<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[166078] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/166078">166078</a></dd>
<dt>Author</dt> <dd>hyatt@apple.com</dd>
<dt>Date</dt> <dd>2014-03-21 11:13:24 -0700 (Fri, 21 Mar 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks.
https://bugs.webkit.org/show_bug.cgi?id=129948
<rdar://problem/16074072>
Reviewed by Simon Fraser.
Source/WebCore:
When the marker was placed for multi-column list items, it was being inserted
into the list item itself. Even though the add code in RenderBlock did the right
thing and put the marker inside the multi-column flow thread, the list item code
passed in a beforeChild that was computed using the incorrect parent. This resulted
in the flow thread being used both as the parent of the marker and the sibling of
the marker.
The fix is to add some code to RenderListItem to make sure it uses the multi-column
flow thread if it exists both as the parent of the marker and as the basis for the
computation of the sibling that the marker should be placed in front of.
Added fast/multicol/multicol-li-crash.html
* rendering/RenderListItem.cpp:
(WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
LayoutTests:
* fast/multicol/multicol-li-crash-expected.txt: Added.
* fast/multicol/multicol-li-crash.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderListItemcpp">trunk/Source/WebCore/rendering/RenderListItem.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastmulticolmulticollicrashexpectedtxt">trunk/LayoutTests/fast/multicol/multicol-li-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastmulticolmulticollicrashhtml">trunk/LayoutTests/fast/multicol/multicol-li-crash.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (166077 => 166078)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2014-03-21 18:02:35 UTC (rev 166077)
+++ trunk/LayoutTests/ChangeLog 2014-03-21 18:13:24 UTC (rev 166078)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2014-03-21 David Hyatt <hyatt@apple.com>
+
+ Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks.
+ https://bugs.webkit.org/show_bug.cgi?id=129948
+ <rdar://problem/16074072>
+
+ Reviewed by Simon Fraser.
+
+ * fast/multicol/multicol-li-crash-expected.txt: Added.
+ * fast/multicol/multicol-li-crash.html: Added.
+
</ins><span class="cx"> 2014-03-21 Sergio Villar Senin <svillar@igalia.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed. Rebaseline expectations after r165651.
</span></span></pre></div>
<a id="trunkLayoutTestsfastmulticolmulticollicrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/multicol/multicol-li-crash-expected.txt (0 => 166078)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/multicol/multicol-li-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/multicol-li-crash-expected.txt 2014-03-21 18:13:24 UTC (rev 166078)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+This test passes if it doesn't crash.
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastmulticolmulticollicrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/multicol/multicol-li-crash.html (0 => 166078)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/multicol/multicol-li-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/multicol-li-crash.html 2014-03-21 18:13:24 UTC (rev 166078)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+<script>
+if (window.internals)
+ internals.settings.setRegionBasedColumnsEnabled(true);
+if (window.testRunner)
+ testRunner.dumpAsText()
+</script>
+This test passes if it doesn't crash.
+<li style="overflow: -webkit-paged-x;"></li>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (166077 => 166078)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2014-03-21 18:02:35 UTC (rev 166077)
+++ trunk/Source/WebCore/ChangeLog 2014-03-21 18:13:24 UTC (rev 166078)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2014-03-21 David Hyatt <hyatt@apple.com>
+
+ Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks.
+ https://bugs.webkit.org/show_bug.cgi?id=129948
+ <rdar://problem/16074072>
+
+ Reviewed by Simon Fraser.
+
+ When the marker was placed for multi-column list items, it was being inserted
+ into the list item itself. Even though the add code in RenderBlock did the right
+ thing and put the marker inside the multi-column flow thread, the list item code
+ passed in a beforeChild that was computed using the incorrect parent. This resulted
+ in the flow thread being used both as the parent of the marker and the sibling of
+ the marker.
+
+ The fix is to add some code to RenderListItem to make sure it uses the multi-column
+ flow thread if it exists both as the parent of the marker and as the basis for the
+ computation of the sibling that the marker should be placed in front of.
+
+ Added fast/multicol/multicol-li-crash.html
+
+ * rendering/RenderListItem.cpp:
+ (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
+
</ins><span class="cx"> 2014-03-20 Andreas Kling <akling@apple.com>
</span><span class="cx">
</span><span class="cx"> Stop pulling in JSCInlines.h all over the place.
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderListItemcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderListItem.cpp (166077 => 166078)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderListItem.cpp 2014-03-21 18:02:35 UTC (rev 166077)
+++ trunk/Source/WebCore/rendering/RenderListItem.cpp 2014-03-21 18:13:24 UTC (rev 166078)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> #include "InlineElementBox.h"
</span><span class="cx"> #include "PseudoElement.h"
</span><span class="cx"> #include "RenderListMarker.h"
</span><ins>+#include "RenderMultiColumnFlowThread.h"
</ins><span class="cx"> #include "RenderView.h"
</span><span class="cx"> #include "StyleInheritedData.h"
</span><span class="cx"> #include <wtf/StackStats.h>
</span><span class="lines">@@ -279,7 +280,10 @@
</span><span class="cx"> // in this case.
</span><span class="cx"> if (currentParent && currentParent->isAnonymousBlock())
</span><span class="cx"> return;
</span><del>- newParent = this;
</del><ins>+ if (multiColumnFlowThread())
+ newParent = multiColumnFlowThread();
+ else
+ newParent = this;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (newParent != currentParent) {
</span></span></pre>
</div>
</div>
</body>
</html>