Do not update selection rect on dirty lineboxes.
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2016 04:19:09 +0000 (04:19 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2016 04:19:09 +0000 (04:19 +0000)
commit 7f07e6e66564b4b8f30923da3ac5ea480fe2a18c
tree d5e25abda924539cf7b561ecaf90a75eeaa37006
parent 68a8c5370ff1df26ec97edd5d6e46c4efbd4fdea
Do not update selection rect on dirty lineboxes.
https://bugs.webkit.org/show_bug.cgi?id=163862
<rdar://problem/28813156>

Reviewed by Simon Fraser.

Source/WebCore:

In certain cases RenderBlock::updateFirstLetter() triggers
unwanted render tree mutation while the caller assumes intact renderers.
This patch ensures that no renderers get destroyed while computing the preferred widths
when we are outside of layout context.

Test: fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::computePreferredLogicalWidths):
(WebCore::RenderBlock::updateFirstLetter):
* rendering/RenderBlock.h:
* rendering/RenderListItem.cpp:
(WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::updateFirstLetter):
* rendering/RenderRubyRun.h:
* rendering/RenderTable.cpp:
(WebCore::RenderTable::updateFirstLetter):
* rendering/RenderTable.h:
* rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::updateFirstLetter):
* rendering/svg/RenderSVGText.h:

LayoutTests:

* fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt: Added.
* fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207804 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderBlock.h
Source/WebCore/rendering/RenderListItem.cpp
Source/WebCore/rendering/RenderRubyRun.cpp
Source/WebCore/rendering/RenderRubyRun.h
Source/WebCore/rendering/RenderTable.cpp
Source/WebCore/rendering/RenderTable.h
Source/WebCore/rendering/svg/RenderSVGText.cpp
Source/WebCore/rendering/svg/RenderSVGText.h