Title: [109142] trunk
- Revision: 109142
- Author: [email protected]
- Date: 2012-02-28 13:00:02 -0800 (Tue, 28 Feb 2012)
Log Message
Crash due to accessing removed continuation in multi-column layout.
https://bugs.webkit.org/show_bug.cgi?id=78417
Reviewed by David Hyatt.
Source/WebCore:
This patch addresses two problems:
1. Run-in block got split due to addition of a column-span child.
The clone part was incorrectly intruding into the sibling block,
even when it was part of the continuation chain.
2. Like r73296, we don't need to set continuation on an
anonymous block since we haven't split a real element.
Test: fast/multicol/span/runin-continuation-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
(WebCore::RenderBlock::handleRunInChild):
LayoutTests:
* fast/multicol/span/runin-continuation-crash-expected.txt: Added.
* fast/multicol/span/runin-continuation-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (109141 => 109142)
--- trunk/LayoutTests/ChangeLog 2012-02-28 20:46:56 UTC (rev 109141)
+++ trunk/LayoutTests/ChangeLog 2012-02-28 21:00:02 UTC (rev 109142)
@@ -1,5 +1,15 @@
2012-02-28 Abhishek Arya <[email protected]>
+ Crash due to accessing removed continuation in multi-column layout.
+ https://bugs.webkit.org/show_bug.cgi?id=78417
+
+ Reviewed by David Hyatt.
+
+ * fast/multicol/span/runin-continuation-crash-expected.txt: Added.
+ * fast/multicol/span/runin-continuation-crash.html: Added.
+
+2012-02-28 Abhishek Arya <[email protected]>
+
Incorrect before child parent calculation when adding new children
to anonymous column blocks.
https://bugs.webkit.org/show_bug.cgi?id=79755
Added: trunk/LayoutTests/fast/multicol/span/runin-continuation-crash-expected.txt (0 => 109142)
--- trunk/LayoutTests/fast/multicol/span/runin-continuation-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/runin-continuation-crash-expected.txt 2012-02-28 21:00:02 UTC (rev 109142)
@@ -0,0 +1,2 @@
+PASS
+
Added: trunk/LayoutTests/fast/multicol/span/runin-continuation-crash.html (0 => 109142)
--- trunk/LayoutTests/fast/multicol/span/runin-continuation-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/runin-continuation-crash.html 2012-02-28 21:00:02 UTC (rev 109142)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+.div1 { -webkit-column-span: all; }
+.divContainer::after { content: ''; }
+.divContainer { -webkit-column-width: 1px; }
+.runin { display: run-in; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+div1 = document.createElement('div');
+div1.setAttribute('class', 'div1');
+div2 = document.createElement('div');
+div3 = document.createElement('div');
+
+divContainer = document.createElement('div');
+divContainer.setAttribute('class', 'divContainer');
+document.documentElement.appendChild(divContainer);
+
+div2.appendChild(div1);
+divContainer.appendChild(div2);
+divContainer.appendChild(div3);
+document.body.offsetTop;
+div2.setAttribute('class', 'runin');
+document.body.offsetTop;
+document.body.innerHTML = "PASS";
+</script>
+</body>
+</html>
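Review bot: the script in runin-continuation-crash.html carries no comment saying which step reproduces the crash, so a later reader has to infer that the class change in `div2.setAttribute('class', 'runin')`, made after the column-span child div1 has already been laid out inside div2, appears to be the step that matters. Add a one-line description of what is being tested (for example "Test passes if it does not crash"), and declare div1, div2, div3 and divContainer with `var` instead of leaving them as implicit globals. Because `document.body.innerHTML = "PASS"` runs unconditionally after the last forced layout, the test can only fail by crashing, so it is worth confirming it under a memory-checking build rather than relying on the text dump alone.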
Property changes on: trunk/LayoutTests/fast/multicol/span/runin-continuation-crash.html
___________________________________________________________________
Added: svn:executable
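Review bot: svn:executable is being added to runin-continuation-crash.html, an HTML layout test that is never run as a program. Drop the property before landing, for example with svn propdel svn:executable on the file.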
Modified: trunk/Source/WebCore/ChangeLog (109141 => 109142)
--- trunk/Source/WebCore/ChangeLog 2012-02-28 20:46:56 UTC (rev 109141)
+++ trunk/Source/WebCore/ChangeLog 2012-02-28 21:00:02 UTC (rev 109142)
@@ -1,5 +1,25 @@
2012-02-28 Abhishek Arya <[email protected]>
+ Crash due to accessing removed continuation in multi-column layout.
+ https://bugs.webkit.org/show_bug.cgi?id=78417
+
+ Reviewed by David Hyatt.
+
+ This patch addresses two problems:
+ 1. Run-in block got split due to addition of a column-span child.
+ The clone part was incorrectly intruding into the sibling block,
+ even when it was part of the continuation chain.
+ 2. Like r73296, we don't need to set continuation on an
+ anonymous block since we haven't split a real element.
+
+ Test: fast/multicol/span/runin-continuation-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+ (WebCore::RenderBlock::handleRunInChild):
+
+2012-02-28 Abhishek Arya <[email protected]>
+
Incorrect before child parent calculation when adding new children
to anonymous column blocks.
https://bugs.webkit.org/show_bug.cgi?id=79755
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (109141 => 109142)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-02-28 20:46:56 UTC (rev 109141)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-02-28 21:00:02 UTC (rev 109142)
@@ -852,8 +852,12 @@
// We are nested inside a multi-column element and are being split by the span. We have to break up
// our block into continuations.
RenderBoxModelObject* oldContinuation = continuation();
- setContinuation(newBox);
+ // When we split an anonymous block, there's no need to do any continuation hookup,
+ // since we haven't actually split a real element.
+ if (!isAnonymousBlock())
+ setContinuation(newBox);
+
// Someone may have put a <p> inside a <q>, causing a split. When this happens, the :after content
// has to move into the inline continuation. Call updateBeforeAfterContent to ensure that our :after
// content gets properly destroyed.
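Review bot: the new `if (!isAnonymousBlock())` guard covers only `setContinuation(newBox)`, while `oldContinuation` is still read unconditionally on the line above it. Please confirm that whatever consumes `oldContinuation` further down in this function does not still hook a continuation onto the clone in the anonymous case, since a partially connected chain is the kind of state that leads to the removed-continuation access this patch is fixing. The added comment explains why the hookup is unnecessary but not that doing it was harmful; a short reference to bug 78417 there would make the guard harder to remove by accident.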
@@ -1759,6 +1763,10 @@
return false;
// FIXME: We don't handle non-block elements with run-in for now.
if (!child->isRenderBlock())
+ return false;
+ // Run-in child shouldn't intrude into the sibling block if it is part of a
+ // continuation chain. In that case, treat it as a normal block.
+ if (child->isElementContinuation() || child->virtualContinuation())
return false;
RenderBlock* blockRunIn = toRenderBlock(child);
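Review bot: the new early return in the run-in check tests two different states, `child->isElementContinuation()` and `child->virtualContinuation()`, but the patch adds a single layout test with one scenario, so it is not evident that each half of the condition is needed or covered. Either add a second test case for the other state or say in the comment which half the crash test hits. The comment says the child is treated "as a normal block"; stating that this means run-in does not take effect for a block that has been split would help anyone later debugging run-in rendering.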