Title: [121991] releases/WebKitGTK/webkit-1.8
Revision: 121991
Author: [email protected]
Date: 2012-07-06 13:00:27 -0700 (Fri, 06 Jul 2012)

Log Message

Merge 116357 - Crash due to positioned object list not being cleared during block flow split
https://bugs.webkit.org/show_bug.cgi?id=85074

Patch by Ken Buchanan <[email protected]> on 2012-05-07
Reviewed by Abhishek Arya.

Source/WebCore:

When an element is being split due to a column span element being
inserted, any of its ancestors that are underneath the column
containing block also get split. If an ancestor has an object in
its positioned object list from a previous layout, then the list
will have to be cleared because the positioned object could have moved
to be under the continuation. This patch causes the list to be
cleared.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::splitBlocks):

LayoutTests:

Test exercises crashing condition in bug 85074. It creates a column
span that requires multiple layers of splitting blocks from the
element that contains the columns, puts a positioned element underneath
one of the split blocks, and then causes a reattach of the column span
element.

* fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt: Added
* fast/block/positioning/positioned-object-under-split-block-parent-crash.html: Added

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121990 => 121991)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 19:19:44 UTC (rev 121990)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:00:27 UTC (rev 121991)
@@ -1,3 +1,19 @@
+2012-05-07  Ken Buchanan  <[email protected]>
+
+        Crash due to positioned object list not being cleared during block flow split
+        https://bugs.webkit.org/show_bug.cgi?id=85074
+
+        Reviewed by Abhishek Arya.
+
+        Test exercises crashing condition in bug 85074. It creates a column
+        span that requires multiple layers of splitting blocks from the
+        element that contains the columns, puts a positioned element underneath
+        one of the split blocks, and then causes a reattach of the column span
+        element.
+
+        * fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt: Added
+        * fast/block/positioning/positioned-object-under-split-block-parent-crash.html: Added
+
 2012-05-01  James Simonsen  <[email protected]>
 
         Ensure HTMLElementStack fails gracefully if it has a non-Element.

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt (0 => 121991)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt	2012-07-06 20:00:27 UTC (rev 121991)
@@ -0,0 +1,2 @@
+PASS if no assert or crash in debug
+
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash.html (0 => 121991)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash.html	2012-07-06 20:00:27 UTC (rev 121991)
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<html>
+<style>
+.colContainer { -webkit-column-count: 0; }
+.absolutePosition { position: absolute; }
+.colSpanAll { -webkit-column-span: all; }
+.transformed { -webkit-transform: rotate(45deg); }
+.hidden { display:none; }
+.normal { display:block;}
+</style>
+<script>
+
+window._onload_ = function() {
+    columnContainerBlock = document.createElement('div');
+    columnContainerBlock.setAttribute('class', 'colContainer');
+    document.documentElement.appendChild(columnContainerBlock);
+
+    splitBlockParent = document.createElement('div');
+    splitBlockParent.setAttribute('class', 'transformed');
+    columnContainerBlock.appendChild(splitBlockParent);
+
+    splitFlowDt = document.createElement('dt');
+    splitBlockParent.appendChild(splitFlowDt);
+
+    positionedDiv = document.createElement('div');
+    positionedDiv.setAttribute('class', 'absolutePosition');
+    splitBlockParent.appendChild(positionedDiv);
+
+    columnSpan = document.createElement('col');
+    columnSpan.setAttribute('class', 'colSpanAll');
+    splitFlowDt.appendChild(columnSpan); // Inserting the col inside the dt causes it to get split.
+    document.documentElement.offsetHeight;
+
+    splitFlowDt.setAttribute('class', 'hidden'); // This removes the split dt and the col from the render tree.
+    document.documentElement.offsetHeight;
+
+    splitFlowDt.setAttribute('class', 'normal'); // Re-adding the dt causes the flow to split again.
+    document.documentElement.offsetHeight;
+
+    splitBlockParent.removeChild(positionedDiv); // Remove the positioned object from the tree.
+    document.documentElement.offsetHeight;
+
+    splitBlockParent.removeChild(splitFlowDt); // Ensure the node with the bad positioned object list gets layout.
+
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+}
+</script>
+<body>
+PASS if no assert or crash in debug
+</body>
+</html>
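Review bot: the handler on the line `window._onload_ = function() {` is assigned to a property named `_onload_`, which no browser ever fires; if that is the committed text rather than an archive rendering of `onload`, the body never runs and the test passes vacuously, so it should read `window.onload = function() {`. Smaller points in the same block: `columnContainerBlock`, `splitBlockParent`, `splitFlowDt`, `positionedDiv` and `columnSpan` are assigned without `var` and therefore leak onto `window`, and `layoutTestController.dumpAsText()` is only reached after all the forced layouts; moving that call to the top of the handler sets text-only output before the mutations that exercise the crash path, which is the safer ordering for a test whose pass condition is "no assert or crash".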
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/positioning/positioned-object-under-split-block-parent-crash.html
___________________________________________________________________

Added: svn:executable

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121990 => 121991)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 19:19:44 UTC (rev 121990)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:27 UTC (rev 121991)
@@ -1,3 +1,21 @@
+2012-05-07  Ken Buchanan  <[email protected]>
+
+        Crash due to positioned object list not being cleared during block flow split
+        https://bugs.webkit.org/show_bug.cgi?id=85074
+
+        Reviewed by Abhishek Arya.
+
+        When an element is being split due to a column span element being
+        inserted, any of its ancestors that are underneath the column
+        containing block also get split. If an ancestor has an object in
+        its positioned object list from a previous layout, then the list
+        will have to be cleared because the positioned object could have moved
+        to be under the continuation. This patch causes the list to be
+        cleared.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitBlocks):
+
 2012-05-01  James Simonsen  <[email protected]>
 
         Ensure HTMLElementStack fails gracefully if it has a non-Element.

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp (121990 => 121991)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp	2012-07-06 19:19:44 UTC (rev 121990)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp	2012-07-06 20:00:27 UTC (rev 121991)
@@ -527,6 +527,13 @@
         if (document()->usesBeforeAfterRules())
             blockCurr->children()->updateBeforeAfterContent(blockCurr, AFTER);
 
+        // It is possible that positioned objects under blockCurr are going to be moved to cloneBlock.
+        // Since we are doing layout anyway, it is easier to blow away the entire list, than
+        // traversing down the subtree looking for positioned children and then remove them
+        // from our positioned objects list.
+        if (currChildNextSibling)
+            blockCurr->removePositionedObjects(0);
+
         // Now we need to take all of the children starting from the first child
         // *after* currChild and append them all to the clone.
         blockCurr->moveChildrenTo(cloneBlock, currChild->nextSibling(), 0, true);
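Review bot: the new guard `if (currChildNextSibling)` tests a variable that is not introduced in this hunk, while the move on the line `blockCurr->moveChildrenTo(cloneBlock, currChild->nextSibling(), 0, true);` uses `currChild->nextSibling()` directly; if those two can ever disagree, children would move to cloneBlock while blockCurr keeps its positioned-object entries, which is exactly the stale-pointer condition this change is meant to remove, so use one expression for both, e.g. `if (currChild->nextSibling())`. The comment should also state that `removePositionedObjects(0)` with a null argument drops every entry on blockCurr (the "blow away the entire list" wording implies it), because the correctness argument rests entirely on the layout that follows re-registering whichever positioned descendants land under blockCurr or cloneBlock. Minor wording: "it is easier to blow away the entire list, than traversing down the subtree" reads better as "than to traverse the subtree".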
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
