Changeset 193773 in webkit

Timestamp:

Dec 8, 2015, 12:44:51 PM (10 years ago)

Author:

Alan Bujtas

Message:

Do not insert positioned renderers to multiple gPositionedDescendantsMap.
​https://bugs.webkit.org/show_bug.cgi?id=151878
rdar://problem/22229889

Reviewed by Simon Fraser.

We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
returns true for RenderElement::canContainAbsolutelyPositionedObjects().
canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
If this container's style changes so that it's no longer positioned and it has no transform anymore,
we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).

This patch addresses the case when the renderer does not have transforms anymore.

Source/WebCore:

Test: fast/block/positioning/crash-when-transform-is-removed.html

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::styleWillChange):

LayoutTests:

• fast/block/positioning/crash-when-transform-is-removed-expected.txt: Added.
• fast/block/positioning/crash-when-transform-is-removed.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/block/positioning/crash-when-transform-is-removed-expected.txt (added)
• LayoutTests/fast/block/positioning/crash-when-transform-is-removed.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-08  Zalan Bujtas  <zalan@apple.com>
+
+        Do not insert positioned renderers to multiple gPositionedDescendantsMap.
+        https://bugs.webkit.org/show_bug.cgi?id=151878
+        rdar://problem/22229889
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
+        returns true for RenderElement::canContainAbsolutelyPositionedObjects().
+        canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
+        If this container's style changes so that it's no longer positioned and it has no transform anymore,
+        we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).
+
+        This patch addresses the case when the renderer does not have transforms anymore.
+
+        * fast/block/positioning/crash-when-transform-is-removed-expected.txt: Added.
+        * fast/block/positioning/crash-when-transform-is-removed.html: Added.
+
 2015-12-08  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-12-08  Zalan Bujtas  <zalan@apple.com>
+
+        Do not insert positioned renderers to multiple gPositionedDescendantsMap.
+        https://bugs.webkit.org/show_bug.cgi?id=151878
+        rdar://problem/22229889
+
+        Reviewed by Simon Fraser.
+
+        We insert positioned renderers into a static map (RenderBlock::gPositionedDescendantsMap) to keep track of them.
+        This static map is at block level. A particular absolute positioned object is added to its closest ancestor that
+        returns true for RenderElement::canContainAbsolutelyPositionedObjects().
+        canContainAbsolutelyPositionedObjects() returns true if the ancestor is either positioned or has transform.
+        If this container's style changes so that it's no longer positioned and it has no transform anymore,
+        we need to clear its static map of positioned objects (they'll get re-inserted to another ancestor at next layout).
+
+        This patch addresses the case when the renderer does not have transforms anymore.
+
+        Test: fast/block/positioning/crash-when-transform-is-removed.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::styleWillChange):
+
 2015-12-08  Eric Carlson  <eric.carlson@apple.com>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -243 +243 @@
     setReplaced(newStyle.isDisplayInlineType());
 
+    if (oldStyle && oldStyle->hasTransformRelatedProperty() && !newStyle.hasTransformRelatedProperty())
+        removePositionedObjects(nullptr, NewContainingBlock);
+
     if (oldStyle && parent() && diff == StyleDifferenceLayout && oldStyle->position() != newStyle.position()) {
         if (newStyle.position() == StaticPosition)
             // Clear our positioned objects list. Our absolutely positioned descendants will be
             // inserted into our containing block's positioned objects list during layout.
-            removePositionedObjects(0, NewContainingBlock);
+            removePositionedObjects(nullptr, NewContainingBlock);
         else if (oldStyle->position() == StaticPosition) {
             // Remove our absolutely positioned descendants from their current containing block.