Title: [194016] trunk
Revision: 194016
Author: [email protected]
Date: 2015-12-13 08:18:07 -0800 (Sun, 13 Dec 2015)

Log Message

Clean up absolute positioned map properly.
https://bugs.webkit.org/show_bug.cgi?id=152219
rdar://problem/23861165

Reviewed by Simon Fraser.

We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
Since this static map is at block level, (positioned) inline renderers use their containing block to store
their positioned descendants.
This patch ensures that when an inline element can no longer hold positioned children, we remove them from
the inline's containing block's map, unless the container itself can hold positioned renderers (see RenderElement::canContainAbsolutelyPositionedObjects).

Source/WebCore:

Test: fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html

* rendering/RenderInline.cpp:
(WebCore::RenderInline::styleWillChange):
* rendering/RenderInline.h:

LayoutTests:

* fast/block/positioning/crash-when-positioned-inline-has-positioned-child-expected.txt: Added.
* fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (194015 => 194016)


--- trunk/LayoutTests/ChangeLog	2015-12-13 14:07:40 UTC (rev 194015)
+++ trunk/LayoutTests/ChangeLog	2015-12-13 16:18:07 UTC (rev 194016)
@@ -1,3 +1,20 @@
+2015-12-13  Zalan Bujtas  <[email protected]>
+
+        Clean up absolute positioned map properly.
+        https://bugs.webkit.org/show_bug.cgi?id=152219
+        rdar://problem/23861165
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        Since this static map is at block level, (positioned)inline renderers use their containing block to store
+        their positioned descendants.
+        This patch ensures that when an inline element can no longer hold positioned children, we remove them from
+        the inline's containing block's map. -unless the container itself can hold positioned renderers(see RenderElement::canContainAbsolutelyPositionedObjects).
+
+        * fast/block/positioning/crash-when-positioned-inline-has-positioned-child-expected.txt: Added.
+        * fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html: Added.
+
 2015-12-13  Joanmarie Diggs  <[email protected]>
 
         AX: [EFL] Anonymous render block flow elements should be exposed as ATK_ROLE_SECTION; not ATK_ROLE_PANEL

Added: trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child-expected.txt (0 => 194016)


--- trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child-expected.txt	2015-12-13 16:18:07 UTC (rev 194016)
@@ -0,0 +1 @@
+Pass if no assert in debug.

Added: trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html (0 => 194016)


--- trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html	2015-12-13 16:18:07 UTC (rev 194016)
@@ -0,0 +1,16 @@
+Pass if no assert in debug.
+<div id=wrapper><span id=container style="position: relative;"><span style="position: absolute;"></span></span><div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.getElementById("container").innerText;
+document.getElementById("container").setAttribute("style","-webkit-justify-self: stretch;");
+if (window.testRunner)
+    testRunner.waitUntilDone();
+setTimeout(function() { 
+ var element = document.getElementById("wrapper");
+ element.parentNode.removeChild(element);
+  if (window.testRunner)
+      testRunner.notifyDone();
+  }, 0);
+</script>
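Review bot: The wrapper in the markup line is never closed: the line ends with `<div>` where `</div>` looks intended, so the test opens a second, nested div and relies on parser recovery. Suggest closing it explicitly. The setAttribute call replaces the whole style attribute with `-webkit-justify-self: stretch;`, which is what drops `position: relative` from the container; a one-line comment saying that the point is to make the inline static while it still has an absolutely positioned child would make the test self-explanatory. The setTimeout callback also mixes one-, two- and six-space indentation and the `function() {` line has trailing whitespace.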

Modified: trunk/Source/WebCore/ChangeLog (194015 => 194016)


--- trunk/Source/WebCore/ChangeLog	2015-12-13 14:07:40 UTC (rev 194015)
+++ trunk/Source/WebCore/ChangeLog	2015-12-13 16:18:07 UTC (rev 194016)
@@ -1,3 +1,23 @@
+2015-12-13  Zalan Bujtas  <[email protected]>
+
+        Clean up absolute positioned map properly.
+        https://bugs.webkit.org/show_bug.cgi?id=152219
+        rdar://problem/23861165
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        Since this static map is at block level, (positioned)inline renderers use their containing block to store
+        their positioned descendants.
+        This patch ensures that when an inline element can no longer hold positioned children, we remove them from
+        the inline's containing block's map. -unless the container itself can hold positioned renderers(see RenderElement::canContainAbsolutelyPositionedObjects).
+
+        Test: fast/block/positioning/crash-when-positioned-inline-has-positioned-child.html
+
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::styleWillChange):
+        * rendering/RenderInline.h:
+
 2015-12-13  Joanmarie Diggs  <[email protected]>
 
         AX: [EFL] Anonymous render block flow elements should be exposed as ATK_ROLE_SECTION; not ATK_ROLE_PANEL
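Review bot: The per-function entry `(WebCore::RenderInline::styleWillChange):` is left empty; a short description there (for example, that it removes positioned objects from the containing block when the inline becomes static) would save readers from reconstructing it from the diff. The closing sentence of the description also has stray punctuation in "map. -unless" and a missing space before "(see".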

Modified: trunk/Source/WebCore/rendering/RenderInline.cpp (194015 => 194016)


--- trunk/Source/WebCore/rendering/RenderInline.cpp	2015-12-13 14:07:40 UTC (rev 194015)
+++ trunk/Source/WebCore/rendering/RenderInline.cpp	2015-12-13 16:18:07 UTC (rev 194016)
@@ -164,6 +164,19 @@
     }
 }
 
+void RenderInline::styleWillChange(StyleDifference diff, const RenderStyle& newStyle)
+{
+    RenderBoxModelObject::styleWillChange(diff, newStyle);
+
+    // Check if this inline can hold absolute positioned elmements even after the style change.
+    if (canContainAbsolutelyPositionedObjects() && newStyle.position() == StaticPosition) {
+        // RenderInlines forward their absolute positioned descendants to their (non-anonymous) containing block.
+        auto* container = containingBlockForAbsolutePosition();
+        if (container && !container->canContainAbsolutelyPositionedObjects())
+            container->removePositionedObjects(nullptr, NewContainingBlock);
+    }
+}
+
 void RenderInline::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
 {
     RenderBoxModelObject::styleDidChange(diff, oldStyle);
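Review bot: In the added styleWillChange(), `container->removePositionedObjects(nullptr, NewContainingBlock)` passes nullptr rather than this inline, so as far as these lines show the removal is not limited to the descendants this inline forwarded to its containing block. If the containing block also tracks positioned descendants on behalf of a sibling inline that stays positioned, would those entries be dropped as well? Either pass `this`, or add a comment explaining why clearing the container's whole list is safe here. Two smaller points: the comment above the `if` says "can hold ... even after the style change", while the branch runs when the inline can hold them now and the new position is static, so wording along the lines of "this inline stops being a container for absolutely positioned elements" would match the code; and "elmements" is a typo.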

Modified: trunk/Source/WebCore/rendering/RenderInline.h (194015 => 194016)


--- trunk/Source/WebCore/rendering/RenderInline.h	2015-12-13 14:07:40 UTC (rev 194015)
+++ trunk/Source/WebCore/rendering/RenderInline.h	2015-12-13 16:18:07 UTC (rev 194016)
@@ -104,6 +104,7 @@
 protected:
     virtual void willBeDestroyed() override;
 
+    void styleWillChange(StyleDifference, const RenderStyle& newStyle) override;
     virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle) override;
 
     virtual void updateFromStyle() override;
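Review bot: The new declaration `void styleWillChange(StyleDifference, const RenderStyle& newStyle) override;` drops `virtual`, while the neighbouring willBeDestroyed(), styleDidChange() and updateFromStyle() are all written `virtual ... override`. `override` alone is sufficient, but the protected block now mixes both spellings; either match the surrounding declarations or convert them in the same change so the header stays consistent.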
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes