Title: [104183] trunk
- Revision: 104183
- Author: [email protected]
- Date: 2012-01-05 11:24:49 -0800 (Thu, 05 Jan 2012)
Log Message
Source/WebCore: Crash due to reparenting of relpositioned object under anonymous block
https://bugs.webkit.org/show_bug.cgi?id=70848
The associated test case creates a condition where a relative
positioned renderer is a descendant of an anonymous block for a
table column. The anonymous block is the containingBlock() for the
relpositioned renderer. Removal of a div causes the anonymous blocks to
be merged, and the renderer becomes a descendant of a different block.
Since the new containingBlock() has an empty positionedObject list,
the relpositioned renderer does not get layout after being dirtied.
This patch changes containingBlock() so that it returns the container
of an anonymous block for positioned objects, not the anonymous
block itself. It also adds an ASSERT to insertPositionedObject()
to flag any other cases where something is trying to create a
positioned object list on an anonymous block.
Patch by Ken Buchanan <[email protected]> on 2012-01-05
Reviewed by David Hyatt.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::insertPositionedObject):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::containingBlock):
LayoutTests: Crash due to reparenting of relpositioned object in table
https://bugs.webkit.org/show_bug.cgi?id=70848
Adding test that exercises the crash condition in bug 70848.
Patch by Ken Buchanan <[email protected]> on 2012-01-05
Reviewed by David Hyatt.
* fast/css/relative-position-replaced-in-table-display-crash-expected.txt: Added
* fast/css/relative-position-replaced-in-table-display-crash.html: Added
Diff
Modified: trunk/LayoutTests/ChangeLog (104182 => 104183)
--- trunk/LayoutTests/ChangeLog 2012-01-05 19:15:28 UTC (rev 104182)
+++ trunk/LayoutTests/ChangeLog 2012-01-05 19:24:49 UTC (rev 104183)
@@ -1,3 +1,15 @@
+2012-01-05 Ken Buchanan <[email protected]>
+
+ Crash due to reparenting of relpositioned object in table
+ https://bugs.webkit.org/show_bug.cgi?id=70848
+
+ Adding test that exercises the crash condition in bug 70848.
+
+ Reviewed by David Hyatt.
+
+ * fast/css/relative-position-replaced-in-table-display-crash-expected.txt: Added
+ * fast/css/relative-position-replaced-in-table-display-crash.html: Added
+
2012-01-05 Dmitry Lomov <[email protected]>
Unreviewed: filed WK75633 and updated expectations
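Review bot: The Property changes block that follows this hunk sets svn:executable on trunk/LayoutTests/ChangeLog, and this revision adds the same property to trunk/Source/WebCore/ChangeLog and to both new files under fast/css/. None of these are executables, so the property looks like an accident of how the files were added rather than something intended; suggest removing it from all four paths (svn propdel svn:executable) before landing. The ChangeLog entry itself is consistent with the two test files added below.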
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash-expected.txt (0 => 104183)
--- trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash-expected.txt 2012-01-05 19:24:49 UTC (rev 104183)
@@ -0,0 +1,2 @@
+PASS, if no exception or crash in debug
+
Property changes on: trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash-expected.txt
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash.html (0 => 104183)
--- trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash.html 2012-01-05 19:24:49 UTC (rev 104183)
@@ -0,0 +1,32 @@
+<html>
+<style type="text/css">
+.firstDivStyle + .secondDivStyle { display: table-footer-group; }
+.rubyStyle { position: relative; }
+.secondDivStyle { -webkit-appearance: button; }
+.posAbsolute { position: absolute; }
+</style>
+<script type="text/_javascript_">
+function dumpTest() {
+ layoutTestController.notifyDone();
+}
+function runTest() {
+ document.getElementById('ruby').innerHTML = '<audio controls="controls" id="aud" src="" class="posAbsolute"></audio>';
+ height = document.body.clientHeight; // Force layout
+ document.body.removeChild(document.getElementById('remove')); // Cause anonymous blocks containing 'secondDivStyle' and 'ruby' to be merged
+ document.getElementById('aud').style.color = "blue"; // Force style recalc
+ setTimeout('dumpTest()', 10);
+ if (window.layoutTestController) {
+ layoutTestController.waitUntilDone();
+ layoutTestController.dumpAsText();
+ }
+}
+window._onload_ = runTest;
+</script>
+<body>
+PASS, if no exception or crash in debug
+ <div class="firstDivStyle"></div>
+ <div class="secondDivStyle"></div>
+ <div id="remove"></div>
+ <ruby id="ruby" class="rubyStyle"></ruby>
+</body>
+</html>
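Review bot: dumpTest() calls layoutTestController.notifyDone() unguarded, while runTest() checks `if (window.layoutTestController)` before its other harness calls; opened outside DumpRenderTree, the timer fires a ReferenceError, which contradicts the "PASS, if no exception" text in the body. Suggest mirroring the guard: `if (window.layoutTestController) layoutTestController.notifyDone();`. Two smaller points in the same script: waitUntilDone() and dumpAsText() are invoked after the DOM mutation and after the timeout is scheduled, and the usual order is to arm the harness at the top of runTest() before the test body runs; and `height = document.body.clientHeight;` assigns without `var`, creating a global. As displayed, the script type reads `text/_javascript_` and the handler `window._onload_`; if the underscores are only an artifact of the archive rendering this is fine, but the checked-in file must read `text/javascript` and `window.onload`, otherwise the test body never executes and the test passes vacuously.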
Property changes on: trunk/LayoutTests/fast/css/relative-position-replaced-in-table-display-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (104182 => 104183)
--- trunk/Source/WebCore/ChangeLog 2012-01-05 19:15:28 UTC (rev 104182)
+++ trunk/Source/WebCore/ChangeLog 2012-01-05 19:24:49 UTC (rev 104183)
@@ -1,3 +1,29 @@
+2012-01-05 Ken Buchanan <[email protected]>
+
+ Crash due to reparenting of relpositioned object under anonymous block
+ https://bugs.webkit.org/show_bug.cgi?id=70848
+
+ The associated test case creates a condition where a relative
+ positioned renderer is a descendant of an anonymous block for a
+ table column. The anonymous block is the containingBlock() for the
+ relpositioned renderer. Removal of a div causes the anonymous blocks to
+ be merged, and the renderer becomes a descendant of a different block.
+ Since the new containingBlock() has an empty positionedObject list,
+ the relpositioned renderer does not get layout after being dirtied.
+
+ This patch changes containingBlock() so that it returns the container
+ of an anonymous block for positioned objects, not the anonymous
+ block itself. It also adds an ASSERT to insertPositionedObject()
+ to flag any other cases where something is trying to create a
+ positioned object list on an anonymous block.
+
+ Reviewed by David Hyatt.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::insertPositionedObject):
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::containingBlock):
+
2012-01-05 Jian Li <[email protected]>
FileReader needs addEventListener
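Review bot: The sentence "changes containingBlock() so that it returns the container of an anonymous block for positioned objects" is broader than the code in the RenderObject.cpp hunk below, which only skips anonymous blocks on the path taken for an absolutely positioned renderer whose nearest positioned ancestor is a relpositioned inline; a relpositioned block that sits inside an anonymous block still gets that anonymous block as its containingBlock(). Suggest stating the scope precisely, e.g. "for absolutely positioned objects whose containing block is determined by a relpositioned inline", so a later reader does not assume the general case is covered.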
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (104182 => 104183)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-01-05 19:15:28 UTC (rev 104182)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-01-05 19:24:49 UTC (rev 104183)
@@ -3230,6 +3230,8 @@
void RenderBlock::insertPositionedObject(RenderBox* o)
{
+ ASSERT(!isAnonymousBlock());
+
if (o->isRenderFlowThread())
return;
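Review bot: ASSERT(!isAnonymousBlock()) is compiled out in release builds, so a caller that reaches insertPositionedObject() on an anonymous block in shipping code will still create the positioned-objects list that the ChangeLog identifies as the source of the stale-layout crash; consider whether release builds should also refuse (early return, or redirecting to the non-anonymous containing block) rather than rely on the debug check alone. A one-line comment above the ASSERT stating why anonymous blocks must never own positioned objects (they get merged during tree mutation, so the list is lost) would help the next reader. Placing the check before the isRenderFlowThread() early return is fine, since the invariant applies regardless of which object is being inserted.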
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (104182 => 104183)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2012-01-05 19:15:28 UTC (rev 104182)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2012-01-05 19:24:49 UTC (rev 104183)
@@ -710,13 +710,17 @@
o = o->parent();
} else if (!isText() && m_style->position() == AbsolutePosition) {
while (o && (o->style()->position() == StaticPosition || (o->isInline() && !o->isReplaced())) && !o->isRenderView() && !(o->hasTransform() && o->isRenderBlock())) {
- // For relpositioned inlines, we return the nearest enclosing block. We don't try
+ // For relpositioned inlines, we return the nearest non-anonymous enclosing block. We don't try
// to return the inline itself. This allows us to avoid having a positioned objects
// list in all RenderInlines and lets us return a strongly-typed RenderBlock* result
// from this method. The container() method can actually be used to obtain the
// inline directly.
- if (o->style()->position() == RelativePosition && o->isInline() && !o->isReplaced())
- return o->containingBlock();
+ if (o->style()->position() == RelativePosition && o->isInline() && !o->isReplaced()) {
+ RenderBlock* relPositionedInlineContainingBlock = o->containingBlock();
+ while (relPositionedInlineContainingBlock->isAnonymousBlock())
+ relPositionedInlineContainingBlock = relPositionedInlineContainingBlock->containingBlock();
+ return relPositionedInlineContainingBlock;
+ }
#if ENABLE(SVG)
if (o->isSVGForeignObject()) //foreignObject is the containing block for contents inside it
break;
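Review bot: The new loop dereferences relPositionedInlineContainingBlock without a null check: `while (relPositionedInlineContainingBlock->isAnonymousBlock())`. If containingBlock() can return 0 for any renderer on this path (for example during tree teardown, where the previous code would simply have handed that 0 back to the caller), the loop now crashes on the null pointer instead. Suggest `while (relPositionedInlineContainingBlock && relPositionedInlineContainingBlock->isAnonymousBlock())`, keeping the return value identical to the old code in that case. The updated comment ("nearest non-anonymous enclosing block") describes the new behaviour accurately; it could also mention that this is what keeps the new RenderBlock::insertPositionedObject() assertion from firing, since that is the invariant the two hunks establish together.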
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes