Context Navigation

← Previous Changeset
Next Changeset →

Changeset 230434 in webkit

Timestamp:

Apr 9, 2018 8:47:10 AM (6 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r230313 - Folding anonymous blocks should not result in deleting content.
https://bugs.webkit.org/show_bug.cgi?id=184339
<rdar://problem/37327428>

Reviewed by Antti Koivisto.

Source/WebCore:

While folding multiple anonymous blocks (moving the children from next sibling over to previous sibling)
we should ensure that the block we are about to destroy does not gain new descendants.
In case of 4 sibling anonymous blocks (A B C D), while destroying B

we move C's children to A and destroy C.
While destroying C, we notice B and C as sibling anonymous blocks and we move

D's children over to B (even though B is going to be destroyed as we climb back on the stack).

In this patch, B is detached from the tree before we start moving renderers around so that a subsequent folding won't
find B anymore as a candidate.

Test: fast/block/crash-while-folding-anonymous-blocks.html

rendering/updating/RenderTreeBuilderBlock.cpp:

(WebCore::RenderTreeBuilder::Block::detach):

LayoutTests:

fast/block/crash-when-subtree-is-still-attached-expected.txt: Progressing. This test does not

intend to remove "foobar" text at all.

fast/block/crash-while-folding-anonymous-blocks-expected.txt: Added.
fast/block/crash-while-folding-anonymous-blocks.html: Added.

Location:

releases/WebKitGTK/webkit-2.20

Files:

: 2 added
: 4 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/block/crash-when-subtree-is-still-attached-expected.txt (modified) (1 diff)
LayoutTests/fast/block/crash-while-folding-anonymous-blocks-expected.txt (added)
LayoutTests/fast/block/crash-while-folding-anonymous-blocks.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog

-                      r230417
+                      r230434
+-04-05  Zalan Bujtas  <zalan@apple.com>
+        Folding anonymous blocks should not result in deleting content.
+        https://bugs.webkit.org/show_bug.cgi?id=184339
+        <rdar://problem/37327428>
+        Reviewed by Antti Koivisto.
+        * fast/block/crash-when-subtree-is-still-attached-expected.txt: Progressing. This test does not
+        intend to remove "foobar" text at all.
+        * fast/block/crash-while-folding-anonymous-blocks-expected.txt: Added.
+        * fast/block/crash-while-folding-anonymous-blocks.html: Added.
 -03-27  Fujii Hironori  <Hironori.Fujii@sony.com>

releases/WebKitGTK/webkit-2.20/LayoutTests/fast/block/crash-when-subtree-is-still-attached-expected.txt

r228803	r230434
1	1	PASS if
2	2	no crash.
	3	foobar
3	4

releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog

-                      r230427
+                      r230434
+-04-05  Zalan Bujtas  <zalan@apple.com>
+        Folding anonymous blocks should not result in deleting content.
+        https://bugs.webkit.org/show_bug.cgi?id=184339
+        <rdar://problem/37327428>
+        Reviewed by Antti Koivisto.
+        While folding multiple anonymous blocks (moving the children from next sibling over to previous sibling)
+        we should ensure that the block we are about to destroy does not gain new descendants.
+        In case of 4 sibling anonymous blocks (A B C D), while destroying B
+. we move C's children to A and destroy C.
+. While destroying C, we notice B and C as sibling anonymous blocks and we move
+        D's children over to B (even though B is going to be destroyed as we climb back on the stack).
+        In this patch, B is detached from the tree before we start moving renderers around so that a subsequent folding won't
+        find B anymore as a candidate.
+        Test: fast/block/crash-while-folding-anonymous-blocks.html
+        * rendering/updating/RenderTreeBuilderBlock.cpp:
+        (WebCore::RenderTreeBuilder::Block::detach):
 -04-03  Chris Dumez  <cdumez@apple.com>

releases/WebKitGTK/webkit-2.20/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp

-                      r229225
+                      r230434
     // If this child is a block, and if our previous and next siblings are both anonymous blocks
     // with inline content, then we can fold the inline content back together.
+    RenderObject* prev = oldChild.previousSibling();
+    RenderObject* next = oldChild.nextSibling();
+    bool canMergeAnonymousBlocks = canMergeContiguousAnonymousBlocks(oldChild, prev, next);
+    auto prev = makeWeakPtr(oldChild.previousSibling());
+    auto next = makeWeakPtr(oldChild.nextSibling());
+    bool canMergeAnonymousBlocks = canMergeContiguousAnonymousBlocks(oldChild, prev.get(), next.get());
+    parent.invalidateLineLayoutPath();
+    auto takenChild = m_builder.detachFromRenderElement(parent, oldChild);
     if (canMergeAnonymousBlocks && prev && next) {
         prev->setNeedsLayoutAndPrefWidthsRecalc();
 …
             nextBlock.deleteLines();
             m_builder.destroy(nextBlock);
+            next = nullptr;
+        }
+    }
+    parent.invalidateLineLayoutPath();
+    auto takenChild = m_builder.detachFromRenderElement(parent, oldChild);
+    RenderObject* child = prev ? prev : next;
+        }
+    }
+    RenderObject* child = prev ? prev.get() : next.get();
     if (canMergeAnonymousBlocks && child && !child->previousSibling() && !child->nextSibling() && parent.canDropAnonymousBlockChild()) {
         // The removal has knocked us down to containing only a single anonymous

Note: See TracChangeset for help on using the changeset viewer.