Title: [198701] trunk/Source/WebCore
Revision
198701
Author
[email protected]
Date
2016-03-25 16:45:13 -0700 (Fri, 25 Mar 2016)

Log Message

RenderImage::repaintOrMarkForLayout fails when the renderer is detached.
https://bugs.webkit.org/show_bug.cgi?id=155885
<rdar://problem/25359164>

Reviewed by Simon Fraser.

Making containingBlockFor* functions standalone ensures that we don't
call them on an invalid object.

Covered by existing tests.

* dom/Element.cpp:
(WebCore::layoutOverflowRectContainsAllDescendants):
* rendering/LogicalSelectionOffsetCaches.h:
(WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):
* rendering/RenderElement.cpp:
(WebCore::containingBlockForFixedPosition):
(WebCore::containingBlockForAbsolutePosition):
(WebCore::containingBlockForObjectInFlow):
(WebCore::RenderElement::containingBlockForFixedPosition): Deleted.
(WebCore::RenderElement::containingBlockForAbsolutePosition): Deleted.
(WebCore::isNonRenderBlockInline): Deleted.
(WebCore::RenderElement::containingBlockForObjectInFlow): Deleted.
* rendering/RenderElement.h:
* rendering/RenderInline.cpp:
(WebCore::RenderInline::styleWillChange):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::containingBlock):

Diff

Modified: trunk/Source/WebCore/ChangeLog (198700 => 198701)


--- trunk/Source/WebCore/ChangeLog	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/ChangeLog	2016-03-25 23:45:13 UTC (rev 198701)
@@ -1,3 +1,34 @@
+2016-03-25  Zalan Bujtas  <[email protected]>
+
+        RenderImage::repaintOrMarkForLayout fails when the renderer is detached.
+        https://bugs.webkit.org/show_bug.cgi?id=155885
+        <rdar://problem/25359164>
+
+        Reviewed by Simon Fraser.
+
+        Making containingBlockFor* functions standalone ensures that we don't
+        call them on an invalid object. 
+
+        Covered by existing tests.
+
+        * dom/Element.cpp:
+        (WebCore::layoutOverflowRectContainsAllDescendants):
+        * rendering/LogicalSelectionOffsetCaches.h:
+        (WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):
+        * rendering/RenderElement.cpp:
+        (WebCore::containingBlockForFixedPosition):
+        (WebCore::containingBlockForAbsolutePosition):
+        (WebCore::containingBlockForObjectInFlow):
+        (WebCore::RenderElement::containingBlockForFixedPosition): Deleted.
+        (WebCore::RenderElement::containingBlockForAbsolutePosition): Deleted.
+        (WebCore::isNonRenderBlockInline): Deleted.
+        (WebCore::RenderElement::containingBlockForObjectInFlow): Deleted.
+        * rendering/RenderElement.h:
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::styleWillChange):
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::containingBlock):
+
 2016-03-25  Dean Jackson  <[email protected]>
 
         Remove use of extern "C" to include QuartzCore files

Modified: trunk/Source/WebCore/dom/Element.cpp (198700 => 198701)


--- trunk/Source/WebCore/dom/Element.cpp	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/dom/Element.cpp	2016-03-25 23:45:13 UTC (rev 198701)
@@ -974,7 +974,7 @@
     }
 
     // This renderer may have positioned descendants whose containing block is some ancestor.
-    if (auto containingBlock = renderer.containingBlockForAbsolutePosition()) {
+    if (auto containingBlock = containingBlockForAbsolutePosition(&renderer)) {
         if (auto positionedObjects = containingBlock->positionedObjects()) {
             for (RenderBox* it : *positionedObjects) {
                 if (it != &renderer && renderer.element()->contains(it->element()))

Modified: trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h (198700 => 198701)


--- trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h	2016-03-25 23:45:13 UTC (rev 198701)
@@ -91,9 +91,9 @@
         auto parent = rootBlock.parent();
 
         // LogicalSelectionOffsetCaches should not be used on an orphaned tree.
-        m_containingBlockForFixedPosition.setBlock(parent->containingBlockForFixedPosition(), nullptr);
-        m_containingBlockForAbsolutePosition.setBlock(parent->containingBlockForAbsolutePosition(), nullptr);
-        m_containingBlockForInflowPosition.setBlock(parent->containingBlockForObjectInFlow(), nullptr);
+        m_containingBlockForFixedPosition.setBlock(containingBlockForFixedPosition(parent), nullptr);
+        m_containingBlockForAbsolutePosition.setBlock(containingBlockForAbsolutePosition(parent), nullptr);
+        m_containingBlockForInflowPosition.setBlock(containingBlockForObjectInFlow(parent), nullptr);
     }
 
     LogicalSelectionOffsetCaches(RenderBlock& block, const LogicalSelectionOffsetCaches& cache)
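Review bot: `parent` from `rootBlock.parent()` is passed straight into the three new free functions, which return nullptr for a null argument (their `while (object && ...)` walks simply never start) instead of faulting on a member call, so the `// LogicalSelectionOffsetCaches should not be used on an orphaned tree.` comment above the changed lines is no longer backed by anything. If that precondition is meant to hold, add `ASSERT(parent);` directly after `auto parent = rootBlock.parent();` so a detached root is still caught in debug builds rather than silently producing three null containing blocks. The enclosing constructor begins outside the hunk.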

Modified: trunk/Source/WebCore/rendering/RenderElement.cpp (198700 => 198701)


--- trunk/Source/WebCore/rendering/RenderElement.cpp	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/rendering/RenderElement.cpp	2016-03-25 23:45:13 UTC (rev 198701)
@@ -1585,48 +1585,6 @@
     return styleResolver.pseudoStyleForElement(*element(), pseudoStyleRequest, *parentStyle);
 }
 
-RenderBlock* RenderElement::containingBlockForFixedPosition() const
-{
-    const RenderElement* object = this;
-    while (object && !object->canContainFixedPositionObjects())
-        object = object->parent();
-
-    ASSERT(!object || !object->isAnonymousBlock());
-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
-}
-
-RenderBlock* RenderElement::containingBlockForAbsolutePosition() const
-{
-    const RenderElement* object = this;
-    while (object && !object->canContainAbsolutelyPositionedObjects())
-        object = object->parent();
-
-    // For a relatively positioned inline, return its nearest non-anonymous containing block,
-    // not the inline itself, to avoid having a positioned objects list in all RenderInlines
-    // and use RenderBlock* as RenderElement::containingBlock's return type.
-    // Use RenderBlock::container() to obtain the inline.
-    if (object && !is<RenderBlock>(*object))
-        object = object->containingBlock();
-
-    while (object && object->isAnonymousBlock())
-        object = object->containingBlock();
-
-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
-}
-
-static inline bool isNonRenderBlockInline(const RenderElement& object)
-{
-    return (object.isInline() && !object.isReplaced()) || !object.isRenderBlock();
-}
-
-RenderBlock* RenderElement::containingBlockForObjectInFlow() const
-{
-    const RenderElement* object = this;
-    while (object && isNonRenderBlockInline(*object))
-        object = object->parent();
-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
-}
-
 Color RenderElement::selectionColor(int colorProperty) const
 {
     // If the element is unselectable, or we are only painting the selection,
@@ -2210,4 +2168,41 @@
         downcast<RenderBoxModelObject>(*this).continuation()->updateOutlineAutoAncestor(hasOutlineAuto);
 }
 
+RenderBlock* containingBlockForFixedPosition(const RenderElement* element)
+{
+    const auto* object = element;
+    while (object && !object->canContainFixedPositionObjects())
+        object = object->parent();
+
+    ASSERT(!object || !object->isAnonymousBlock());
+    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
 }
+
+RenderBlock* containingBlockForAbsolutePosition(const RenderElement* element)
+{
+    const auto* object = element;
+    while (object && !object->canContainAbsolutelyPositionedObjects())
+        object = object->parent();
+
+    // For a relatively positioned inline, return its nearest non-anonymous containing block,
+    // not the inline itself, to avoid having a positioned objects list in all RenderInlines
+    // and use RenderBlock* as RenderElement::containingBlock's return type.
+    // Use RenderBlock::container() to obtain the inline.
+    if (object && !is<RenderBlock>(*object))
+        object = object->containingBlock();
+
+    while (object && object->isAnonymousBlock())
+        object = object->containingBlock();
+
+    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
+}
+
+RenderBlock* containingBlockForObjectInFlow(const RenderElement* element)
+{
+    const auto* object = element;
+    while (object && ((object->isInline() && !object->isReplaced()) || !object->isRenderBlock()))
+        object = object->parent();
+    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
+}
+
+}

Modified: trunk/Source/WebCore/rendering/RenderElement.h (198700 => 198701)


--- trunk/Source/WebCore/rendering/RenderElement.h	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/rendering/RenderElement.h	2016-03-25 23:45:13 UTC (rev 198701)
@@ -71,10 +71,6 @@
     bool canContainFixedPositionObjects() const;
     bool canContainAbsolutelyPositionedObjects() const;
 
-    RenderBlock* containingBlockForFixedPosition() const;
-    RenderBlock* containingBlockForAbsolutePosition() const;
-    RenderBlock* containingBlockForObjectInFlow() const;
-
     Color selectionColor(int colorProperty) const;
     PassRefPtr<RenderStyle> selectionPseudoStyle() const;
 
@@ -495,6 +491,9 @@
     return adjustLayoutUnitForAbsoluteZoom(value, renderer.style());
 }
 
+RenderBlock* containingBlockForFixedPosition(const RenderElement*);
+RenderBlock* containingBlockForAbsolutePosition(const RenderElement*);
+RenderBlock* containingBlockForObjectInFlow(const RenderElement*);
 } // namespace WebCore
 
 SPECIALIZE_TYPE_TRAITS_RENDER_OBJECT(RenderElement, isRenderElement())
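Review bot: The three new declarations sit directly against `} // namespace WebCore` with no separating blank line, unlike the inline function that precedes them; add a blank line after `RenderBlock* containingBlockForObjectInFlow(const RenderElement*);` so the namespace close stays visually separate from the declarations. Naming the parameter in the declarations (`const RenderElement* element`) would also match the definitions in RenderElement.cpp.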

Modified: trunk/Source/WebCore/rendering/RenderInline.cpp (198700 => 198701)


--- trunk/Source/WebCore/rendering/RenderInline.cpp	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/rendering/RenderInline.cpp	2016-03-25 23:45:13 UTC (rev 198701)
@@ -171,7 +171,7 @@
     // Check if this inline can hold absolute positioned elmements even after the style change.
     if (canContainAbsolutelyPositionedObjects() && newStyle.position() == StaticPosition) {
         // RenderInlines forward their absolute positioned descendants to their (non-anonymous) containing block.
-        auto* container = containingBlockForAbsolutePosition();
+        auto* container = containingBlockForAbsolutePosition(this);
         if (container && !container->canContainAbsolutelyPositionedObjects())
             container->removePositionedObjects(nullptr, NewContainingBlock);
     }

Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (198700 => 198701)


--- trunk/Source/WebCore/rendering/RenderObject.cpp	2016-03-25 23:44:53 UTC (rev 198700)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp	2016-03-25 23:45:13 UTC (rev 198701)
@@ -706,15 +706,15 @@
 
     const RenderStyle& style = this->style();
     if (!is<RenderText>(*this) && style.position() == FixedPosition)
-        parent = parent->containingBlockForFixedPosition();
+        parent = containingBlockForFixedPosition(parent);
     else if (!is<RenderText>(*this) && style.position() == AbsolutePosition)
-        parent = parent->containingBlockForAbsolutePosition();
+        parent = containingBlockForAbsolutePosition(parent);
     else
-        parent = parent->containingBlockForObjectInFlow();
+        parent = containingBlockForObjectInFlow(parent);
 
-    if (!is<RenderBlock>(parent))
-        return nullptr; // This can still happen in case of an orphaned tree
-
+    // This can still happen in case of an detached tree
+    if (!parent)
+        return nullptr;
     return downcast<RenderBlock>(parent);
 }
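Review bot: The new comment `// This can still happen in case of an detached tree` has a grammar slip ("an detached") and does not say what "this" refers to; the condition it explains is that the `containingBlockFor*` helper returned nullptr because the ancestor walk ran out of parents. Suggest `// The containingBlockFor* helpers return nullptr when the ancestor walk leaves a detached tree.` Replacing the `is<RenderBlock>(parent)` test with a plain null check is sound here because all three helpers already return `RenderBlock*` (each ends in `downcast<RenderBlock>`), so the type check was redundant and the final `downcast<RenderBlock>(parent)` only asserts what the helpers guaranteed. `RenderObject::containingBlock` begins outside the hunk.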
 