkit.org/show_bug.cgi?id=225248
+        <rdar://77326189>
+
+        Reviewed by Antti Koivisto.
+
+        Columns spanners (and their subtrees) are moved out of the RenderMultiColumnFlow subtree next to their RenderMultiColumnSet renderers.
+        Placeholder renderers are inserted at the original position e.g.
+
+        <div id=A style="column-count: 2;"><div id=B><div id=C style="column-span: all;"></div></div></div>
+
+        RenderBlockFlow (A) (<div column-count: 2>)
+          RenderMultiColumnFlow
+            RenderBlockFlow (B) (<div>)
+              RenderBlockFlow (C) (<div>)
+                RenderMultiColumnSpannerPlaceholder (placeholder for D)
+          RenderBlockFlow (D) (<div column-span: all>)
+          RenderMultiColumnSet
+
+        Now if (C) becomes a column spanner, we need to move the descendant spanner (D) back to its original position and move the subtree out starting from the outermost spanner (C).
+        RenderTreeUdpater normally solves this by tearing down the new spanner (and its subtree) when the 'column-spanner' property changes.
+        However this spanner property is essentially ignored for floats and out-of-flow boxes (we don't make them spanning the columns) and changing "float" and/or "position" makes
+        spanners active.
+
+        Test: fast/multicol/span/float-becomes-spanner-crash.html
+
+        * style/StyleChange.cpp:
+        (WebCore::Style::determineChange):
+
 2021-05-03  Sam Weinig  <[email protected]>
 
         Remove default parameter values for color space and pixel format from ImageBuffer::create to make it clear everwhere we are explicitly requesting SRGB/BGRA8 buffers

Modified: trunk/Source/WebCore/style/StyleChange.cpp (276901 => 276902)


--- trunk/Source/WebCore/style/StyleChange.cpp	2021-05-03 15:58:26 UTC (rev 276901)
+++ trunk/Source/WebCore/style/StyleChange.cpp	2021-05-03 15:58:50 UTC (rev 276902)
@@ -39,7 +39,15 @@
         return Change::Renderer;
     // We just detach if a renderer acquires or loses a column-span, since spanning elements
     // typically won't contain much content.
-    if (s1.columnSpan() != s2.columnSpan())
+    auto columnSpanNeedsNewRenderer = [&] {
+        if (s1.columnSpan() != s2.columnSpan())
+            return true;
+        if (s1.columnSpan() != ColumnSpan::All)
+            return false;
+        // Spanning in ignored for floating and out-of-flow boxes.
+        return s1.isFloating() != s2.isFloating() || s1.hasOutOfFlowPosition() != s2.hasOutOfFlowPosition();
+    }();
+    if (columnSpanNeedsNewRenderer)
         return Change::Renderer;
     if (!s1.contentDataEquivalent(&s2))
         return Change::Renderer;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to