Title: [160819] trunk
Revision
160819
Author
[email protected]
Date
2013-12-18 19:09:56 -0800 (Wed, 18 Dec 2013)

Log Message

Crash in WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches
https://bugs.webkit.org/show_bug.cgi?id=125970

Reviewed by Antti Koivisto.

Source/WebCore: 

The bug was caused by containingBlockForAbsolutePosition returning a non-RenderBlock render object.
Fixed the bug by obtaining its containing block.

Also changed the return type of containingBlockForFixedPosition, containingBlockForAbsolutePosition,
containingBlockForObjectInFlow from RenderElement to RenderBlock as all callers of these functions
had assumed the return value to be an instance of RenderBlock.

Test: svg/text/select-text-inside-non-static-position.html

* rendering/LogicalSelectionOffsetCaches.h:
(WebCore::containingBlockForFixedPosition):
(WebCore::containingBlockForAbsolutePosition):
(WebCore::containingBlockForObjectInFlow):
(WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):

LayoutTests: 

Added a regression test.

* svg/text/select-text-inside-non-static-position-expected.txt: Added.
* svg/text/select-text-inside-non-static-position.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (160818 => 160819)


--- trunk/LayoutTests/ChangeLog	2013-12-19 02:33:33 UTC (rev 160818)
+++ trunk/LayoutTests/ChangeLog	2013-12-19 03:09:56 UTC (rev 160819)
@@ -1,3 +1,15 @@
+2013-12-18  Ryosuke Niwa  <[email protected]>
+
+        Crash in WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches
+        https://bugs.webkit.org/show_bug.cgi?id=125970
+
+        Reviewed by Antti Koivisto.
+
+        Added a regression test.
+
+        * svg/text/select-text-inside-non-static-position-expected.txt: Added.
+        * svg/text/select-text-inside-non-static-position.html: Added.
+
 2013-12-18  Chris Fleizach  <[email protected]>
 
         AX: make aria-hidden=false work with subtrees

Added: trunk/LayoutTests/svg/text/select-text-inside-non-static-position-expected.txt (0 => 160819)


--- trunk/LayoutTests/svg/text/select-text-inside-non-static-position-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/text/select-text-inside-non-static-position-expected.txt	2013-12-19 03:09:56 UTC (rev 160819)
@@ -0,0 +1 @@
+This tests selecting text inside a non-statically positioned SVG content. WebKit should not hit assertions. PASS.

Added: trunk/LayoutTests/svg/text/select-text-inside-non-static-position.html (0 => 160819)


--- trunk/LayoutTests/svg/text/select-text-inside-non-static-position.html	                        (rev 0)
+++ trunk/LayoutTests/svg/text/select-text-inside-non-static-position.html	2013-12-19 03:09:56 UTC (rev 160819)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+* {
+    position: -webkit-sticky;
+    -webkit-transform: scaleX(2);
+}
+</style>
+</head>
+<body>
+<p id="description">This tests selecting text inside a non-statically positioned SVG content. WebKit should not hit assertions.</p>
+<svg style="width: 50px; height: 50px; border: 1px solid black;">
+<text>svg text</text>
+</svg>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.execCommand("SelectAll");
+
+document.querySelector('style').remove();
+document.write('PASS');
+
+</script>
+</body>
+</html>
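Review bot: please confirm the expectation file was generated from an actual run rather than written by hand. The page dumps a description paragraph, an SVG `<text>svg text</text>` node, and then `document.write('PASS')` with no trailing period, yet the expected output added in the previous file is a single line ending in "PASS." with the SVG text absent. If a trailing period or a line break is missing, the test will fail on the bots even though the fix is correct. Also note that the test only exercises the assertion path (`WebKit should not hit assertions`), so it is meaningful in debug builds; that is fine for a regression test, but the description could say so.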

Modified: trunk/Source/WebCore/ChangeLog (160818 => 160819)


--- trunk/Source/WebCore/ChangeLog	2013-12-19 02:33:33 UTC (rev 160818)
+++ trunk/Source/WebCore/ChangeLog	2013-12-19 03:09:56 UTC (rev 160819)
@@ -1,3 +1,25 @@
+2013-12-18  Ryosuke Niwa  <[email protected]>
+
+        Crash in WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches
+        https://bugs.webkit.org/show_bug.cgi?id=125970
+
+        Reviewed by Antti Koivisto.
+
+        The bug was caused by containingBlockForAbsolutePosition returning a non-RenderBlock render object.
+        Fixed the bug by obtaining its containg block.
+
+        Also changed the return type of containingBlockForFixedPosition, containingBlockForAbsolutePosition,
+        containingBlockForObjectInFlow from RenderElement to RenderBlock as all callers of these functions
+        had assumed the return value to be an instance of RenderBlock.
+
+        Test: svg/text/select-text-inside-non-static-position.html
+
+        * rendering/LogicalSelectionOffsetCaches.h:
+        (WebCore::containingBlockForFixedPosition):
+        (WebCore::containingBlockForAbsolutePosition):
+        (WebCore::containingBlockForObjectInFlow):
+        (WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):
+
 2013-12-18  Andreas Kling  <[email protected]>
 
         Don't waste cycles on zeroing every CascadedProperties::Property.
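Review bot: typo in the ChangeLog entry, "Fixed the bug by obtaining its containg block." should read "containing block".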

Modified: trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h (160818 => 160819)


--- trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h	2013-12-19 02:33:33 UTC (rev 160818)
+++ trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h	2013-12-19 03:09:56 UTC (rev 160819)
@@ -40,16 +40,16 @@
     return (object.isInline() && !object.isReplaced()) || !object.isRenderBlock();
 }
 
-static inline RenderElement* containingBlockForFixedPosition(RenderElement* parent)
+static inline RenderBlock* containingBlockForFixedPosition(RenderElement* parent)
 {
     RenderElement* object = parent;
     while (object && !object->canContainFixedPositionObjects())
         object = object->parent();
     ASSERT(!object || !object->isAnonymousBlock());
-    return object;
+    return toRenderBlock(object);
 }
 
-static inline RenderElement* containingBlockForAbsolutePosition(RenderElement* parent)
+static inline RenderBlock* containingBlockForAbsolutePosition(RenderElement* parent)
 {
     RenderElement* object = parent;
     while (object && !isContainingBlockCandidateForAbsolutelyPositionedObject(*object))
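Review bot: containingBlockForFixedPosition now returns `toRenderBlock(object)` without any check that the renderer found by `canContainFixedPositionObjects()` is a RenderBlock; the only assertion in the function, `ASSERT(!object || !object->isAnonymousBlock());`, checks anonymity, not type. The absolute-position variant in the next hunk gets a `!object->isRenderBlock()` guard that walks to `containingBlock()`; if a non-block renderer can ever satisfy `canContainFixedPositionObjects()`, the same guard belongs here, otherwise add `ASSERT(!object || object->isRenderBlock())` so the invariant the downcast relies on is documented and checked in debug builds.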
@@ -59,21 +59,21 @@
     // not the inline itself, to avoid having a positioned objects list in all RenderInlines
     // and use RenderBlock* as RenderElement::containingBlock's return type.
     // Use RenderBlock::container() to obtain the inline.
-    if (object && object->isRenderInline())
+    if (object && !object->isRenderBlock())
         object = object->containingBlock();
 
     while (object && object->isAnonymousBlock())
         object = object->containingBlock();
 
-    return object;
+    return toRenderBlock(object);
 }
 
-static inline RenderElement* containingBlockForObjectInFlow(RenderElement* parent)
+static inline RenderBlock* containingBlockForObjectInFlow(RenderElement* parent)
 {
     RenderElement* object = parent;
     while (object && isNonRenderBlockInline(*object))
         object = object->parent();
-    return object;
+    return toRenderBlock(object);
 }
 
 class LogicalSelectionOffsetCaches {
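Review bot: the comment above the changed condition in containingBlockForAbsolutePosition still talks specifically about inlines ("to avoid having a positioned objects list in all RenderInlines" and "Use RenderBlock::container() to obtain the inline."), but the condition was widened from `object->isRenderInline()` to `!object->isRenderBlock()`, which is exactly the case this bug was about (a non-RenderBlock, non-inline candidate). Update the comment to say that any non-block candidate is redirected to its containing block, and mention the SVG case from the test so the next reader knows why the broader check is needed. The `toRenderBlock(object)` in containingBlockForObjectInFlow is safe as written, since `isNonRenderBlockInline` returns true for every non-RenderBlock renderer and the loop only exits on a RenderBlock or null.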
@@ -143,9 +143,9 @@
         auto parent = rootBlock.parent();
 
         // LogicalSelectionOffsetCaches should not be used on an orphaned tree.
-        m_containingBlockForFixedPosition.setBlock(toRenderBlock(containingBlockForFixedPosition(parent)), 0);
-        m_containingBlockForAbsolutePosition.setBlock(toRenderBlock(containingBlockForAbsolutePosition(parent)), 0);
-        m_containingBlockForInflowPosition.setBlock(toRenderBlock(containingBlockForObjectInFlow(parent)), 0);
+        m_containingBlockForFixedPosition.setBlock(containingBlockForFixedPosition(parent), 0);
+        m_containingBlockForAbsolutePosition.setBlock(containingBlockForAbsolutePosition(parent), 0);
+        m_containingBlockForInflowPosition.setBlock(containingBlockForObjectInFlow(parent), 0);
     }
 
     LogicalSelectionOffsetCaches(RenderBlock& block, const LogicalSelectionOffsetCaches& cache)
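Review bot: the comment "LogicalSelectionOffsetCaches should not be used on an orphaned tree." is not enforced: all three helpers accept a null `parent` (their loops are guarded by `object &&`) and now return a null RenderBlock*, so an orphaned root silently yields empty caches instead of failing. If the comment states a real precondition, add `ASSERT(parent)` before the three `setBlock` calls; if a null parent is actually tolerated, reword the comment to say the caches are simply empty in that case.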
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes