Title: [163531] trunk
- Revision
- 163531
- Author
- [email protected]
- Date
- 2014-02-06 06:42:02 -0800 (Thu, 06 Feb 2014)
Log Message
[CSS Regions] Null dereference applying animation with CSS regions
https://bugs.webkit.org/show_bug.cgi?id=128218
Reviewed by Andrei Bucur.
Source/WebCore:
The first issue (the null dereference) was caused by the checkForZoomChange method
not guarding against a null parentStyle parameter, as the checkForGenericFamilyChange
method does, which in the crashing scenario is called just before the faulty
checkForZoomChange method.
The second issue was an assert which was caused by the fact that detaching is performed
in a certain situation if the element has a renderer or if it's inside a named flow.
However, when reattaching and asserting the element has no renderer, the
"inside named flow" condition was no longer considered.
Test: fast/regions/animation-element-in-region-flowed-to-other-thread.html
* css/StyleResolver.cpp:
(WebCore::StyleResolver::checkForZoomChange):
* style/StyleResolveTree.cpp:
(WebCore::Style::attachChildren):
LayoutTests:
Added test for crash caused by using animations with DOM children of regions flowed
into another flow thread.
* fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html: Added.
* fast/regions/animation-element-in-region-flowed-to-other-thread.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (163530 => 163531)
--- trunk/LayoutTests/ChangeLog 2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/LayoutTests/ChangeLog 2014-02-06 14:42:02 UTC (rev 163531)
@@ -1,3 +1,16 @@
+2014-02-06 Radu Stavila <[email protected]>
+
+ [CSS Regions] Null dereference applying animation with CSS regions
+ https://bugs.webkit.org/show_bug.cgi?id=128218
+
+ Reviewed by Andrei Bucur.
+
+ Added test for crash caused by using animations with DOM children of regions flowed
+ into another flow thread.
+
+ * fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html: Added.
+ * fast/regions/animation-element-in-region-flowed-to-other-thread.html: Added.
+
2014-02-06 Grzegorz Czajkowski <[email protected]>
Verify copy/paste of misspellings asynchronously
Added: trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html (0 => 163531)
--- trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html (rev 0)
+++ trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html 2014-02-06 14:42:02 UTC (rev 163531)
@@ -0,0 +1,2 @@
+<p>This test passes if it doesn't crash or assert</p>
+<a href="" 128218 - [CSS Regions] Null dereference applying animation with CSS regions</a>
Added: trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html (0 => 163531)
--- trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html (rev 0)
+++ trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html 2014-02-06 14:42:02 UTC (rev 163531)
@@ -0,0 +1,19 @@
+<style>
+ div {
+ -webkit-animation-name: n;
+ -webkit-animation-duration: 1s;
+ }
+
+ @-webkit-keyframes n {
+ to { font-weight: bold; }
+ }
+</style>
+
+<p>This test passes if it doesn't crash or assert</p>
+<a href="" 128218 - [CSS Regions] Null dereference applying animation with CSS regions</a>
+<div id="div1" style="-webkit-flow-from: a;">
+ <div id="div2">
+ <div id="div3" style="-webkit-flow-into: b;">test</div>
+ </div>
+</div>
+
Modified: trunk/Source/WebCore/ChangeLog (163530 => 163531)
--- trunk/Source/WebCore/ChangeLog 2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/ChangeLog 2014-02-06 14:42:02 UTC (rev 163531)
@@ -1,3 +1,26 @@
+2014-02-06 Radu Stavila <[email protected]>
+
+ [CSS Regions] Null dereference applying animation with CSS regions
+ https://bugs.webkit.org/show_bug.cgi?id=128218
+
+ Reviewed by Andrei Bucur.
+
+ The first issue (the null dereference) was caused by the checkForZoomChange method
+ not guarding against a null parentStyle parameter, as the checkForGenericFamilyChange
+ method does, which in the crashing scenario is called just before the faulty
+ checkForZoomChange method.
+ The second issue was an assert which was caused by the fact that detaching is performed
+ in a certain situation if the element has a renderer or if it's inside a named flow.
+ However, when reattaching and asserting the element has no renderer, the
+ "inside named flow" condition was no longer considered.
+
+ Test: fast/regions/animation-element-in-region-flowed-to-other-thread.html
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::checkForZoomChange):
+ * style/StyleResolveTree.cpp:
+ (WebCore::Style::attachChildren):
+
2014-02-06 László Langó <[email protected]>
Create a HTMLUnknownElement when using createElement('image')
Modified: trunk/Source/WebCore/css/StyleResolver.cpp (163530 => 163531)
--- trunk/Source/WebCore/css/StyleResolver.cpp 2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/css/StyleResolver.cpp 2014-02-06 14:42:02 UTC (rev 163531)
@@ -3122,6 +3122,9 @@
void StyleResolver::checkForZoomChange(RenderStyle* style, RenderStyle* parentStyle)
{
+ if (!parentStyle)
+ return;
+
if (style->effectiveZoom() == parentStyle->effectiveZoom())
return;
Modified: trunk/Source/WebCore/style/StyleResolveTree.cpp (163530 => 163531)
--- trunk/Source/WebCore/style/StyleResolveTree.cpp 2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/style/StyleResolveTree.cpp 2014-02-06 14:42:02 UTC (rev 163531)
@@ -452,7 +452,7 @@
attachDistributedChildren(toInsertionPoint(current));
for (Node* child = current.firstChild(); child; child = child->nextSibling()) {
- ASSERT(!child->renderer() || current.shadowRoot() || isInsertionPoint(current));
+ ASSERT((!child->renderer() || child->inNamedFlow()) || current.shadowRoot() || isInsertionPoint(current));
if (child->renderer())
continue;
if (child->isTextNode()) {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
