Google Git
Sign in
webkit / WebKit / d1e8363aac18ecbbe54746b71715a2b378bd3663^! / .
commitd1e8363aac18ecbbe54746b71715a2b378bd3663[log] [tgz]
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Dec 07 20:01:27 2011 +0000
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Dec 07 20:01:27 2011 +0000
tree0b1bcadd35c54dff605f799ae3ce22dcc7167d0b
parent19dcf6c3117b94085dee3b479ab5aa3ba4360744 [diff]
Crash from multicol spans with layers
https://bugs.webkit.org/show_bug.cgi?id=68030

Patch by Ken Buchanan <kenrb@chromium.org> on 2011-12-07
Reviewed by David Hyatt.

Source/WebCore:

The layer tree diverges from the render tree when a span is being split
between columns. This patch causes the layer tree to be updated when necessary.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::splitFlow)
(WebCore::RenderBlock::splitBlocks)

LayoutTests:

New test for fix to crash on bug 68030.

* fast/multicol/span/removal-of-multicol-span-crash-expected.txt: Added
* fast/multicol/span/removal-of-multicol-span-crash.html: Added

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@102263 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
old mode 100644
new mode 100755
index ff5cbab..7a5aa4b
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog

@@ -1,3 +1,15 @@
+2011-12-07  Ken Buchanan <kenrb@chromium.org>
+
+        Crash from multicol spans with layers
+        https://bugs.webkit.org/show_bug.cgi?id=68030
+
+        Reviewed by David Hyatt.
+
+        New test for fix to crash on bug 68030.
+
+        * fast/multicol/span/removal-of-multicol-span-crash-expected.txt: Added
+        * fast/multicol/span/removal-of-multicol-span-crash.html: Added
+
 2011-12-07  Alexey Proskuryakov  <ap@apple.com>
 
         Handling of !important in inline style sets is broken

diff --git a/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash-expected.txt b/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash-expected.txt
new file mode 100755
index 0000000..b3ead00
--- /dev/null
+++ b/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash-expected.txt

@@ -0,0 +1 @@
+PASS, if no exception or crash

diff --git a/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash.html b/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash.html
new file mode 100755
index 0000000..fca19f5
--- /dev/null
+++ b/LayoutTests/fast/multicol/span/removal-of-multicol-span-crash.html

@@ -0,0 +1,24 @@
+<style>
+body { -webkit-column-width: 0; }
+#container { position: relative; }
+.hardware:last-of-type { -webkit-column-span: all; }
+</style>
+
+<script>
+    function clear() {
+        document.documentElement.removeChild(document.body);
+        document.documentElement.innerHTML='PASS, if no exception or crash';
+        if (window.layoutTestController) {
+            layoutTestController.notifyDone();
+        }
+    }
+    setTimeout("clear();", 0);
+    if (window.layoutTestController) {
+        layoutTestController.waitUntilDone();
+        layoutTestController.dumpAsText();
+    }
+</script>
+<body>
+<div id="container">
+    <div class="hardware box">
+</body>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
old mode 100644
new mode 100755
index f720bba..3ce4060
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog

@@ -1,3 +1,17 @@
+2011-12-07  Ken Buchanan <kenrb@chromium.org>
+
+        Crash from multicol spans with layers
+        https://bugs.webkit.org/show_bug.cgi?id=68030
+
+        Reviewed by David Hyatt.
+
+        The layer tree diverges from the render tree when a span is being split
+        between columns. This patch causes the layer tree to be updated when necessary.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitFlow)
+        (WebCore::RenderBlock::splitBlocks)
+
 2011-12-07  Alexey Proskuryakov  <ap@apple.com>
 
         Handling of !important in inline style sets is broken

diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index 4c71440..10f9f7f 100755
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp

@@ -464,7 +464,7 @@
     // them from |this| and place them in the clone.
     if (!beforeChild && isAfterContent(lastChild()))
         beforeChild = lastChild();
-    moveChildrenTo(cloneBlock, beforeChild, 0);
+    moveChildrenTo(cloneBlock, beforeChild, 0, true);
     
     // Hook |clone| up as the continuation of the middle block.
     if (!cloneBlock->isAnonymousBlock())
@@ -506,8 +506,7 @@
 
         // Now we need to take all of the children starting from the first child
         // *after* currChild and append them all to the clone.
-        RenderObject* afterContent = isAfterContent(cloneBlock->lastChild()) ? cloneBlock->lastChild() : 0;
-        blockCurr->moveChildrenTo(cloneBlock, currChild->nextSibling(), 0, afterContent);
+        blockCurr->moveChildrenTo(cloneBlock, currChild->nextSibling(), 0, true);
 
         // Keep walking up the chain.
         currChild = curr;
@@ -519,7 +518,7 @@
 
     // Now take all the children after currChild and remove them from the fromBlock
     // and put them in the toBlock.
-    fromBlock->moveChildrenTo(toBlock, currChild->nextSibling(), 0);
+    fromBlock->moveChildrenTo(toBlock, currChild->nextSibling(), 0, true);
 }
 
 void RenderBlock::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox,
@@ -555,7 +554,7 @@
     block->setChildrenInline(false);
     
     if (madeNewBeforeBlock)
-        block->moveChildrenTo(pre, boxFirst, 0);
+        block->moveChildrenTo(pre, boxFirst, 0, true);
 
     splitBlocks(pre, post, newBlockBox, beforeChild, oldCont);