Title: [142922] trunk
- Revision: 142922
- Author: [email protected]
- Date: 2013-02-14 14:34:44 -0800 (Thu, 14 Feb 2013)
Log Message
Bad cast in RenderBlock::splitBlocks.
https://bugs.webkit.org/show_bug.cgi?id=108691
Reviewed by Levi Weintraub.
Source/WebCore:
Test: fast/multicol/remove-child-split-flow-crash.html
* rendering/RenderBlock.cpp:
(WebCore):
(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): rename gIsInColumnFlowSplit to gColumnFlowSplitEnabled
and use it to decide when to do the column flow split or not.
(WebCore::RenderBlock::removeChild): Do not allow column flow split inside removeChild
since we might be merging anonymous blocks.
LayoutTests:
* fast/multicol/remove-child-split-flow-crash-expected.txt: Added.
* fast/multicol/remove-child-split-flow-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (142921 => 142922)
--- trunk/LayoutTests/ChangeLog 2013-02-14 22:31:20 UTC (rev 142921)
+++ trunk/LayoutTests/ChangeLog 2013-02-14 22:34:44 UTC (rev 142922)
@@ -1,3 +1,13 @@
+2013-02-14 Abhishek Arya <[email protected]>
+
+ Bad cast in RenderBlock::splitBlocks.
+ https://bugs.webkit.org/show_bug.cgi?id=108691
+
+ Reviewed by Levi Weintraub.
+
+ * fast/multicol/remove-child-split-flow-crash-expected.txt: Added.
+ * fast/multicol/remove-child-split-flow-crash.html: Added.
+
2013-02-14 Jer Noble <[email protected]>
EME: replace MediaKeySession.addKey() -> update()
Added: trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt (0 => 142922)
--- trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt 2013-02-14 22:34:44 UTC (rev 142922)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash.html (0 => 142922)
--- trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash.html 2013-02-14 22:34:44 UTC (rev 142922)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+.class1 { -webkit-column-span: all; }
+.class2 { -webkit-column-width: 1px; }
+.class3 { display: inline-block; }
+.class4 { section; -webkit-column-span: all; }
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function crash() {
+ i1 = document.createElement('i');
+ document.documentElement.appendChild(i1);
+ i2 = document.createElement('i');
+ i1.appendChild(i2);
+ div1 = document.createElement('div');
+ div2 = document.createElement('div');
+ div2.setAttribute('class', 'class3');
+ i3 = document.createElement('i');
+ div3 = document.createElement('div');
+ div3.setAttribute('class', 'class1');
+ div4 = document.createElement('div');
+ div4.setAttribute('class', 'class4');
+ i2.appendChild(div2);
+ div2.appendChild(div1);
+ div1.appendChild(div4);
+ document.documentElement.offsetTop;
+ div1.setAttribute('class', 'class2');
+ div4.appendChild(div3);
+ document.documentElement.offsetTop;
+ i3.appendChild(div3);
+}
+window._onload_ = crash;
+</script>
+</html>
\ No newline at end of file
Property changes on: trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash.html
___________________________________________________________________
Added: svn:executable
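Review bot: as shown, the last script line `window._onload_ = crash;` assigns to a property that is not an event handler, so crash() is never called and the test passes without exercising removeChild at all. It should read `window.onload = crash;`. Two smaller points in the same file: `.class4 { section; -webkit-column-span: all; }` carries a stray `section;` token that is not a valid declaration and should be removed unless the reproduction depends on it (in which case say so in a comment), and the svn:executable property is not needed on an HTML layout test.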
Modified: trunk/Source/WebCore/ChangeLog (142921 => 142922)
--- trunk/Source/WebCore/ChangeLog 2013-02-14 22:31:20 UTC (rev 142921)
+++ trunk/Source/WebCore/ChangeLog 2013-02-14 22:34:44 UTC (rev 142922)
@@ -1,3 +1,19 @@
+2013-02-14 Abhishek Arya <[email protected]>
+
+ Bad cast in RenderBlock::splitBlocks.
+ https://bugs.webkit.org/show_bug.cgi?id=108691
+
+ Reviewed by Levi Weintraub.
+
+ Test: fast/multicol/remove-child-split-flow-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore):
+ (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): rename gIsInColumnFlowSplit to gColumnFlowSplitEnabled
+ and use it to decide when to do the column flow split or not.
+ (WebCore::RenderBlock::removeChild): Do not allow column flow split inside removeChild
+ since we might be merging anonymous blocks.
+
2013-02-14 Mark Lam <[email protected]>
Split SQLTransaction work between the frontend and backend.
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (142921 => 142922)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2013-02-14 22:31:20 UTC (rev 142921)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2013-02-14 22:34:44 UTC (rev 142922)
@@ -118,7 +118,7 @@
static int gDelayUpdateScrollInfo = 0;
static DelayedUpdateScrollInfoSet* gDelayedUpdateScrollInfoSet = 0;
-static bool gIsInColumnFlowSplit = false;
+static bool gColumnFlowSplitEnabled = true;
bool RenderBlock::s_canPropagateFloatIntoSibling = false;
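Review bot: the declaration of `gColumnFlowSplitEnabled` has no comment saying what it gates or who clears it, and the rename also inverts its polarity (it now defaults to `true` where the old flag defaulted to `false`). Since the flag is now cleared from two places, addChildIgnoringAnonymousColumnBlocks and removeChild, a one-line comment on the declaration stating that it is cleared for the duration of a split and of a child removal would keep later readers from misreading it.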
@@ -836,10 +836,10 @@
beforeChild = beforeChild->nextSibling();
// Check for a spanning element in columns.
- if (!gIsInColumnFlowSplit) {
+ if (gColumnFlowSplitEnabled) {
RenderBlock* columnsBlockAncestor = columnsBlockForSpanningElement(newChild);
if (columnsBlockAncestor) {
- TemporaryChange<bool> isInColumnFlowSplit(gIsInColumnFlowSplit, true);
+ TemporaryChange<bool> columnFlowSplitEnabled(gColumnFlowSplitEnabled, false);
// We are placing a column-span element inside a block.
RenderBlock* newBox = createAnonymousColumnSpanBlock();
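Review bot: the scoped local in `TemporaryChange<bool> columnFlowSplitEnabled(gColumnFlowSplitEnabled, false);` is named "enabled" although its only job is to switch the split off for the enclosing scope. A name that says what the guard does (for example a hypothetical `disableColumnFlowSplit`) would read more clearly here and at the matching line in removeChild.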
@@ -1152,6 +1152,9 @@
return;
}
+ // This protects against column split flows when anonymous blocks are getting merged.
+ TemporaryChange<bool> columnFlowSplitEnabled(gColumnFlowSplitEnabled, false);
+
// If this child is a block, and if our previous and next siblings are
// both anonymous blocks with inline content, then we can go ahead and
// fold the inline content back together.
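Review bot: the cast named in the commit title (RenderBlock::splitBlocks) is not touched by this or any other hunk; the guard added here only keeps removeChild from reaching it, so the fix holds only as long as every anonymous-block merge runs under this flag. Consider also adding a type check or assertion at the cast site in splitBlocks so that a caller arriving by another route fails safely. Separately, the guard is declared after the early `return;` visible in the context lines and stays in effect for the rest of the function, which is wider than the merge the new comment describes; either scope it to the merge block or reword the comment to say the whole remainder of removeChild is covered.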