Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Dec 2016 23:48:53 +0000 (23:48 +0000)
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Dec 2016 23:48:53 +0000 (23:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=166436
rdar://problem/29772233

Reviewed by Simon Fraser.

Source/WebCore:

When, as the result of a certain style change, the generated anonymous block is no longer needed, we
move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
block, the cleanup code should just ignore it, the same way we ignore boxes like multicolumn, MathML etc.

Test: fast/regions/flow-fragment-as-anonymous-block-crash.html

* rendering/RenderObject.h:
(WebCore::RenderObject::isAnonymousBlock):

LayoutTests:

* fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
* fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210120 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderObject.h

index 5a4cab3..d9be1c0 100644 (file)
@@ -1,3 +1,14 @@
+2016-12-22  Zalan Bujtas  <zalan@apple.com>
+
+        Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+        https://bugs.webkit.org/show_bug.cgi?id=166436
+        rdar://problem/29772233
+
+        Reviewed by Simon Fraser.
+
+        * fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt: Added.
+        * fast/regions/flow-fragment-as-anonymous-block-crash.html: Added.
+
 2016-12-22  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         CSS Scroll Snap does not work if scrollbar is hidden
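Review bot: the LayoutTests ChangeLog entry lists the two added files but says nothing about what the test exercises; a one-line note after the file entries (for example that the test toggles a class on a list-item region to trigger anonymous-block cleanup and must not crash or assert) would make the entry self-explanatory without opening the test file.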
diff --git a/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt b/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash-expected.txt
new file mode 100644 (file)
index 0000000..3cd69de
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+
diff --git a/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html b/LayoutTests/fast/regions/flow-fragment-as-anonymous-block-crash.html
new file mode 100644 (file)
index 0000000..2fe1ca7
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we don't destroy the fragment anonymous block while cleaning up the render tree.</title> 
+<style>
+li { 
+  -webkit-flow-from: foobar;
+}
+
+q {
+  display: list-item;
+  -webkit-flow-from: foobar;
+}
+
+.fuzz0::before{
+  display: block;
+}
+</style>
+</head>
+<body>
+PASS if no crash or assert.
+<li></li><q></q>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+document.body.offsetHeight;
+document.getElementsByTagName("q")[0].className = "fuzz0";
+document.body.offsetHeight;
+</script>
+</body>
+</html>
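Review bot: the test carries no comment explaining why the `.fuzz0::before { display: block; }` rule and the `className = "fuzz0"` assignment are there, and that is the part a future reader needs: it is the style change that makes the anonymous block around the list-item region redundant and sends the RenderNamedFlowFragment through the cleanup path. A short HTML comment above the `<style>` block, plus noting that the two `document.body.offsetHeight` reads force layout before and after the change, would document the trigger. Also trim the trailing whitespace after `</title>` and after `li {`.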
index 33680d7..5258fde 100644 (file)
@@ -1,3 +1,20 @@
+2016-12-22  Zalan Bujtas  <zalan@apple.com>
+
+        Do not destroy the RenderNamedFlowFragment as leftover anonymous block.
+        https://bugs.webkit.org/show_bug.cgi?id=166436
+        rdar://problem/29772233
+
+        Reviewed by Simon Fraser.
+
+        When as the result of certain style change, the generated anonymous block is not needed anymore, we
+        move its descendants up to the parent and destroy the generated box. While RenderNamedFlowFragment is a generated
+        block, the cleanup code should just ignore it the same way we ignore boxes like multicolumn, mathml etc. 
+
+        Test: fast/regions/flow-fragment-as-anonymous-block-crash.html
+
+        * rendering/RenderObject.h:
+        (WebCore::RenderObject::isAnonymousBlock):
+
 2016-12-22  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         CSS Scroll Snap does not work if scrollbar is hidden
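Review bot: the description should name the cleanup path that consults isAnonymousBlock() when collapsing a redundant anonymous block, so the reason the new exclusion matters is traceable from the ChangeLog; the current wording only says "the cleanup code". The first sentence also needs a grammar fix ("When, as the result of a certain style change, the generated anonymous block is no longer needed, ..."), and there is trailing whitespace after "mathml etc.".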
index 7d38b94..813c296 100644 (file)
@@ -410,7 +410,7 @@ public:
         // RenderBlock::createAnonymousBlock(). This includes creating an anonymous
         // RenderBlock having a BLOCK or BOX display. Other classes such as RenderTextFragment
         // are not RenderBlocks and will return false. See https://bugs.webkit.org/show_bug.cgi?id=56709. 
-        return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderMultiColumnSet() && !isRenderView()
+        return isAnonymous() && (style().display() == BLOCK || style().display() == BOX) && style().styleType() == NOPSEUDO && isRenderBlock() && !isListMarker() && !isRenderFlowThread() && !isRenderNamedFlowFragment() && !isRenderMultiColumnSet() && !isRenderView()
 #if ENABLE(FULLSCREEN_API)
             && !isRenderFullScreen()
             && !isRenderFullScreenPlaceholder()
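Review bot: the comment above the return statement, which lists the classes that return false from isAnonymousBlock() (it currently names RenderTextFragment and points to bug 56709), should be extended to mention RenderNamedFlowFragment and why it is excluded, namely that it is a generated block the region machinery owns rather than a leftover anonymous block that RenderBlock cleanup may collapse; otherwise the next reader sees an unexplained exclusion in an already long conjunction. The exclusion itself is consistent with the existing `!isRenderFlowThread()` and `!isRenderMultiColumnSet()` checks, and since this single-line condition keeps growing, consider breaking it one predicate per line like the `ENABLE(FULLSCREEN_API)` tail already does.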