Crash in RenderObjectChildList::destroyLeftOverChildren()
https://bugs.webkit.org/show_bug.cgi?id=64753
Reviewed by James Robinson.
Source/WebCore:
If any of the ancestors between column span element and containing
column's block is a continuation, then don't attempt to render the
column span by splitting the block into continuations.
Test: fast/multicol/column-span-parent-continuation-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::columnsBlockForSpanningElement):
LayoutTests:
anonymous-split-block-crash rendering was already wrong. The fix prevents
the tree to go bad and hence does not do the column-span rendering. same issue
with clone-anonymous-block-non-inline-child-crash test.
* fast/multicol/column-span-parent-continuation-crash-expected.txt: Added.
* fast/multicol/column-span-parent-continuation-crash.html: Added.
* platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png:
* platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt:
* platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png:
* platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94541 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f31bed8..d888346 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,21 @@
+2011-09-05 Abhishek Arya <inferno@chromium.org>
+
+ Crash in RenderObjectChildList::destroyLeftOverChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=64753
+
+ Reviewed by James Robinson.
+
+ anonymous-split-block-crash rendering was already wrong. The fix prevents
+ the tree to go bad and hence does not do the column-span rendering. same issue
+ with clone-anonymous-block-non-inline-child-crash test.
+
+ * fast/multicol/column-span-parent-continuation-crash-expected.txt: Added.
+ * fast/multicol/column-span-parent-continuation-crash.html: Added.
+ * platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png:
+ * platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt:
+ * platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png:
+ * platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt:
+
2011-09-05 John Knottenbelt <jknotten@chromium.org>
Take pageScaleFactor into account for MouseRelatedEvents.
diff --git a/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt b/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt
new file mode 100644
index 0000000..7ef22e9
--- /dev/null
+++ b/LayoutTests/fast/multicol/column-span-parent-continuation-crash-expected.txt
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html b/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html
new file mode 100644
index 0000000..0d6a40d
--- /dev/null
+++ b/LayoutTests/fast/multicol/column-span-parent-continuation-crash.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="console"></div>
+<style>
+div { -webkit-column-count: 1; }
+h2 { -webkit-column-span: all; }
+</style>
+<script src="../js/resources/js-test-pre.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+ document.body.offsetTop;
+ child = document.getElementById('test');
+ child.parentNode.removeChild(child);
+ child = document.getElementById('anything');
+ gc();
+ document.body.innerHTML = "PASS";
+
+ var successfullyParsed = true;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+setTimeout("runTest()", 0);
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+<div>
+<span id="test"><h2></span>
+</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png b/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png
index c9224ea..1c31d2f 100644
--- a/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png
+++ b/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.png
Binary files differ
diff --git a/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt b/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt
index 6f39016..64210a4 100644
--- a/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt
+++ b/LayoutTests/platform/mac/fast/multicol/span/anonymous-split-block-crash-expected.txt
@@ -3,27 +3,26 @@
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,16) size 784x568
-layer at (8,16) size 784x184
- RenderBlock {DIV} at (0,0) size 784x184 [border: (5px solid #800000)]
- RenderBlock (anonymous multi-column span) at (5,113) size 774x66
- RenderBlock {H2} at (0,19) size 774x28 [bgcolor=#EEEEEE]
+layer at (8,16) size 784x151
+ RenderBlock {DIV} at (0,0) size 784x151 [border: (5px solid #800000)]
+ RenderBlock (anonymous) at (5,5) size 379x0
+ RenderInline {JUNK} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderBlock (anonymous) at (5,24) size 379x28
+ RenderBlock {H2} at (0,0) size 379x28 [bgcolor=#EEEEEE]
RenderText {#text} at (0,0) size 58x28
text run at (0,0) width 58: "PASS"
-layer at (13,21) size 774x108
- RenderBlock (anonymous multi-column) at (5,5) size 774x108
- RenderBlock (anonymous) at (0,0) size 379x198
- RenderInline {JUNK} at (0,0) size 369x198
- RenderText {#text} at (0,0) size 0x0
- RenderText {#text} at (0,0) size 369x198
+ RenderBlock (anonymous) at (5,71) size 379x201
+ RenderInline {JUNK} at (0,0) size 369x201
+ RenderText {#text} at (0,0) size 369x201
text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
text run at (0,54) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
- text run at (0,72) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
- text run at (0,90) width 318: "nonummy enim. Nullam bibendum lobortis neque."
- text run at (0,108) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
- text run at (0,126) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
- text run at (0,144) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
- text run at (0,162) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
- text run at (0,180) width 211: "amet, consectetuer adipiscing elit."
- RenderBlock (anonymous) at (0,198) size 379x0
+ text run at (0,75) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
+ text run at (0,93) width 318: "nonummy enim. Nullam bibendum lobortis neque."
+ text run at (0,111) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
+ text run at (0,129) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
+ text run at (0,147) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
+ text run at (0,165) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
+ text run at (0,183) width 211: "amet, consectetuer adipiscing elit."
diff --git a/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png b/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png
index 51e2cbf..eafc833 100644
--- a/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png
+++ b/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.png
Binary files differ
diff --git a/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt b/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt
index 902bc07..bfe98ea 100644
--- a/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt
+++ b/LayoutTests/platform/mac/fast/multicol/span/clone-anonymous-block-non-inline-child-crash-expected.txt
@@ -3,37 +3,32 @@
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,16) size 784x568
-layer at (8,16) size 784x202
- RenderBlock {DIV} at (0,0) size 784x202 [border: (5px solid #800000)]
- RenderBlock (anonymous multi-column span) at (5,23) size 774x66
- RenderBlock {H2} at (0,19) size 774x28 [bgcolor=#EEEEEE]
- RenderText {#text} at (0,0) size 58x28
- text run at (0,0) width 58: "PASS"
-layer at (13,21) size 774x18
- RenderBlock (anonymous multi-column) at (5,5) size 774x18
- RenderBlock (anonymous) at (0,0) size 379x18
+layer at (8,16) size 784x169
+ RenderBlock {DIV} at (0,0) size 784x169 [border: (5px solid #800000)]
+ RenderBlock (anonymous) at (5,5) size 379x18
RenderInline {LABEL} at (0,0) size 102x18
RenderText {#text} at (0,0) size 102x18
text run at (0,0) width 102: "Some inline text"
- RenderBlock (anonymous) at (0,18) size 379x18
- RenderSummary {SUMMARY} at (0,0) size 379x18
- RenderText {#text} at (0,0) size 102x18
- text run at (0,0) width 102: "Some block text"
-layer at (13,105) size 774x108
- RenderBlock (anonymous multi-column) at (5,89) size 774x108
- RenderBlock (anonymous) at (0,0) size 379x198
- RenderBlock {SUMMARY} at (0,0) size 379x198
- RenderText {#text} at (0,0) size 369x198
- text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
- text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
- text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
- text run at (0,54) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
- text run at (0,72) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
- text run at (0,90) width 318: "nonummy enim. Nullam bibendum lobortis neque."
- text run at (0,108) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
- text run at (0,126) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
- text run at (0,144) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
- text run at (0,162) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
- text run at (0,180) width 211: "amet, consectetuer adipiscing elit."
- RenderBlock (anonymous) at (0,198) size 379x0
+ RenderBlock (anonymous) at (5,23) size 379x285
+ RenderSummary {SUMMARY} at (0,0) size 379x285
+ RenderBlock (anonymous) at (0,0) size 379x18
+ RenderText {#text} at (0,0) size 102x18
+ text run at (0,0) width 102: "Some block text"
+ RenderBlock {H2} at (0,37) size 379x28 [bgcolor=#EEEEEE]
+ RenderText {#text} at (0,0) size 58x28
+ text run at (0,0) width 58: "PASS"
+ RenderBlock (anonymous) at (0,84) size 379x201
+ RenderText {#text} at (0,0) size 369x201
+ text run at (0,0) width 354: "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
+ text run at (0,18) width 351: "Nulla varius enim ac mi. Curabitur sollicitudin felis quis"
+ text run at (0,36) width 368: "lectus. Quisque adipiscing rhoncus sem. Proin nulla purus,"
+ text run at (0,57) width 368: "vulputate vel, varius ut, euismod et, nisi. Sed vitae felis vel"
+ text run at (0,75) width 358: "orci sagittis aliquam. Cras convallis adipiscing sem. Nam"
+ text run at (0,93) width 318: "nonummy enim. Nullam bibendum lobortis neque."
+ text run at (0,111) width 332: "Vestibulum velit orci, tempus euismod, pretium quis,"
+ text run at (0,129) width 309: "interdum vitae, nulla. Phasellus eget ante et tortor"
+ text run at (0,147) width 369: "condimentum vestibulum. Suspendisse hendrerit quam nec"
+ text run at (0,165) width 354: "felis. Sed varius turpis vitae pede. Lorem ipsum dolor sit"
+ text run at (0,183) width 211: "amet, consectetuer adipiscing elit."
+ RenderBlock (anonymous) at (5,308) size 379x0
RenderInline {LABEL} at (0,0) size 0x0
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index b07fe77..97e1049 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2011-09-05 Abhishek Arya <inferno@chromium.org>
+
+ Crash in RenderObjectChildList::destroyLeftOverChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=64753
+
+ Reviewed by James Robinson.
+
+ If any of the ancestors between column span element and containing
+ column's block is a continuation, then don't attempt to render the
+ column span by splitting the block into continuations.
+
+ Test: fast/multicol/column-span-parent-continuation-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::columnsBlockForSpanningElement):
+
2011-09-05 Sheriff Bot <webkit.review.bot@gmail.com>
Unreviewed, rolling out r94537.
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index bbdbecf..9ef619e 100644
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -659,8 +659,22 @@
&& !newChild->isInline() && !isAnonymousColumnSpanBlock()) {
if (style()->specifiesColumns())
columnsBlockAncestor = this;
- else if (!isInline() && parent() && parent()->isRenderBlock())
+ else if (!isInline() && parent() && parent()->isRenderBlock()) {
columnsBlockAncestor = toRenderBlock(parent())->containingColumnsBlock(false);
+
+ if (columnsBlockAncestor) {
+ // Make sure that none of the parent ancestors have a continuation.
+ // If yes, we do not want split the block into continuations.
+ RenderObject* curr = this;
+ while (curr && curr != columnsBlockAncestor) {
+ if (curr->isRenderBlock() && toRenderBlock(curr)->continuation()) {
+ columnsBlockAncestor = 0;
+ break;
+ }
+ curr = curr->parent();
+ }
+ }
+ }
}
return columnsBlockAncestor;
}
