Cleanup inline boxes when list marker gets blockified
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Mar 2019 16:21:34 +0000 (16:21 +0000)
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Mar 2019 16:21:34 +0000 (16:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195746
<rdar://problem/48049175>

Reviewed by Antti Koivisto.

Source/WebCore:

Normally when an element gets blockified (inline -> block) we destroy its renderer and construct a new one (RenderInline -> RenderBlock).
During this process the associated inline boxtree gets destroyed as well. Since RenderListMarker is just a generic RenderBox, the blockifying
change does not require a new renderer.
This patch takes care of destroying the inline boxtree when the marker gains block display type.

Test: fast/block/float/list-marker-is-float-crash.html

* rendering/RenderListMarker.cpp:
(WebCore::RenderListMarker::styleDidChange):

LayoutTests:

* fast/block/float/list-marker-is-float-crash-expected.txt: Added.
* fast/block/float/list-marker-is-float-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242943 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/block/float/list-marker-is-float-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/block/float/list-marker-is-float-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderListMarker.cpp

index 8f08686..05b39d9 100644 (file)
@@ -1,3 +1,14 @@
+2019-03-14  Zalan Bujtas  <zalan@apple.com>
+
+        Cleanup inline boxes when list marker gets blockified
+        https://bugs.webkit.org/show_bug.cgi?id=195746
+        <rdar://problem/48049175>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/block/float/list-marker-is-float-crash-expected.txt: Added.
+        * fast/block/float/list-marker-is-float-crash.html: Added.
+
 2019-03-14  Ryan Haddad  <ryanhaddad@apple.com>
 
         Unreviewed test gardening, rebaseline tests after r241934.
diff --git a/LayoutTests/fast/block/float/list-marker-is-float-crash-expected.txt b/LayoutTests/fast/block/float/list-marker-is-float-crash-expected.txt
new file mode 100644 (file)
index 0000000..73409ae
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no crash.
+
diff --git a/LayoutTests/fast/block/float/list-marker-is-float-crash.html b/LayoutTests/fast/block/float/list-marker-is-float-crash.html
new file mode 100644 (file)
index 0000000..49810d9
--- /dev/null
@@ -0,0 +1,14 @@
+PASS if no crash.
+<li>
+<video src="data:video/mp4;base64,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" controls="controls">
+<style>
+:matches(::marker, |*) { 
+       float: left;
+}
+</style>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.style.columnCount = "2";
+</script>
\ No newline at end of file
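Review bot: the test does not document how it reproduces the crash. From the markup, the `float: left` applied through `:matches(::marker, |*)` is what turns the marker's display into a block type, and the `<video controls>` element plus the `columnCount = "2"` change from script appear to be what forces the later style/layout pass; a one-line HTML comment stating this would make the test far easier to garden when it regresses. The `<li>` is also left unclosed, which is harmless for a crash test but worth closing for clarity.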
index 2d215e6..51513bf 100644 (file)
@@ -1,3 +1,21 @@
+2019-03-14  Zalan Bujtas  <zalan@apple.com>
+
+        Cleanup inline boxes when list marker gets blockified
+        https://bugs.webkit.org/show_bug.cgi?id=195746
+        <rdar://problem/48049175>
+
+        Reviewed by Antti Koivisto.
+
+        Normally when an element gets blockified (inline -> block) we destroy its renderer and construct a new one (RenderInline -> RenderBlock).
+        During this process the associated inline boxtree gets destroyed as well. Since RenderListMarker is just a generic RenderBox, the blockifying
+        change does not require a new renderer.
+        This patch takes care of destroying the inline boxtree when the marker gains block display type. 
+
+        Test: fast/block/float/list-marker-is-float-crash.html
+
+        * rendering/RenderListMarker.cpp:
+        (WebCore::RenderListMarker::styleDidChange):
+
 2019-03-14  Devin Rousso  <drousso@apple.com>
 
         Web Inspector: Audit: provide a way to get the contents of resources
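Review bot: style nit on the added ChangeLog text: the line ending "gains block display type. " carries trailing whitespace, and "boxtree" (twice) reads better as "box tree", matching the "inline boxes" wording in the title.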
index 45d0ac4..4c870a6 100644 (file)
@@ -1144,8 +1144,14 @@ void RenderListMarker::styleDidChange(StyleDifference diff, const RenderStyle* o
 {
     RenderBox::styleDidChange(diff, oldStyle);
 
-    if (oldStyle && (style().listStylePosition() != oldStyle->listStylePosition() || style().listStyleType() != oldStyle->listStyleType()))
-        setNeedsLayoutAndPrefWidthsRecalc();
+    if (oldStyle) {
+        if (style().listStylePosition() != oldStyle->listStylePosition() || style().listStyleType() != oldStyle->listStyleType())
+            setNeedsLayoutAndPrefWidthsRecalc();
+        if (oldStyle->isDisplayInlineType() && !style().isDisplayInlineType()) {
+            delete m_inlineBoxWrapper;
+            m_inlineBoxWrapper = nullptr;
+        }
+    }
 
     if (m_image != style().listStyleImage()) {
         if (m_image)
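Review bot: the new `delete m_inlineBoxWrapper;` frees the box but does not detach it from its parent line box first, so if the containing block's line box tree is still alive at this point the parent keeps a dangling child pointer until that tree is rebuilt, which would trade the reported crash for a use-after-free. Please confirm that the inline -> block transition always tears down or rebuilds the surrounding line boxes before they are walked again (note that `setNeedsLayoutAndPrefWidthsRecalc()` is only called in the list-style branch above, not in the new one), or remove the box from its parent before deleting it. The guard `oldStyle->isDisplayInlineType() && !style().isDisplayInlineType()` correctly limits the cleanup to the inline -> block direction described in the ChangeLog.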