Changeset 109142 in webkit

Timestamp:

Feb 28, 2012 1:00:02 PM (12 years ago)

Author:

inferno@chromium.org

Message:

Crash due to accessing removed continuation in multi-column layout.
​https://bugs.webkit.org/show_bug.cgi?id=78417

Reviewed by David Hyatt.

Source/WebCore:

This patch addresses two problems:

1. Run-in block got split due to addition of a column-span child.

The clone part was incorrectly intruding into the sibling block,
even when it was part of the continuation chain.

2. Like r73296, we don't need to set continuation on an

anonymous block since we haven't split a real element.

Test: fast/multicol/span/runin-continuation-crash.html

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
(WebCore::RenderBlock::handleRunInChild):

LayoutTests:

• fast/multicol/span/runin-continuation-crash-expected.txt: Added.
• fast/multicol/span/runin-continuation-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/multicol/span/runin-continuation-crash-expected.txt (added)
• LayoutTests/fast/multicol/span/runin-continuation-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-28  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed continuation in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=78417
+
+        Reviewed by David Hyatt.
+
+        * fast/multicol/span/runin-continuation-crash-expected.txt: Added.
+        * fast/multicol/span/runin-continuation-crash.html: Added.
+
 2012-02-28  Abhishek Arya  <inferno@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-28  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to accessing removed continuation in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=78417
+
+        Reviewed by David Hyatt.
+
+        This patch addresses two problems:
+        1. Run-in block got split due to addition of a column-span child.
+        The clone part was incorrectly intruding into the sibling block,
+        even when it was part of the continuation chain.
+        2. Like r73296, we don't need to set continuation on an
+        anonymous block since we haven't split a real element.
+
+        Test: fast/multicol/span/runin-continuation-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+        (WebCore::RenderBlock::handleRunInChild):
+
 2012-02-28  Abhishek Arya  <inferno@chromium.org>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -853 +853 @@
             // our block into continuations.
             RenderBoxModelObject* oldContinuation = continuation();
-            setContinuation(newBox);
+
+            // When we split an anonymous block, there's no need to do any continuation hookup,
+            // since we haven't actually split a real element.
+            if (!isAnonymousBlock())
+                setContinuation(newBox);
 
             // Someone may have put a <p> inside a <q>, causing a split.  When this happens, the :after content
@@ -1760 +1764 @@
     // FIXME: We don't handle non-block elements with run-in for now.
     if (!child->isRenderBlock())
+        return false;  
+    // Run-in child shouldn't intrude into the sibling block if it is part of a
+    // continuation chain. In that case, treat it as a normal block.
+    if (child->isElementContinuation() || child->virtualContinuation())
         return false;