<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[163531] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/163531">163531</a></dd>
<dt>Author</dt> <dd>stavila@adobe.com</dd>
<dt>Date</dt> <dd>2014-02-06 06:42:02 -0800 (Thu, 06 Feb 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>[CSS Regions] Null dereference applying animation with CSS regions
https://bugs.webkit.org/show_bug.cgi?id=128218

Reviewed by Andrei Bucur.

Source/WebCore:

The first issue (the null dereference) was caused by the checkForZoomChange method
not guarding against a null parentStyle parameter, as the checkForGenericFamilyChange
method does, which in the crashing scenario is called just before the faulty
checkForZoomChange method.
The second issue was an assert which was caused by the fact that detaching is performed
in a certain situation if the element has a renderer or if it's inside a named flow.
However, when reattaching and asserting the element has no renderer, the
"inside named flow" condition was no longer considered.

Test: fast/regions/animation-element-in-region-flowed-to-other-thread.html

* css/StyleResolver.cpp:
(WebCore::StyleResolver::checkForZoomChange):
* style/StyleResolveTree.cpp:
(WebCore::Style::attachChildren):

LayoutTests:

Added test for crash caused by using animations with DOM children of regions flowed
into another flow thread.

* fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html: Added.
* fast/regions/animation-element-in-region-flowed-to-other-thread.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorecssStyleResolvercpp">trunk/Source/WebCore/css/StyleResolver.cpp</a></li>
<li><a href="#trunkSourceWebCorestyleStyleResolveTreecpp">trunk/Source/WebCore/style/StyleResolveTree.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastregionsanimationelementinregionflowedtootherthreadexpectedhtml">trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html</a></li>
<li><a href="#trunkLayoutTestsfastregionsanimationelementinregionflowedtootherthreadhtml">trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (163530 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/LayoutTests/ChangeLog        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2014-02-06 Radu Stavila <stavila@adobe.com>
+
+ [CSS Regions] Null dereference applying animation with CSS regions
+ https://bugs.webkit.org/show_bug.cgi?id=128218
+
+ Reviewed by Andrei Bucur.
+
+ Added test for crash caused by using animations with DOM children of regions flowed
+ into another flow thread.
+
+ * fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html: Added.
+ * fast/regions/animation-element-in-region-flowed-to-other-thread.html: Added.
+
</ins><span class="cx"> 2014-02-06 Grzegorz Czajkowski <g.czajkowski@samsung.com>
</span><span class="cx">
</span><span class="cx"> Verify copy/paste of misspellings asynchronously
</span></span></pre></div>
<a id="trunkLayoutTestsfastregionsanimationelementinregionflowedtootherthreadexpectedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html (0 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html         (rev 0)
+++ trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread-expected.html        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+<p>This test passes if it doesn't crash or assert</p>
+<a href="https://bugs.webkit.org/show_bug.cgi?id=128218">Bug 128218 - [CSS Regions] Null dereference applying animation with CSS regions</a>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastregionsanimationelementinregionflowedtootherthreadhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html (0 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html         (rev 0)
+++ trunk/LayoutTests/fast/regions/animation-element-in-region-flowed-to-other-thread.html        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+<style>
+ div {
+ -webkit-animation-name: n;
+ -webkit-animation-duration: 1s;
+ }
+
+ @-webkit-keyframes n {
+ to { font-weight: bold; }
+ }
+</style>
+
+<p>This test passes if it doesn't crash or assert</p>
+<a href="https://bugs.webkit.org/show_bug.cgi?id=128218">Bug 128218 - [CSS Regions] Null dereference applying animation with CSS regions</a>
+<div id="div1" style="-webkit-flow-from: a;">
+ <div id="div2">
+ <div id="div3" style="-webkit-flow-into: b;">test</div>
+ </div>
+</div>
+
</ins></span></pre></div>
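Review bot: The new test contains no script and its only pass criterion is "doesn't crash or assert", yet it is added together with an -expected.html reference, so it is also compared visually while the 1s animation to font-weight: bold is declared for every div. A text-only crash test (for example one that calls testRunner.dumpAsText()) would state the intent more directly. If the reference form is kept, add a short comment in the test explaining the setup: div1 is a region drawing from flow "a", while its descendant div3 is flowed into a different flow "b", which is the combination the log message describes. The added file also ends with an empty line that can be dropped.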
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (163530 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/ChangeLog        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2014-02-06 Radu Stavila <stavila@adobe.com>
+
+ [CSS Regions] Null dereference applying animation with CSS regions
+ https://bugs.webkit.org/show_bug.cgi?id=128218
+
+ Reviewed by Andrei Bucur.
+
+ The first issue (the null dereference) was caused by the checkForZoomChange method
+ not guarding against a null parentStyle parameter, as the checkForGenericFamilyChange
+ method does, which in the crashing scenario is called just before the faulty
+ checkForZoomChange method.
+ The second issue was an assert which was caused by the fact that detaching is performed
+ in a certain situation if the element has a renderer or if it's inside a named flow.
+ However, when reattaching and asserting the element has no renderer, the
+ "inside named flow" condition was no longer considered.
+
+ Test: fast/regions/animation-element-in-region-flowed-to-other-thread.html
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::checkForZoomChange):
+ * style/StyleResolveTree.cpp:
+ (WebCore::Style::attachChildren):
+
</ins><span class="cx"> 2014-02-06 László Langó <llango.u-szeged@partner.samsung.com>
</span><span class="cx">
</span><span class="cx"> Create a HTMLUnknownElement when using createElement('image')
</span></span></pre></div>
<a id="trunkSourceWebCorecssStyleResolvercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/StyleResolver.cpp (163530 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/StyleResolver.cpp        2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/css/StyleResolver.cpp        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -3122,6 +3122,9 @@
</span><span class="cx">
</span><span class="cx"> void StyleResolver::checkForZoomChange(RenderStyle* style, RenderStyle* parentStyle)
</span><span class="cx"> {
</span><ins>+ if (!parentStyle)
+ return;
+
</ins><span class="cx"> if (style->effectiveZoom() == parentStyle->effectiveZoom())
</span><span class="cx"> return;
</span><span class="cx">
</span></span></pre></div>
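Review bot: In checkForZoomChange the new guard covers only parentStyle, while style is still dereferenced unconditionally on the next statement (style->effectiveZoom()). If style can never be null here, an ASSERT(style) or a reference parameter would make that explicit; if it can be null, it needs the same check. The early return also means the zoom comparison is skipped entirely whenever there is no parent style, so a one-line comment saying when parentStyle is null and why skipping is the correct behaviour would help later readers. The log message notes that checkForGenericFamilyChange already carries the same guard and is called just before this method; with two consecutive helpers repeating it, consider handling the null parent once at the call site.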
<a id="trunkSourceWebCorestyleStyleResolveTreecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/style/StyleResolveTree.cpp (163530 => 163531)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/style/StyleResolveTree.cpp        2014-02-06 13:41:46 UTC (rev 163530)
+++ trunk/Source/WebCore/style/StyleResolveTree.cpp        2014-02-06 14:42:02 UTC (rev 163531)
</span><span class="lines">@@ -452,7 +452,7 @@
</span><span class="cx"> attachDistributedChildren(toInsertionPoint(current));
</span><span class="cx">
</span><span class="cx"> for (Node* child = current.firstChild(); child; child = child->nextSibling()) {
</span><del>- ASSERT(!child->renderer() || current.shadowRoot() || isInsertionPoint(current));
</del><ins>+ ASSERT((!child->renderer() || child->inNamedFlow()) || current.shadowRoot() || isInsertionPoint(current));
</ins><span class="cx"> if (child->renderer())
</span><span class="cx"> continue;
</span><span class="cx"> if (child->isTextNode()) {
</span></span></pre>
</div>
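Review bot: In the relaxed ASSERT in attachChildren, a child that is in a named flow is now allowed to still have a renderer at this point, and the unchanged "if (child->renderer()) continue;" directly below then skips the rest of the loop body for it. Please confirm that skipping such a child is intended, and add a comment above the assertion explaining why a named-flow child may keep its renderer here, since the log message says detaching happens when the element has a renderer or is inside a named flow. ASSERT is only checked in assertion-enabled builds, so this line changes nothing in release behaviour and the comment would be the only record of the weakened invariant. The inner parentheses around (!child->renderer() || child->inNamedFlow()) are redundant in a chain of ||; either drop them or keep them deliberately with the comment to mark the two conditions as one unit.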
</div>
</body>
</html>