Diff
Modified: trunk/LayoutTests/ChangeLog (109687 => 109688)
--- trunk/LayoutTests/ChangeLog 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/LayoutTests/ChangeLog 2012-03-05 01:39:47 UTC (rev 109688)
@@ -1,3 +1,13 @@
+2012-03-01 MORITA Hajime <[email protected]>
+
+ REGRESSION(r108758): Assertion failure in WebCore::RenderMenuList::addChild
+ https://bugs.webkit.org/show_bug.cgi?id=80096
+
+ Reviewed by Dimitri Glazkov.
+
+ * fast/forms/select-generated-content-expected.txt: Added.
+ * fast/forms/select-generated-content.html: Added.
+
2012-03-04 Kentaro Hara <[email protected]>
Unreviewed, gardening.
Added: trunk/LayoutTests/fast/forms/select-generated-content-expected.txt (0 => 109688)
--- trunk/LayoutTests/fast/forms/select-generated-content-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/select-generated-content-expected.txt 2012-03-05 01:39:47 UTC (rev 109688)
@@ -0,0 +1 @@
+PASS unless crash.
Property changes on: trunk/LayoutTests/fast/forms/select-generated-content-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/forms/select-generated-content.html (0 => 109688)
--- trunk/LayoutTests/fast/forms/select-generated-content.html (rev 0)
+++ trunk/LayoutTests/fast/forms/select-generated-content.html 2012-03-05 01:39:47 UTC (rev 109688)
@@ -0,0 +1,22 @@
+<html>
+<head>
+<style>
+.s1::before { display: table; content: counter(section); }
+.s2::after { display: table; content: counter(section); }
+</style>
+<script>
+function boom() {
+ var s1 = document.createElement('select');
+ s1.setAttribute('class', 's1');
+ document.documentElement.appendChild(s1);
+ var s2 = document.createElement('select');
+ s2.setAttribute('class', 's2');
+ document.documentElement.appendChild(s2);
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+}
+window._onload_ = boom;
+</script>
+<head>
+<body>PASS unless crash.</body>
+</html>
Property changes on: trunk/LayoutTests/fast/forms/select-generated-content.html
___________________________________________________________________
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (109687 => 109688)
--- trunk/Source/WebCore/ChangeLog 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/ChangeLog 2012-03-05 01:39:47 UTC (rev 109688)
@@ -1,3 +1,36 @@
+2012-03-01 MORITA Hajime <[email protected]>
+
+ REGRESSION(r108758): Assertion failure in WebCore::RenderMenuList::addChild
+ https://bugs.webkit.org/show_bug.cgi?id=80096
+
+ Reviewed by Dimitri Glazkov.
+
+ After r108758 RenderBlock allowed <select> to have generated
+ contents. But it shouldn't. This change stops allowing it again by
+ replacing some canHaveChildren() invocations with
+ less permissive canHaveGeneratedChildren().
+
+ This change also pulls back original canHaveChildren() logic to
+ RenderButton to allow <button> to have generated contents.
+
+ Then RenderDeprecatedFlexibleBox::buttonText() is morphed to
+ more intention revealing canHaveGeneratedChildren().
+
+ Test: fast/forms/select-generated-content.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore):
+ (WebCore::canHaveGeneratedChildren):
+ (WebCore::RenderBlock::styleDidChange):
+ (WebCore::findFirstLetterBlock):
+ (WebCore::RenderBlock::updateFirstLetter):
+ * rendering/RenderButton.cpp:
+ * rendering/RenderButton.h:
+ (RenderButton):
+ * rendering/RenderDeprecatedFlexibleBox.h:
+ (WebCore::RenderDeprecatedFlexibleBox::canHaveGeneratedChildren):
+ * rendering/RenderMenuList.h:
+
2012-03-04 Robin Cao <[email protected]>
[BlackBerry] Upstream two helper files from platform/graphics/blackberry
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (109687 => 109688)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-03-05 01:39:47 UTC (rev 109688)
@@ -84,6 +84,18 @@
static int gDelayUpdateScrollInfo = 0;
static DelayedUpdateScrollInfoSet* gDelayedUpdateScrollInfoSet = 0;
+// We only create "generated" renderers like one for first-letter and
+// before/after pseudo elements if:
+// - the firstLetterBlock can have children in the DOM and
+// - the block doesn't have any special assumption on its text children.
+// This correctly prevents form controls from having such renderers.
+static inline bool canHaveGeneratedChildren(RenderObject* renderer)
+{
+ return (renderer->canHaveChildren()
+ && (!renderer->isDeprecatedFlexibleBox()
+ || static_cast<RenderDeprecatedFlexibleBox*>(renderer)->canHaveGeneratedChildren()));
+}
+
bool RenderBlock::s_canPropagateFloatIntoSibling = false;
// This class helps dispatching the 'overflow' event on layout change. overflow can be set on RenderBoxes, yet the existing code
@@ -303,7 +315,7 @@
m_lineHeight = -1;
// Update pseudos for :before and :after now.
