Title: [110324] trunk
Revision: 110324
Author: [email protected]
Date: 2012-03-09 13:14:59 -0800 (Fri, 09 Mar 2012)

Log Message

Crash when splitting an anonymous block in multi-column layout.
https://bugs.webkit.org/show_bug.cgi?id=80432

Reviewed by David Hyatt.

Source/WebCore:

Calculating currChild->nextSibling() is risky after destroying :after content
because it can blow away currChild if it is a leftover empty anonymous block.
We need to calculate the next sibling upfront, using the same trick we do in
RenderBlock::addChildIgnoringAnonymousColumnBlock to reset beforeChild (check
out the line before the splitFlow call).

Test: fast/multicol/anonymous-block-split-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::splitBlocks):

LayoutTests:

* fast/multicol/anonymous-block-split-crash-expected.txt: Added.
* fast/multicol/anonymous-block-split-crash.html: Added.
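
The caching-and-revalidation pattern the log message describes, as an added illustration that is not WebKit code: a constructed sibling-linked child list with a cleanup step that may destroy the last child, and a split routine that captures the next sibling before that step and discards the cached pointer when the last child changes underneath it. `Node`, `Block`, `destroyTrailingAnonymous`, `splitAfter` and `runScenario` are hypothetical names chosen for this example.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <utility>

// Constructed stand-in for a render object in a sibling-linked child list.
struct Node {
    std::string name;
    bool anonymous;   // models a leftover empty anonymous block
    Node* prev = nullptr;
    Node* next = nullptr;
    Node(std::string n, bool anon) : name(std::move(n)), anonymous(anon) {}
};

// Constructed stand-in for a block's child list; it owns its nodes.
struct Block {
    Node* first = nullptr;
    Node* last = nullptr;
    ~Block() { while (first) { Node* n = first; unlink(n); delete n; } }

    Node* lastChild() const { return last; }
    int childCount() const { int c = 0; for (Node* n = first; n; n = n->next) ++c; return c; }

    void append(Node* n) {
        n->prev = last; n->next = nullptr;
        if (last) last->next = n; else first = n;
        last = n;
    }
    // Detach n from this list; the caller takes ownership.
    void unlink(Node* n) {
        if (n->prev) n->prev->next = n->next; else first = n->next;
        if (n->next) n->next->prev = n->prev; else last = n->prev;
        n->prev = n->next = nullptr;
    }
    // Models tearing down generated :after content: it sits at the end of the
    // block, and removing it also destroys a leftover empty anonymous last child.
    void destroyTrailingAnonymous() {
        if (last && last->anonymous) { Node* n = last; unlink(n); delete n; }
    }
    // Models moving startChild and everything after it into dest.
    void moveChildrenTo(Block& dest, Node* startChild) {
        while (startChild) { Node* n = startChild; startChild = n->next; unlink(n); dest.append(n); }
    }
};

// The safe ordering: capture the next sibling first, note whether it is the last
// child, run the step that may destroy nodes, then drop the cached pointer if the
// last child changed, because the node it pointed at no longer exists.
void splitAfter(Block& block, Node* currChild, Block& clone) {
    Node* currChildNextSibling = currChild->next;
    bool nextSiblingIsLastChild = (currChildNextSibling == block.lastChild());
    block.destroyTrailingAnonymous();
    if (nextSiblingIsLastChild && currChildNextSibling != block.lastChild())
        currChildNextSibling = nullptr; // the cached sibling was destroyed; nothing to move
    block.moveChildrenTo(clone, currChildNextSibling);
}

// Builds a constructed block [curr, (B), (anon)] and splits after curr.
// Returns (children left in block, children moved into the clone).
std::pair<int, int> runScenario(bool middleSibling, bool trailingAnonymous) {
    Block block, clone;
    Node* currChild = new Node("curr", false);
    block.append(currChild);
    if (middleSibling) block.append(new Node("B", false));
    if (trailingAnonymous) block.append(new Node("anon", true));
    splitAfter(block, currChild, clone);
    return { block.childCount(), clone.childCount() };
}

int main() {
    std::pair<int, int> r = runScenario(false, true);
    std::printf("block keeps %d child(ren), clone receives %d\n", r.first, r.second);
    return 0;
}
```

The `lastChild()` comparison is the whole trick: the cleanup step has no way to report which node it freed, but if the cached sibling was the last child and the last child is now something else, the cached pointer must be stale and is cleared instead of being dereferenced.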

Diff

Modified: trunk/LayoutTests/ChangeLog (110323 => 110324)


--- trunk/LayoutTests/ChangeLog	2012-03-09 21:12:56 UTC (rev 110323)
+++ trunk/LayoutTests/ChangeLog	2012-03-09 21:14:59 UTC (rev 110324)
@@ -1,5 +1,15 @@
 2012-03-09  Abhishek Arya  <[email protected]>
 
+        Crash when splitting an anonymous block in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=80432
+
+        Reviewed by David Hyatt.
+
+        * fast/multicol/anonymous-block-split-crash-expected.txt: Added.
+        * fast/multicol/anonymous-block-split-crash.html: Added.
+
+2012-03-09  Abhishek Arya  <[email protected]>
+
         Crash due to accessing removed parent lineboxes when clearing selection.
         https://bugs.webkit.org/show_bug.cgi?id=79264
 

Added: trunk/LayoutTests/fast/multicol/anonymous-block-split-crash-expected.txt (0 => 110324)


--- trunk/LayoutTests/fast/multicol/anonymous-block-split-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/anonymous-block-split-crash-expected.txt	2012-03-09 21:14:59 UTC (rev 110324)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/multicol/anonymous-block-split-crash.html (0 => 110324)


--- trunk/LayoutTests/fast/multicol/anonymous-block-split-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/anonymous-block-split-crash.html	2012-03-09 21:14:59 UTC (rev 110324)
@@ -0,0 +1,43 @@
+<html>
+<head>
+<style>
+#test0 { -webkit-column-count: 2; }
+#test1::after { display: block; content: ''; }
+#test2:nth-last-child(2n) { content: ''; }
+#test2 { -webkit-column-span: all; }
+#test4 { float: right; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+_onload_ = function() {
+    test0 = document.createElement('div');
+    test0.setAttribute('id', 'test0');
+    document.body.appendChild(test0);
+    test1 = document.createElement('div');
+    test1.setAttribute('id', 'test1');
+    test0.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id', 'test2');
+    test1.appendChild(test2);
+    test3 = document.createElement('span');
+    test1.appendChild(test3);
+    test3.appendChild(document.createTextNode('A'));
+    test4 = document.createElement('table');
+    test4.setAttribute('id', 'test4');
+    test1.appendChild(test4);
+    test0.style.display = 'run-in'; 
+    test4.style.display = 'table-column';
+    document.body.offsetTop;
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('inserttext', '');
+    document.body.offsetTop;
+    document.body.innerHTML = "PASS";
+}
+</script>
+</head>
+<body>
+</body>
+</html>
\ No newline at end of file
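Review bot: `document.execCommand('inserttext', '')` near the end of the onload handler passes the empty string as the second (showUI) argument and leaves the value argument undefined; if the intent is to insert empty text, the call should read `document.execCommand('inserttext', false, '')`. As a minimized fuzzer repro the test also carries no comment tying it to bug 80432 or noting which rules (the `::after` content on #test1, the column span on #test2, the late `run-in` and `table-column` display changes) drive the anonymous-block split, so a one-line comment above the style block would help whoever next touches it. Reporting PASS simply by reaching `document.body.innerHTML = "PASS"` without crashing is the right shape for a crash test.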
Property changes on: trunk/LayoutTests/fast/multicol/anonymous-block-split-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (110323 => 110324)


--- trunk/Source/WebCore/ChangeLog	2012-03-09 21:12:56 UTC (rev 110323)
+++ trunk/Source/WebCore/ChangeLog	2012-03-09 21:14:59 UTC (rev 110324)
@@ -1,5 +1,23 @@
 2012-03-09  Abhishek Arya  <[email protected]>
 
+        Crash when splitting an anonymous block in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=80432
+
+        Reviewed by David Hyatt.
+
+        Calculating currChild->nextSibling() is risky after destroying :after content
+        because it can blow away currChild if it is a left over empty anonymous block.
+        We need to calculate next sibling upfront, using the same trick, we do in
+        RenderBlock::addChildIgnoringAnonymousColumnBlock to reset beforeChild (check
+        out the line before splitFlow call).
+
+        Test: fast/multicol/anonymous-block-split-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitBlocks):
+
+2012-03-09  Abhishek Arya  <[email protected]>
+
         Crash due to accessing removed parent lineboxes when clearing selection.
         https://bugs.webkit.org/show_bug.cgi?id=79264
 

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (110323 => 110324)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-03-09 21:12:56 UTC (rev 110323)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-03-09 21:14:59 UTC (rev 110324)
@@ -575,6 +575,7 @@
     // Once we hit the anonymous columns block we're done.
     RenderBoxModelObject* curr = toRenderBoxModelObject(parent());
     RenderBoxModelObject* currChild = this;
+    RenderObject* currChildNextSibling = currChild->nextSibling();
     
     while (curr && curr != fromBlock) {
         ASSERT(curr->isRenderBlock());
@@ -601,15 +602,20 @@
         // Someone may have indirectly caused a <q> to split.  When this happens, the :after content
         // has to move into the inline continuation.  Call updateBeforeAfterContent to ensure that the inline's :after
         // content gets properly destroyed.
+        bool isLastChild = (currChildNextSibling == blockCurr->lastChild());
         if (document()->usesBeforeAfterRules())
             blockCurr->children()->updateBeforeAfterContent(blockCurr, AFTER);
+        if (isLastChild && currChildNextSibling != blockCurr->lastChild())
+            currChildNextSibling = 0; // We destroyed the last child, so now we need to update
+                                      // the value of currChildNextSibling.
 
         // Now we need to take all of the children starting from the first child
         // *after* currChild and append them all to the clone.
-        blockCurr->moveChildrenTo(cloneBlock, currChild->nextSibling(), 0, true);
+        blockCurr->moveChildrenTo(cloneBlock, currChildNextSibling, 0, true);
 
         // Keep walking up the chain.
         currChild = curr;
+        currChildNextSibling = currChild->nextSibling();
         curr = toRenderBoxModelObject(curr->parent());
     }
 
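Review bot: `isLastChild` is a misleading name, since it records whether `currChildNextSibling` (not `currChild`) is the last child; `nextSiblingIsLastChild` would read accurately. The recovery also assumes that whatever `updateBeforeAfterContent(blockCurr, AFTER)` destroys is exactly the last child: a next sibling destroyed from the middle of the list would leave `currChildNextSibling` dangling and go undetected by the `lastChild()` comparison. If that holds by construction (generated :after content always sits at the end), a comment or ASSERT stating it would document the invariant, and the two-line comment after `currChildNextSibling = 0` could give that rationale instead of restating the assignment.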
@@ -618,7 +624,7 @@
 
     // Now take all the children after currChild and remove them from the fromBlock
     // and put them in the toBlock.
-    fromBlock->moveChildrenTo(toBlock, currChild->nextSibling(), 0, true);
+    fromBlock->moveChildrenTo(toBlock, currChildNextSibling, 0, true);
 }
 
 void RenderBlock::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox,
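Review bot: the cached `currChildNextSibling` is consumed here after the loop, but nothing in the hunk revalidates it between the final `currChildNextSibling = currChild->nextSibling();` inside the loop and this `moveChildrenTo` call; inside the loop the pointer is guarded by the `lastChild()` comparison, so if anything in the elided lines 618-623 can destroy children of `fromBlock` (another before/after content update, for instance), the same guard is needed here, and if nothing can, a short comment saying so would make that explicit. When the while loop does not execute at all, the value used is the one captured from `this` at the top of the function, which matches the previous `currChild->nextSibling()` behaviour.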
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
