Title: [143507] branches/chromium/1364
- Revision
- 143507
- Author
- cev...@google.com
- Date
- 2013-02-20 14:24:20 -0800 (Wed, 20 Feb 2013)
Log Message
Merge 142922
BUG-170679
Review URL: https://codereview.chromium.org/12310023
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt (from rev 142922, trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt) (0 => 143507)
--- branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash-expected.txt 2013-02-20 22:24:20 UTC (rev 143507)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Copied: branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash.html (from rev 142922, trunk/LayoutTests/fast/multicol/remove-child-split-flow-crash.html) (0 => 143507)
--- branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash.html (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/multicol/remove-child-split-flow-crash.html 2013-02-20 22:24:20 UTC (rev 143507)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+.class1 { -webkit-column-span: all; }
+.class2 { -webkit-column-width: 1px; }
+.class3 { display: inline-block; }
+.class4 { section; -webkit-column-span: all; }
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function crash() {
+ i1 = document.createElement('i');
+ document.documentElement.appendChild(i1);
+ i2 = document.createElement('i');
+ i1.appendChild(i2);
+ div1 = document.createElement('div');
+ div2 = document.createElement('div');
+ div2.setAttribute('class', 'class3');
+ i3 = document.createElement('i');
+ div3 = document.createElement('div');
+ div3.setAttribute('class', 'class1');
+ div4 = document.createElement('div');
+ div4.setAttribute('class', 'class4');
+ i2.appendChild(div2);
+ div2.appendChild(div1);
+ div1.appendChild(div4);
+ document.documentElement.offsetTop;
+ div1.setAttribute('class', 'class2');
+ div4.appendChild(div3);
+ document.documentElement.offsetTop;
+ i3.appendChild(div3);
+}
+window._onload_ = crash;
+</script>
+</html>
\ No newline at end of file
Modified: branches/chromium/1364/Source/WebCore/rendering/RenderBlock.cpp (143506 => 143507)
--- branches/chromium/1364/Source/WebCore/rendering/RenderBlock.cpp 2013-02-20 22:16:55 UTC (rev 143506)
+++ branches/chromium/1364/Source/WebCore/rendering/RenderBlock.cpp 2013-02-20 22:24:20 UTC (rev 143507)
@@ -118,7 +118,7 @@
static int gDelayUpdateScrollInfo = 0;
static DelayedUpdateScrollInfoSet* gDelayedUpdateScrollInfoSet = 0;
-static bool gIsInColumnFlowSplit = false;
+static bool gColumnFlowSplitEnabled = true;
bool RenderBlock::s_canPropagateFloatIntoSibling = false;
@@ -832,10 +832,10 @@
beforeChild = beforeChild->nextSibling();
// Check for a spanning element in columns.
- if (!gIsInColumnFlowSplit) {
+ if (gColumnFlowSplitEnabled) {
RenderBlock* columnsBlockAncestor = columnsBlockForSpanningElement(newChild);
if (columnsBlockAncestor) {
- TemporaryChange<bool> isInColumnFlowSplit(gIsInColumnFlowSplit, true);
+ TemporaryChange<bool> columnFlowSplitEnabled(gColumnFlowSplitEnabled, false);
// We are placing a column-span element inside a block.
RenderBlock* newBox = createAnonymousColumnSpanBlock();
@@ -1143,6 +1143,9 @@
return;
}
+ // This protects against column split flows when anonymous blocks are getting merged.
+ TemporaryChange<bool> columnFlowSplitEnabled(gColumnFlowSplitEnabled, false);
+
// If this child is a block, and if our previous and next siblings are
// both anonymous blocks with inline content, then we can go ahead and
// fold the inline content back together.
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
