<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[182429] releases/WebKitGTK/webkit-2.8</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/182429">182429</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-04-06 09:30:57 -0700 (Mon, 06 Apr 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/182051">r182051</a> - Inline continuation code should not take anonymous containing wrapper granted.
https://bugs.webkit.org/show_bug.cgi?id=133312
Reviewed by Dave Hyatt.
It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
is an anonymous wrapper and its sibling might be a block level renderer.
When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
is detached from the render tree, the inline renderes still continue to form continuation.(however they no longer require
anonymous wrappers)
Source/WebCore:
Test: fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html
* rendering/RenderInline.cpp:
(WebCore::updateStyleOfAnonymousBlockContinuations):
(WebCore::RenderInline::styleDidChange):
LayoutTests:
* fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt: Added.
* fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorerenderingRenderInlinecpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastinlinecrashwhenpositionpropertyischangedandnolongerincontinuationexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastinlinecrashwhenpositionpropertyischangedandnolongerincontinuationhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (182428 => 182429)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog 2015-04-06 16:28:52 UTC (rev 182428)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog 2015-04-06 16:30:57 UTC (rev 182429)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2015-03-26 Zalan Bujtas <zalan@apple.com>
+
+ Inline continuation code should not take anonymous containing wrapper granted.
+ https://bugs.webkit.org/show_bug.cgi?id=133312
+
+ Reviewed by Dave Hyatt.
+
+ It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
+ is an anonymous wrapper and its sibling might be a block level renderer.
+ When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
+ is detached from the render tree, the inline renderes still continue to form continuation.(however they no longer require
+ anonymous wrappers)
+
+ * fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt: Added.
+ * fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html: Added.
+
</ins><span class="cx"> 2015-03-24 Yoav Weiss <yoav@yoav.ws>
</span><span class="cx">
</span><span class="cx"> Stop image from displaying when src attribute is removed or emptied
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastinlinecrashwhenpositionpropertyischangedandnolongerincontinuationexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt (0 => 182429)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation-expected.txt 2015-04-06 16:30:57 UTC (rev 182429)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+PASS if no crash or assert in debug.
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastinlinecrashwhenpositionpropertyischangedandnolongerincontinuationhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html (0 => 182429)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html 2015-04-06 16:30:57 UTC (rev 182429)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+ <title>This tests that position property can be changed on a inline element once it is not part of an active continuation.</title>
+</head>
+<body>
+PASS if no crash or assert in debug.
+<div style="position: absolute">
+ <span id=foo>
+ <div id=removethis></div>
+ </span>
+</div>
+<span></span>
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ setTimeout(function() {
+ var blockToRemove = document.getElementById("removethis");
+ blockToRemove.parentNode.removeChild(blockToRemove);
+ document.getElementById("foo").style.position="relative";
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (182428 => 182429)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-04-06 16:28:52 UTC (rev 182428)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-04-06 16:30:57 UTC (rev 182429)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2015-03-26 Zalan Bujtas <zalan@apple.com>
+
+ Inline continuation code should not take anonymous containing wrapper granted.
+ https://bugs.webkit.org/show_bug.cgi?id=133312
+
+ Reviewed by Dave Hyatt.
+
+ It's wrong to assume that when RenderInline is part of an inline continuation, its containing block
+ is an anonymous wrapper and its sibling might be a block level renderer.
