Title: [188340] trunk
Revision
188340
Author
[email protected]
Date
2015-08-12 11:54:05 -0700 (Wed, 12 Aug 2015)

Log Message

REGRESSION(r185606): ASSERT in WebCore::RenderElement::styleWillChange
https://bugs.webkit.org/show_bug.cgi?id=147596
<rdar://problem/21963355>

Reviewed by Jon Honeycutt.

Source/WebCore:

Only add (or remove) a RenderElement from the container of RenderBoxes with
scroll snap coordinates if the element actually is a RenderBox.

Tested by css3/scroll-snap/improper-snap-points-crash.html.

* rendering/RenderElement.cpp:
(WebCore::RenderElement::styleWillChange):
(WebCore::RenderElement::willBeRemovedFromTree):

LayoutTests:

* css3/scroll-snap/improper-snap-points-crash-expected.txt: Added.
* css3/scroll-snap/improper-snap-points-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (188339 => 188340)


--- trunk/LayoutTests/ChangeLog	2015-08-12 18:28:20 UTC (rev 188339)
+++ trunk/LayoutTests/ChangeLog	2015-08-12 18:54:05 UTC (rev 188340)
@@ -1,3 +1,14 @@
+2015-08-12  Brent Fulgham  <[email protected]>
+
+        REGRESSION(r185606): ASSERT in WebCore::RenderElement::styleWillChange
+        https://bugs.webkit.org/show_bug.cgi?id=147596
+        <rdar://problem/21963355>
+
+        Reviewed by Jon Honeycutt.
+
+        * css3/scroll-snap/improper-snap-points-crash-expected.txt: Added.
+        * css3/scroll-snap/improper-snap-points-crash.html: Added.
+
 2015-08-12  Youenn Fablet  <[email protected]>
 
         XHR.setRequestHeader should remove trailing and leading whitespaces from the header value

Added: trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash-expected.txt (0 => 188340)


--- trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash-expected.txt	2015-08-12 18:54:05 UTC (rev 188340)
@@ -0,0 +1,15 @@
+The test passes if this page renders without crashing.
+
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Scroll-snap offsets for horizontalTarget: horizontal = { 0, 100, 200, 300, 400, 500 }
+Scroll-snap offsets for first: 
+Scroll-snap offsets for second: 
+Scroll-snap offsets for third: 
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash.html (0 => 188340)


--- trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash.html	                        (rev 0)
+++ trunk/LayoutTests/css3/scroll-snap/improper-snap-points-crash.html	2015-08-12 18:54:05 UTC (rev 188340)
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <style>
+            .horizontalGallery {
+                width: 100px;
+                height: 100px;
+                overflow-y: hidden;
+                overflow-x: auto;
+                margin: 2px;
+                -webkit-overflow-scrolling: touch;
+                -webkit-scroll-snap-points-x: repeat(100%);
+                -webkit-scroll-snap-type: mandatory;
+                -webkit-scroll-snap-coordinate: 50% 50%;
+            }
+            .horizontalGalleryDrawer {
+                width: 600px;
+                height: 100px;
+            }
+            .colorBox {
+                height: 100px;
+                width: 100px;
+                float: left;
+            }
+            #item0 { background-color: red; }
+            #item1 { background-color: green; }
+            #item2 { background-color: blue; }
+            #item3 { background-color: aqua; }
+            #item4 { background-color: yellow; }
+            #item5 { background-color: fuchsia; }
+        </style>
+        <script src=""
+        <script>
+        function reportResult(horizontalTargetID)
+        {
+            var horizontalTarget = document.getElementById(horizontalTargetID);
+
+            debug("Scroll-snap offsets for " + horizontalTargetID + ": " + window.internals.scrollSnapOffsets(horizontalTarget));
+        }
+
+        function runTest()
+        {
+            reportResult('horizontalTarget');
+            reportResult('first');
+            reportResult('second');
+            reportResult('third');
+
+            finishJSTest();
+            testRunner.notifyDone();
+        }
+
+        function onLoad()
+        {
+            if (window.testRunner) {
+                window.jsTestIsAsync = true;
+                testRunner.dumpAsText();
+                testRunner.waitUntilDone();
+                setTimeout(runTest, 0);
+            }
+        }
+        </script>
+    </head>
+    <body _onload_="onLoad();">
+        <div style="position: relative; width: 300px">
+            <div>The test passes if this page renders without crashing.</div>
+            <div class="horizontalGallery" id="horizontalTarget">
+                <div class="horizontalGalleryDrawer">
+                    <div id="item0" class="colorBox"></div>
+                    <div id="item1" class="colorBox"></div>
+                    <div id="item2" class="colorBox"></div>
+                    <br id="first" />
+                    <br class="horizontalGallery" id="second" />
+                </div>
+            </div>
+            <br class="horizontalGallery" id="third" />
+            <div id="console"></div>
+        </div>
+        <script src=""
+    </body>
+</html>
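Review bot: `window.jsTestIsAsync = true` is assigned inside `onLoad()`, which runs only after the script at the end of `<body>` has been parsed. That script's `src` is blank on this page, so this is inferred, but if it is the usual js-test post script, the harness has already finished the test once before `runTest()` calls `finishJSTest()` again. The expected file added in this commit does list `PASS successfullyParsed is true` / `TEST COMPLETE` twice, which is consistent with a double finish. Moving the assignment to the top of the first inline script, as `window.jsTestIsAsync = true;`, would leave a single completion and a less fragile expectation. Separately, `reportResult()` dereferences `window.internals` while `onLoad()` checks only `window.testRunner`; a one-line comment that the test needs both would help.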

Modified: trunk/Source/WebCore/ChangeLog (188339 => 188340)


--- trunk/Source/WebCore/ChangeLog	2015-08-12 18:28:20 UTC (rev 188339)
+++ trunk/Source/WebCore/ChangeLog	2015-08-12 18:54:05 UTC (rev 188340)
@@ -1,3 +1,20 @@
+2015-08-12  Brent Fulgham  <[email protected]>
+
+        REGRESSION(r185606): ASSERT in WebCore::RenderElement::styleWillChange
+        https://bugs.webkit.org/show_bug.cgi?id=147596
+        <rdar://problem/21963355>
+
+        Reviewed by Jon Honeycutt.
+
+        Only add (or remove) a RenderElement from the container of RenderBoxes with
+        scroll snap coordinates if the element actually is a RenderBox.
+
+        Tested by css3/scroll-snap/improper-snap-points-crash.html.
+
+        * rendering/RenderElement.cpp:
+        (WebCore::RenderElement::styleWillChange):
+        (WebCore::RenderElement::willBeRemovedFromTree):
+
 2015-08-12  Devin Rousso  <[email protected]>
 
         Web Inspector: Implement selector highlighting for iOS

Modified: trunk/Source/WebCore/rendering/RenderElement.cpp (188339 => 188340)


--- trunk/Source/WebCore/rendering/RenderElement.cpp	2015-08-12 18:28:20 UTC (rev 188339)
+++ trunk/Source/WebCore/rendering/RenderElement.cpp	2015-08-12 18:54:05 UTC (rev 188340)
@@ -901,11 +901,12 @@
 
 #if ENABLE(CSS_SCROLL_SNAP)
     if (!newStyle.scrollSnapCoordinates().isEmpty() || (oldStyle && !oldStyle->scrollSnapCoordinates().isEmpty())) {
-        ASSERT(is<RenderBox>(this));
-        if (newStyle.scrollSnapCoordinates().isEmpty())
-            view().unregisterBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
-        else
-            view().registerBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
+        if (is<RenderBox>(*this)) {
+            if (newStyle.scrollSnapCoordinates().isEmpty())
+                view().unregisterBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
+            else
+                view().registerBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
+        }
     }
 #endif
 
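Review bot: The new `if (is<RenderBox>(*this))` guard in styleWillChange silently skips non-box renderers, and nothing in the code says why such a renderer can reach this branch with non-empty scroll snap coordinates; the same applies to the guard added in willBeRemovedFromTree in the next hunk. The removed `ASSERT` was presumably compiled out of release builds, so `downcast<RenderBox>` would have been reached there for a renderer of the wrong type, which makes this check more than the silencing of a debug assertion. I would add a comment above the guard such as `// scroll-snap-coordinate can be set on any element (e.g. <br>); only RenderBoxes are tracked by the view.` so that a later cleanup does not turn the check back into an assertion. The function body starts and ends outside the hunk.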
@@ -1066,8 +1067,8 @@
     
 #if ENABLE(CSS_SCROLL_SNAP)
     if (!m_style->scrollSnapCoordinates().isEmpty()) {
-        ASSERT(is<RenderBox>(this));
-        view().unregisterBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
+        if (is<RenderBox>(*this))
+            view().unregisterBoxWithScrollSnapCoordinates(downcast<RenderBox>(*this));
     }
 #endif
 
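Review bot: The outer `if` in willBeRemovedFromTree now wraps nothing but a second `if`, so its braces and the extra nesting level carry no information. The two conditions can be combined as `if (is<RenderBox>(*this) && !m_style->scrollSnapCoordinates().isEmpty())`, followed directly by the unregister call. The same folding is possible in the styleWillChange hunk above, where the box check can join the outer condition. The enclosing function continues outside the hunk.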