Title: [118249] trunk
- Revision
- 118249
- Author
- [email protected]
- Date
- 2012-05-23 14:51:06 -0700 (Wed, 23 May 2012)
Log Message
Crash in run-ins with continuations while moving back to original position.
https://bugs.webkit.org/show_bug.cgi?id=87264
Reviewed by Julien Chaffraix.
Source/WebCore:
Run-in that are now placed in sibling block can break up into continuation
chains when new children are added to it. We cannot easily send them back to their
original place since that requires writing integration logic with RenderInline::addChild
and all other places that might cause continuations to be created (without blowing away
|this|). Disabling this feature for now to prevent crashes.
Test: fast/runin/runin-continuations-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::moveRunInToOriginalPosition):
LayoutTests:
* fast/runin/runin-continuations-crash-expected.txt: Added.
* fast/runin/runin-continuations-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (118248 => 118249)
--- trunk/LayoutTests/ChangeLog 2012-05-23 21:47:51 UTC (rev 118248)
+++ trunk/LayoutTests/ChangeLog 2012-05-23 21:51:06 UTC (rev 118249)
@@ -1,5 +1,15 @@
2012-05-23 Abhishek Arya <[email protected]>
+ Crash in run-ins with continuations while moving back to original position.
+ https://bugs.webkit.org/show_bug.cgi?id=87264
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/runin/runin-continuations-crash-expected.txt: Added.
+ * fast/runin/runin-continuations-crash.html: Added.
+
+2012-05-23 Abhishek Arya <[email protected]>
+
Crash in RenderInline::linesVisualOverflowBoundingBox.
https://bugs.webkit.org/show_bug.cgi?id=85804
Added: trunk/LayoutTests/fast/runin/runin-continuations-crash-expected.txt (0 => 118249)
--- trunk/LayoutTests/fast/runin/runin-continuations-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/runin/runin-continuations-crash-expected.txt 2012-05-23 21:51:06 UTC (rev 118249)
@@ -0,0 +1,3 @@
+WebKit Bug 87264 - Crash in run-ins with continuations while moving back to original position.
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/runin/runin-continuations-crash.html (0 => 118249)
--- trunk/LayoutTests/fast/runin/runin-continuations-crash.html (rev 0)
+++ trunk/LayoutTests/fast/runin/runin-continuations-crash.html 2012-05-23 21:51:06 UTC (rev 118249)
@@ -0,0 +1,33 @@
+<html>
+<body>
+WebKit Bug 87264 - Crash in run-ins with continuations while moving back to original position.<br />
+Test passes if it does not crash.<br />
+<style>
+.runIn { display: run-in; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+
+runIn1 = document.createElement('div');
+runIn1.setAttribute('class', 'runIn');
+document.body.appendChild(runIn1);
+
+q1 = document.createElement('q');
+q1.style.display = 'block';
+document.body.appendChild(q1);
+
+span1 = document.createElement('span');
+q1.appendChild(span1);
+
+document.body.offsetTop;
+
+runIn1.appendChild(document.createElement('div'));
+span1.style.display = 'block';
+document.body.offsetTop;
+q1.style.display = 'none';
+</script>
+</body>
+</html>
\ No newline at end of file
Property changes on: trunk/LayoutTests/fast/runin/runin-continuations-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (118248 => 118249)
--- trunk/Source/WebCore/ChangeLog 2012-05-23 21:47:51 UTC (rev 118248)
+++ trunk/Source/WebCore/ChangeLog 2012-05-23 21:51:06 UTC (rev 118249)
@@ -1,5 +1,23 @@
2012-05-23 Abhishek Arya <[email protected]>
+ Crash in run-ins with continuations while moving back to original position.
+ https://bugs.webkit.org/show_bug.cgi?id=87264
+
+ Reviewed by Julien Chaffraix.
+
+ Run-in that are now placed in sibling block can break up into continuation
+ chains when new children are added to it. We cannot easily send them back to their
+ original place since that requires writing integration logic with RenderInline::addChild
+ and all other places that might cause continuations to be created (without blowing away
+ |this|). Disabling this feature for now to prevent crashes.
+
+ Test: fast/runin/runin-continuations-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::moveRunInToOriginalPosition):
+
+2012-05-23 Abhishek Arya <[email protected]>
+
Crash in RenderInline::linesVisualOverflowBoundingBox.
https://bugs.webkit.org/show_bug.cgi?id=85804
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (118248 => 118249)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-05-23 21:47:51 UTC (rev 118248)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-05-23 21:51:06 UTC (rev 118249)
@@ -1835,8 +1835,8 @@
if (!runIn->isRenderBlock())
return;
- // We shouldn't run in into the sibling block if we are part of a
- // continuation chain. In that case, treat it as a normal block.
+ // FIXME: We don't support run-ins with or as part of a continuation
+ // as it makes the back-and-forth placing complex.
if (runIn->isElementContinuation() || runIn->virtualContinuation())
return;
@@ -1896,6 +1896,14 @@
if (!runInIsPlacedIntoSiblingBlock(runIn))
return;
+ // FIXME: Run-in that are now placed in sibling block can break up into continuation
+ // chains when new children are added to it. We cannot easily send them back to their
+ // original place since that requires writing integration logic with RenderInline::addChild
+ // and all other places that might cause continuations to be created (without blowing away
+ // |this|). Disabling this feature for now to prevent crashes.
+ if (runIn->isElementContinuation() || runIn->virtualContinuation())
+ return;
+
RenderBoxModelObject* oldRunIn = toRenderBoxModelObject(runIn);
RenderBoxModelObject* newRunIn = createReplacementRunIn(oldRunIn);
destroyRunIn(oldRunIn);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