+ When the inline continuation is no longer needed, for example when the block level renderer that initiated the continuation
+ is detached from the render tree, the inline renderes still continue to form continuation.(however they no longer require
+ anonymous wrappers)
+
+ Test: fast/inline/crash-when-position-property-is-changed-and-no-longer-in-continuation.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::updateStyleOfAnonymousBlockContinuations):
+ (WebCore::RenderInline::styleDidChange):
+
</ins><span class="cx"> 2015-03-24 Yoav Weiss <yoav@yoav.ws>
</span><span class="cx">
</span><span class="cx"> Stop image from displaying when src attribute is removed or emptied
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorerenderingRenderInlinecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp (182428 => 182429)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp 2015-04-06 16:28:52 UTC (rev 182428)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp 2015-04-06 16:30:57 UTC (rev 182429)
</span><span class="lines">@@ -138,9 +138,9 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static void updateStyleOfAnonymousBlockContinuations(RenderBox* box, const RenderStyle* newStyle, const RenderStyle* oldStyle)
</del><ins>+static void updateStyleOfAnonymousBlockContinuations(RenderBlock& block, const RenderStyle* newStyle, const RenderStyle* oldStyle)
</ins><span class="cx"> {
</span><del>- for (;box && box->isAnonymousBlock(); box = box->nextSiblingBox()) {
</del><ins>+ for (RenderBox* box = &block; box && box->isAnonymousBlock(); box = box->nextSiblingBox()) {
</ins><span class="cx"> if (box->style().position() == newStyle->position())
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="lines">@@ -174,23 +174,25 @@
</span><span class="cx"> // need to pass its style on to anyone else.
</span><span class="cx"> RenderStyle& newStyle = style();
</span><span class="cx"> RenderInline* continuation = inlineElementContinuation();
</span><del>- for (RenderInline* currCont = continuation; currCont; currCont = currCont->inlineElementContinuation()) {
- RenderBoxModelObject* nextCont = currCont->continuation();
- currCont->setContinuation(nullptr);
- currCont->setStyle(newStyle);
- currCont->setContinuation(nextCont);
</del><ins>+ if (continuation) {
+ for (RenderInline* currCont = continuation; currCont; currCont = currCont->inlineElementContinuation()) {
+ RenderBoxModelObject* nextCont = currCont->continuation();
+ currCont->setContinuation(nullptr);
+ currCont->setStyle(newStyle);
+ currCont->setContinuation(nextCont);
+ }
+ // If an inline's in-flow positioning has changed and it is part of an active continuation as a descendant of an anonymous containing block,
+ // then any descendant blocks will need to change their in-flow positioning accordingly.
+ // Do this by updating the position of the descendant blocks' containing anonymous blocks - there may be more than one.
+ if (containingBlock()->isAnonymousBlock() && oldStyle && newStyle.position() != oldStyle->position() && (newStyle.hasInFlowPosition() || oldStyle->hasInFlowPosition())) {
+ // If any descendant blocks exist then they will be in the next anonymous block and its siblings.
+ ASSERT(containingBlock()->nextSibling());
+ RenderBlock& block = downcast<RenderBlock>(*containingBlock()->nextSibling());
+ ASSERT(block.isAnonymousBlock());
+ updateStyleOfAnonymousBlockContinuations(block, &newStyle, oldStyle);
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- // If an inline's in-flow positioning has changed then any descendant blocks will need to change their in-flow positioning accordingly.
- // Do this by updating the position of the descendant blocks' containing anonymous blocks - there may be more than one.
- if (continuation && oldStyle && newStyle.position() != oldStyle->position()
- && (newStyle.hasInFlowPosition() || oldStyle->hasInFlowPosition())) {
- // If any descendant blocks exist then they will be in the next anonymous block and its siblings.
- RenderObject* block = containingBlock()->nextSibling();
- ASSERT(block && block->isAnonymousBlock());
- updateStyleOfAnonymousBlockContinuations(downcast<RenderBlock>(block), &newStyle, oldStyle);
- }
-
</del><span class="cx"> if (!alwaysCreateLineBoxes()) {
</span><span class="cx"> bool alwaysCreateLineBoxes = hasSelfPaintingLayer() || hasBoxDecorations() || newStyle.hasPadding() || newStyle.hasMargin() || hasOutline();
</span><span class="cx"> if (oldStyle && alwaysCreateLineBoxes) {
</span></span></pre>
</div>
</div>
</body>
</html>