Title: [105769] trunk
Revision
105769
Author
[email protected]
Date
2012-01-24 12:04:52 -0800 (Tue, 24 Jan 2012)

Log Message

Crash when rendering -webkit-column-span.
https://bugs.webkit.org/show_bug.cgi?id=73265

Reviewed by David Hyatt.

Source/WebCore: 

This patch addresses 2 problems causing crashes in multi-column layout
1. Trying to render -webkit-column-span for :before, :after caused
   re-entrancy in updateBeforeAfterContent while working on splitFlow.
2. Cloning a block which has its :before, :after content not added yet,
   caused issues because cloneBlock will definitely have its :before,
   :after content created when setStyle() is called. So, we would
   overwrite cloneBlock with a wrong childrenInline value.

Tests: fast/multicol/clone-block-children-inline-mismatch-crash.html
       fast/multicol/span/generated-child-split-flow-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::clone):
(WebCore::RenderBlock::columnsBlockForSpanningElement):

LayoutTests: 

* fast/multicol/clone-block-children-inline-mismatch-crash-expected.txt: Added.
* fast/multicol/clone-block-children-inline-mismatch-crash.html: Added.
* fast/multicol/span/generated-child-split-flow-crash.html: Added.
* platform/mac-snowleopard/fast/multicol/span: Added.
* platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.png: Added.
* platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (105768 => 105769)


--- trunk/LayoutTests/ChangeLog	2012-01-24 19:52:10 UTC (rev 105768)
+++ trunk/LayoutTests/ChangeLog	2012-01-24 20:04:52 UTC (rev 105769)
@@ -1,3 +1,17 @@
+2012-01-24  Abhishek Arya  <[email protected]>
+
+        Crash when rendering -webkit-column-span.
+        https://bugs.webkit.org/show_bug.cgi?id=73265
+
+        Reviewed by David Hyatt.
+
+        * fast/multicol/clone-block-children-inline-mismatch-crash-expected.txt: Added.
+        * fast/multicol/clone-block-children-inline-mismatch-crash.html: Added.
+        * fast/multicol/span/generated-child-split-flow-crash.html: Added.
+        * platform/mac-snowleopard/fast/multicol/span: Added.
+        * platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.png: Added.
+        * platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.txt: Added.
+
 2012-01-22  Robert Hogan  <[email protected]>
 
         Incorrect positioning of floating pseudo-elements in table captions

Added: trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash-expected.txt (0 => 105769)


--- trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash-expected.txt	2012-01-24 20:04:52 UTC (rev 105769)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash.html (0 => 105769)


--- trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/clone-block-children-inline-mismatch-crash.html	2012-01-24 20:04:52 UTC (rev 105769)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+#div1 { -webkit-column-count: 2; }
+#q1 { display: block; }
+#q1::before { display: table-row; }
+#div2 { -webkit-column-span: all; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest() 
+{
+    div1 = document.createElement('div');
+    div1.setAttribute('id', 'div1'); 
+    document.body.appendChild(div1); 
+    q1 = document.createElement('q'); 
+    q1.setAttribute('id', 'q1');
+    div1.appendChild(q1);
+    div2 = document.createElement('div');
+    div2.setAttribute('id', 'div2'); 
+    q1.appendChild(div2); 
+}
+
+window._onload_ = runTest;
+</script>
+</html>
\ No newline at end of file
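Review bot: `window._onload_ = runTest;` on the last script line would never fire, since the load-handler property is `window.onload`; as written the page passes trivially without ever appending the `-webkit-column-span: all` child. This is most likely the mailing-list renderer rewriting `onload`, but the committed file should be checked to read `window.onload = runTest;`. Minor: `div1`, `q1` and `div2` are assigned without `var` and leak as globals, and the file lacks a trailing newline.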

Added: trunk/LayoutTests/fast/multicol/span/generated-child-split-flow-crash.html (0 => 105769)


--- trunk/LayoutTests/fast/multicol/span/generated-child-split-flow-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/generated-child-split-flow-crash.html	2012-01-24 20:04:52 UTC (rev 105769)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html style="font-family: ahem; -webkit-font-smoothing: none;">
+<style>
+    #div1 { 
+        -webkit-column-count: 2;
+    }
+    #span1:after 
+    {
+        display: block;
+        content: counter(c);
+        color: green;
+        -webkit-column-span: all;
+    }
+</style>
+<div id="div1">
+A<span id="span1" style="color: blue">B</span>C
+</div>
+<script>
+function runTest()
+{
+    span1 = document.getElementById('span1');
+    span1.style.display = 'block';
+    document.body.offsetTop;
+    document.body.style.zoom = 2;
+}
+
+window._onload_ = runTest;
+</script>
+</html>
\ No newline at end of file
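Review bot: same `window._onload_` spelling as in the previous test. Here the platform expectation (RenderBlock {SPAN} with a generated child) can only be produced if `runTest` actually ran and set `display: block` on the span, so the underscores are almost certainly a rendering artifact of this mail rather than the committed source; still worth confirming before landing further copies of the pattern. Style: the brace placement differs between `#div1 {` and `#span1:after` (brace on its own line); pick one. The missing trailing newline should also be fixed.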

Added: trunk/LayoutTests/platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.png


(Binary files differ)
Property changes on: trunk/LayoutTests/platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.png ___________________________________________________________________

Added: svn:mime-type

Added: trunk/LayoutTests/platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.txt (0 => 105769)


--- trunk/LayoutTests/platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/mac-snowleopard/fast/multicol/span/generated-child-split-flow-crash-expected.txt	2012-01-24 20:04:52 UTC (rev 105769)
@@ -0,0 +1,20 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x96
+  RenderBlock {HTML} at (0,0) size 800x96
+    RenderBody {BODY} at (16,16) size 768x64
+layer at (16,16) size 768x64
+  RenderBlock {DIV} at (0,0) size 768x64
+    RenderBlock (anonymous) at (0,0) size 368x32
+      RenderText {#text} at (0,0) size 32x32
+        text run at (0,0) width 32: "A"
+    RenderBlock {SPAN} at (0,32) size 368x64 [color=#0000FF]
+      RenderBlock (anonymous) at (0,0) size 368x32
+        RenderText {#text} at (0,0) size 32x32
+          text run at (0,0) width 32: "B"
+      RenderBlock (generated) at (0,32) size 368x32 [color=#008000]
+        RenderCounter at (0,0) size 32x32
+          text run at (0,0) width 32: "0"
+    RenderBlock (anonymous) at (0,96) size 368x32
+      RenderText {#text} at (0,0) size 32x32
+        text run at (0,0) width 32: "C"
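Review bot: the text expectation is landed only under platform/mac-snowleopard, so every other port will fail this test with a missing result until it adds its own. Since the render-tree dump is not inherently platform specific, consider placing generated-child-split-flow-crash-expected.txt beside the test in fast/multicol/span/ and keeping only the .png platform-specific. The dump also makes the behaviour change of the RenderBlock.cpp hunk visible: `RenderBlock (generated) at (0,32) size 368x32` is confined to one column width rather than spanning both, which matches the new `isBeforeOrAfterContent()` exclusion.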

Modified: trunk/Source/WebCore/ChangeLog (105768 => 105769)


--- trunk/Source/WebCore/ChangeLog	2012-01-24 19:52:10 UTC (rev 105768)
+++ trunk/Source/WebCore/ChangeLog	2012-01-24 20:04:52 UTC (rev 105769)
@@ -1,3 +1,25 @@
+2012-01-24  Abhishek Arya  <[email protected]>
+
+        Crash when rendering -webkit-column-span.
+        https://bugs.webkit.org/show_bug.cgi?id=73265
+
+        Reviewed by David Hyatt.
+
+        This patch addresses 2 problems causing crashes in multi-column layout
+        1. Trying to render -webkit-column-span for :before, :after caused
+           re-entrancy in updateBeforeAfterContent while working on splitFlow.
+        2. Cloning a block which has its :before, :after content not added yet,
+           caused issues because cloneBlock will definitely have its :before,
+           :after content created when setStyle() is called. So, we would
+           overwrite cloneBlock with a wrong childrenInline value.
+
+        Tests: fast/multicol/clone-block-children-inline-mismatch-crash.html
+               fast/multicol/span/generated-child-split-flow-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::clone):
+        (WebCore::RenderBlock::columnsBlockForSpanningElement):
+
 2012-01-22  Robert Hogan  <[email protected]>
 
         Incorrect positioning of floating pseudo-elements in table captions
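Review bot: the per-function lines `(WebCore::RenderBlock::clone):` and `(WebCore::RenderBlock::columnsBlockForSpanningElement):` carry no description; WebKit ChangeLog convention is to say, next to each function, what changed in it (for example that clone() now re-wraps inline generated children and that columnsBlockForSpanningElement() now skips :before/:after content). The prose above explains the why well, but the how is only recoverable from the diff.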

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (105768 => 105769)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-01-24 19:52:10 UTC (rev 105768)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-01-24 20:04:52 UTC (rev 105769)
@@ -452,6 +452,8 @@
     else {
         cloneBlock = new (renderArena()) RenderBlock(node());
         cloneBlock->setStyle(style());
+        if (!childrenInline() && cloneBlock->firstChild() && cloneBlock->firstChild()->isInline())
+            cloneBlock->makeChildrenNonInline();
     }
     cloneBlock->setChildrenInline(childrenInline());
     return cloneBlock;
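Review bot: the new check only repairs one direction of the mismatch. It handles `!childrenInline()` with an inline generated child by calling `makeChildrenNonInline()`, but the unconditional `cloneBlock->setChildrenInline(childrenInline())` on the next line still applies when `childrenInline()` is true and `setStyle()` created a block-level :before/:after child (a pseudo-element with `display: block` or `display: table-row`, as in the new tests). If that case is reachable it is left inconsistent after this hunk; if it is not, an ASSERT documenting why would make the invariant explicit. A one-line comment stating that `setStyle()` has already instantiated generated content on the clone would also spare the next reader a trip to the bug.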
@@ -665,8 +667,8 @@
     // cross the streams and have to cope with both types of continuations mixed together).
     // This function currently supports (1) and (2).
     RenderBlock* columnsBlockAncestor = 0;
-    if (!newChild->isText() && newChild->style()->columnSpan() && !newChild->isFloatingOrPositioned()
-        && !newChild->isInline() && !isAnonymousColumnSpanBlock()) {
+    if (!newChild->isText() && newChild->style()->columnSpan() && !newChild->isBeforeOrAfterContent()
+        && !newChild->isFloatingOrPositioned() && !newChild->isInline() && !isAnonymousColumnSpanBlock()) {
         if (style()->specifiesColumns())
             columnsBlockAncestor = this;
         else if (!isInline() && parent() && parent()->isRenderBlock()) {
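Review bot: the added `!newChild->isBeforeOrAfterContent()` term silently disables column spanning for generated content, and nothing at the condition says why; a comment pointing at the re-entrancy into updateBeforeAfterContent during splitFlow (as described in the ChangeLog) would stop someone from "fixing" it back. Because this is a visible behaviour change rather than only a crash fix (`:after { -webkit-column-span: all }` no longer spans, which the new expected.txt shows), a FIXME or bug reference noting whether spanning generated content should be supported later is warranted. Style: the predicate now spans two lines with six terms; hoisting it into a small named helper would make both the intent and future additions clearer.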
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
