Changeset 167001 in webkit

Timestamp:

Apr 8, 2014 11:18:00 PM (10 years ago)

Author:

mihnea@adobe.com

Message:

[CSSRegions] Crash when video in region exits fullscreen
​https://bugs.webkit.org/show_bug.cgi?id=131366

Reviewed by Andrei Bucur.

Source/WebCore:

After fix for ​https://bugs.webkit.org/show_bug.cgi?id=130392, we compute the region ranges
information for inline elements collected in named flows with associated region chains.
The algorithm for this computation, implemented in RenderFlowThread::getRegionRangeForBox,
walks up the render tree trying to find the top-most unsplittable box under the named flow
in the case where the region ranges information is not available.

As this traversal works properly only when the starting box is not detached from the render tree,
i changed the named flow information clearing in RenderBlock::collapseAnonymousBoxChild
to occur before the child to be collapsed is removed from the render tree.

Test: fast/regions/full-screen-video-in-region-crash.html

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::collapseAnonymousBoxChild):

• rendering/RenderFlowThread.cpp:

(WebCore::RenderFlowThread::getRegionRangeForBox):

LayoutTests:

• fast/regions/full-screen-video-in-region-crash-expected.txt: Added.
• fast/regions/full-screen-video-in-region-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/regions/full-screen-video-in-region-crash-expected.txt (added)
• LayoutTests/fast/regions/full-screen-video-in-region-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (2 diffs)
• Source/WebCore/rendering/RenderFlowThread.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-04-08  Mihnea Ovidenie  <mihnea@adobe.com>
+
+        [CSSRegions] Crash when video in region exits fullscreen
+        https://bugs.webkit.org/show_bug.cgi?id=131366
+
+        Reviewed by Andrei Bucur.
+
+        * fast/regions/full-screen-video-in-region-crash-expected.txt: Added.
+        * fast/regions/full-screen-video-in-region-crash.html: Added.
+
 2014-04-08  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-04-08  Mihnea Ovidenie  <mihnea@adobe.com>
+
+        [CSSRegions] Crash when video in region exits fullscreen
+        https://bugs.webkit.org/show_bug.cgi?id=131366
+
+        Reviewed by Andrei Bucur.
+
+        After fix for https://bugs.webkit.org/show_bug.cgi?id=130392, we compute the region ranges
+        information for inline elements collected in named flows with associated region chains.
+        The algorithm for this computation, implemented in RenderFlowThread::getRegionRangeForBox,
+        walks up the render tree trying to find the top-most unsplittable box under the named flow
+        in the case where the region ranges information is not available.
+
+        As this traversal works properly only when the starting box is not detached from the render tree,
+        i changed the named flow information clearing in RenderBlock::collapseAnonymousBoxChild
+        to occur before the child to be collapsed is removed from the render tree.
+
+        Test: fast/regions/full-screen-video-in-region-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::collapseAnonymousBoxChild):
+        * rendering/RenderFlowThread.cpp:
+        (WebCore::RenderFlowThread::getRegionRangeForBox):
+
 2014-04-08  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -1037 +1037 @@
     RenderFlowThread* childFlowThread = child->flowThreadContainingBlock();
     CurrentRenderFlowThreadMaintainer flowThreadMaintainer(childFlowThread);
+    if (childFlowThread && childFlowThread->isRenderNamedFlowThread())
+        toRenderNamedFlowThread(childFlowThread)->removeFlowChildInfo(child);
 
     parent->removeChildInternal(*child, child->hasLayer() ? NotifyChildren : DontNotifyChildren);
@@ -1042 +1044 @@
     // Delete the now-empty block's lines and nuke it.
     child->deleteLines();
-    if (childFlowThread && childFlowThread->isRenderNamedFlowThread())
-        toRenderNamedFlowThread(childFlowThread)->removeFlowChildInfo(child);
     child->destroy();
 }

trunk/Source/WebCore/rendering/RenderFlowThread.cpp

@@ -780 +780 @@
         if (cb->isUnsplittableForPagination())
             topMostUnsplittable = cb;
+        ASSERT(cb->parent());
         cb = cb->parent()->enclosingBox();
+        ASSERT(cb);
     } while (!cb->isRenderFlowThread());