- if (!isAnonymous() && document()->usesBeforeAfterRules() && canHaveChildren()) {
+ if (!isAnonymous() && document()->usesBeforeAfterRules() && canHaveGeneratedChildren(this)) {
updateBeforeAfterContent(BEFORE);
updateBeforeAfterContent(AFTER);
}
@@ -5950,23 +5962,12 @@
return isSpaceOrNewline(c) || c == noBreakSpace || isPunctuationForFirstLetter(c);
}
-// We only honor first-letter if
-// - the firstLetterBlock can have children in the DOM and
-// - the block doesn't have any special assumption on its text children.
-// This correctly prevents form controls from honoring first-letter.
-static inline bool isSafeToCreateFirstLetterRendererOn(RenderObject* renderer)
-{
- return (renderer->canHaveChildren()
- && !(renderer->isDeprecatedFlexibleBox()
- && static_cast<RenderDeprecatedFlexibleBox*>(renderer)->buttonText()));
-}
-
static inline RenderObject* findFirstLetterBlock(RenderBlock* start)
{
RenderObject* firstLetterBlock = start;
while (true) {
bool canHaveFirstLetterRenderer = firstLetterBlock->style()->hasPseudoStyle(FIRST_LETTER)
- && isSafeToCreateFirstLetterRendererOn(firstLetterBlock);
+ && canHaveGeneratedChildren(firstLetterBlock);
if (canHaveFirstLetterRenderer)
return firstLetterBlock;
@@ -5979,7 +5980,7 @@
return 0;
}
-
+
void RenderBlock::updateFirstLetter()
{
if (!document()->usesFirstLetterRules())
@@ -6009,7 +6010,7 @@
currChild = currChild->nextSibling();
} else if (currChild->isReplaced() || currChild->isRenderButton() || currChild->isMenuList())
break;
- else if (currChild->style()->hasPseudoStyle(FIRST_LETTER) && currChild->canHaveChildren()) {
+ else if (currChild->style()->hasPseudoStyle(FIRST_LETTER) && canHaveGeneratedChildren(currChild)) {
// We found a lower-level node with first-letter, which supersedes the higher-level style
firstLetterBlock = currChild;
currChild = currChild->firstChild();
Modified: trunk/Source/WebCore/rendering/RenderButton.cpp (109687 => 109688)
--- trunk/Source/WebCore/rendering/RenderButton.cpp 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/rendering/RenderButton.cpp 2012-03-05 01:39:47 UTC (rev 109688)
@@ -141,6 +141,14 @@
return m_buttonText ? m_buttonText->text() : 0;
}
+bool RenderButton::canHaveGeneratedChildren() const OVERRIDE
+{
+ // Input elements can't have generated children, but button elements can. We'll
+ // write the code assuming any other button types that might emerge in the future
+ // can also have children.
+ return !node()->hasTagName(inputTag);
+}
+
void RenderButton::updateBeforeAfterContent(PseudoId type)
{
if (m_inner)
@@ -149,11 +157,6 @@
children()->updateBeforeAfterContent(this, type);
}
-RenderText* RenderButton::buttonText() const
-{
- return m_buttonText;
-}
-
LayoutRect RenderButton::controlClipRect(const LayoutPoint& additionalOffset) const
{
// Clip to the padding box to at least give content the extra padding space.
Modified: trunk/Source/WebCore/rendering/RenderButton.h (109687 => 109688)
--- trunk/Source/WebCore/rendering/RenderButton.h 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/rendering/RenderButton.h 2012-03-05 01:39:47 UTC (rev 109688)
@@ -50,7 +50,7 @@
virtual void updateBeforeAfterContent(PseudoId);
- virtual RenderText* buttonText() const OVERRIDE;
+ virtual bool canHaveGeneratedChildren() const OVERRIDE;
virtual bool hasControlClip() const { return true; }
virtual LayoutRect controlClipRect(const LayoutPoint&) const;
Modified: trunk/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.h (109687 => 109688)
--- trunk/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.h 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.h 2012-03-05 01:39:47 UTC (rev 109688)
@@ -49,7 +49,7 @@
virtual bool isDeprecatedFlexibleBox() const { return true; }
virtual bool isFlexingChildren() const { return m_flexingChildren; }
virtual bool isStretchingChildren() const { return m_stretchingChildren; }
- virtual RenderText* buttonText() const { return 0; }
+ virtual bool canHaveGeneratedChildren() const { return true; }
void placeChild(RenderBox* child, const LayoutPoint& location);
Modified: trunk/Source/WebCore/rendering/RenderMenuList.h (109687 => 109688)
--- trunk/Source/WebCore/rendering/RenderMenuList.h 2012-03-05 01:34:22 UTC (rev 109687)
+++ trunk/Source/WebCore/rendering/RenderMenuList.h 2012-03-05 01:39:47 UTC (rev 109688)
@@ -67,7 +67,7 @@
virtual LayoutRect controlClipRect(const LayoutPoint&) const;
virtual bool hasControlClip() const { return true; }
- virtual RenderText* buttonText() const OVERRIDE { return m_buttonText; }
+ virtual bool canHaveGeneratedChildren() const OVERRIDE { return false; }
virtual const char* renderName() const { return "RenderMenuList"; }
