Title: [290549] trunk
- Revision
- 290549
- Author
- za...@apple.com
- Date
- 2022-02-26 10:44:03 -0800 (Sat, 26 Feb 2022)
Log Message
[RenderTreeBuilder] Clean up descendant floats when a block container becomes float
https://bugs.webkit.org/show_bug.cgi?id=237238
<rdar://79960422>
Reviewed by Antti Koivisto.
Source/WebCore:
When a block box becomes float, it forms a "lockdown" container for the descendant floats by establishing a BFC.
What it means is that such descendant floats can't intrude to sibling block containers anymore.
This patch ensures that we remove such floats from sibling (and their descendant) renderers.
Test: fast/block/float/float-merge-anon-parent-crash.html
* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::normalizeTreeAfterStyleChange):
LayoutTests:
* fast/block/float/float-merge-anon-parent-crash-expected.txt: Added.
* fast/block/float/float-merge-anon-parent-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (290548 => 290549)
--- trunk/LayoutTests/ChangeLog 2022-02-26 18:43:07 UTC (rev 290548)
+++ trunk/LayoutTests/ChangeLog 2022-02-26 18:44:03 UTC (rev 290549)
@@ -1,3 +1,14 @@
+2022-02-26 Alan Bujtas <za...@apple.com>
+
+ [RenderTreeBuilder] Clean up descendant floats when a block container becomes float
+ https://bugs.webkit.org/show_bug.cgi?id=237238
+ <rdar://79960422>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/block/float/float-merge-anon-parent-crash-expected.txt: Added.
+ * fast/block/float/float-merge-anon-parent-crash.html: Added.
+
2022-02-26 Simon Fraser <simon.fra...@apple.com>
No animation when scroll snap scroller is navigated with the keyboard
Added: trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash-expected.txt (0 => 290549)
--- trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash-expected.txt 2022-02-26 18:44:03 UTC (rev 290549)
@@ -0,0 +1,2 @@
+
+
Added: trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash.html (0 => 290549)
--- trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash.html (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-merge-anon-parent-crash.html 2022-02-26 18:44:03 UTC (rev 290549)
@@ -0,0 +1,35 @@
+<style>
+ html {
+ -webkit-user-modify: read-write;
+ }
+ span {
+ padding: 1px;
+ }
+ div {
+ padding: 123456789px;
+ }
+ div:only-child, div:nth-child(2) {
+ float: left;
+ }
+</style>
+<body>
+<!-- PASS if no crash or assert. -->
+<span></span><div><div></body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+let firstDiv = document.createElement('div');
+document.body.appendChild(firstDiv);
+firstDiv.appendChild(document.createElement('div'));
+let middleDiv = document.createElement('div');
+document.body.appendChild(middleDiv);
+middleDiv.appendChild(document.createElement('span'));
+middleDiv.appendChild(document.createElement('div'));
+let lastDiv = document.createElement('div');
+middleDiv.appendChild(lastDiv);
+lastDiv.appendChild(document.createElement('div'));
+
+document.execCommand('SelectAll');
+document.execCommand('Delete');
+</script>
Modified: trunk/Source/WebCore/ChangeLog (290548 => 290549)
--- trunk/Source/WebCore/ChangeLog 2022-02-26 18:43:07 UTC (rev 290548)
+++ trunk/Source/WebCore/ChangeLog 2022-02-26 18:44:03 UTC (rev 290549)
@@ -1,3 +1,20 @@
+2022-02-26 Alan Bujtas <za...@apple.com>
+
+ [RenderTreeBuilder] Clean up descendant floats when a block container becomes float
+ https://bugs.webkit.org/show_bug.cgi?id=237238
+ <rdar://79960422>
+
+ Reviewed by Antti Koivisto.
+
+ When a block box becomes float, it forms a "lockdown" container for the descendant floats by establishing a BFC.
+ What it means is that such descendant floats can't intrude to sibling block containers anymore.
+ This patch ensures that we remove such floats from sibling (and their descendant) renderers.
+
+ Test: fast/block/float/float-merge-anon-parent-crash.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::normalizeTreeAfterStyleChange):
+
2022-02-26 Simon Fraser <simon.fra...@apple.com>
No animation when scroll snap scroller is navigated with the keyboard
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (290548 => 290549)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2022-02-26 18:43:07 UTC (rev 290548)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2022-02-26 18:44:03 UTC (rev 290549)
@@ -641,10 +641,18 @@
if (noLongerAffectsParent) {
childFlowStateChangesAndNoLongerAffectsParentBlock(renderer);
- if (is<RenderBlockFlow>(renderer)) {
+ if (isFloating && is<RenderBlockFlow>(renderer)) {
+ auto clearDescendantFloats = [&] {
+ // These descendent floats can not intrude other, sibling block containers anymore.
+ for (auto& descendant : descendantsOfType<RenderBox>(renderer)) {
+ if (descendant.isFloatingOrOutOfFlowPositioned())
+ descendant.removeFloatingOrPositionedChildFromBlockLists();
+ }
+ };
+ clearDescendantFloats();
// Fresh floats need to be reparented if they actually belong to the previous anonymous block.
// It copies the logic of RenderBlock::addChildIgnoringContinuation
- if (isFloating && renderer.previousSibling() && renderer.previousSibling()->isAnonymousBlock())
+ if (renderer.previousSibling() && renderer.previousSibling()->isAnonymousBlock())
move(downcast<RenderBoxModelObject>(parent), downcast<RenderBoxModelObject>(*renderer.previousSibling()), renderer, RenderTreeBuilder::NormalizeAfterInsertion::No);
}
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
