REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCo...
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 May 2013 19:21:52 +0000 (19:21 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 May 2013 19:21:52 +0000 (19:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=110622

Reviewed by David Hyatt.

Source/WebCore:

Merge https://chromium.googlesource.com/chromium/blink/+/998ad358eed702b873dd54697b3fa3f952e0feb7

Inserting an element before the fullscreened element could crash if it caused a containing inline to be split,
since the splitting logic doesn't expect the fullscreened element to be wrapped in a RenderFullScreen. This patch changes
inline splitting to be aware of RenderFullScreen.

Test: fullscreen/full-screen-inline-split-crash.html

* rendering/RenderInline.cpp:
(WebCore::RenderInline::splitInlines):

LayoutTests:

Add a regression test.

* fullscreen/full-screen-inline-split-crash-expected.txt: Added.
* fullscreen/full-screen-inline-split-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@150531 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt [new file with mode: 0644]
LayoutTests/fullscreen/full-screen-inline-split-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderInline.cpp

index f78a4d6..39585af 100644 (file)
@@ -1,3 +1,15 @@
+2013-05-22  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes
+        https://bugs.webkit.org/show_bug.cgi?id=110622
+
+        Reviewed by David Hyatt.
+
+        Add a regression test.
+
+        * fullscreen/full-screen-inline-split-crash-expected.txt: Added.
+        * fullscreen/full-screen-inline-split-crash.html: Added.
+
 2013-05-22  Simon Fraser  <simon.fraser@apple.com>
 
         New Flickr doesn't get fast scrolling but should
diff --git a/LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt b/LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt
new file mode 100644 (file)
index 0000000..6a4a933
--- /dev/null
@@ -0,0 +1,3 @@
+Test that inserting a node before a full-screened element doesn't cause a crash.
+END OF TEST
+
diff --git a/LayoutTests/fullscreen/full-screen-inline-split-crash.html b/LayoutTests/fullscreen/full-screen-inline-split-crash.html
new file mode 100644 (file)
index 0000000..8180802
--- /dev/null
@@ -0,0 +1,18 @@
+<script src="full-screen-test.js"></script>
+<body>
+    Test that inserting a node before a full-screened element doesn't cause a crash.
+    <span><span id="toBeMadeFullScreen"></span></span>
+</body>
+<script>
+
+// Use window.eventSender to fake a user-action, allowing full-screen.
+document.addEventListener("keypress", function() {
+    toBeMadeFullScreen.webkitRequestFullScreen();
+}, false);
+eventSender.keyDown(" ", []);
+
+document.addEventListener("webkitfullscreenchange", function() {
+    toBeMadeFullScreen.parentNode.insertBefore(document.createElement('div'), toBeMadeFullScreen);
+    setTimeout(endTest(), 0);
+}, false);
+</script>
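Review bot: `setTimeout(endTest(), 0);` in the webkitfullscreenchange handler invokes endTest() synchronously and hands its return value to setTimeout, so the test ends before the deferred callback ever runs; it should read `setTimeout(endTest, 0);` if the intent is to let the insertion-triggered layout happen before the test finishes. Two smaller points: the handler fires on every fullscreen change (entering and leaving), so a second insertBefore could run after endTest() if fullscreen is exited; guarding with `if (document.webkitIsFullScreen)` or removing the listener after the first call keeps the test deterministic. The script also relies on `toBeMadeFullScreen` resolving through named window access rather than `document.getElementById`, which is fine for a WebKit layout test but worth an explicit lookup for readability.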
index b9e7f9f..56deecc 100644 (file)
@@ -1,3 +1,21 @@
+2013-05-22  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes
+        https://bugs.webkit.org/show_bug.cgi?id=110622
+
+        Reviewed by David Hyatt.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/998ad358eed702b873dd54697b3fa3f952e0feb7
+
+        Inserting an element before the fullscreened element could crash if it caused a containing inline to be split,
+        since the splitting logic doesn't expect the fullscreened element to be wrapped in a RenderFullScreen. This patch changes
+        inline splitting to be aware of RenderFullScreen.
+
+        Test: fullscreen/full-screen-inline-split-crash.html
+
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::splitInlines):
+
 2013-05-22  Simon Fraser  <simon.fraser@apple.com>
 
         Fix issues with focus rings on search fields
index 2c5426c..3204dd1 100644 (file)
@@ -32,6 +32,7 @@
 #include "RenderArena.h"
 #include "RenderBlock.h"
 #include "RenderFlowThread.h"
+#include "RenderFullScreen.h"
 #include "RenderGeometryMap.h"
 #include "RenderLayer.h"
 #include "RenderTheme.h"
@@ -347,6 +348,15 @@ void RenderInline::splitInlines(RenderBlock* fromBlock, RenderBlock* toBlock,
     RenderInline* cloneInline = clone();
     cloneInline->setContinuation(oldCont);
 
+    // If we're splitting the inline containing the fullscreened element,
+    // |beforeChild| may be the renderer for the fullscreened element. However,
+    // that renderer is wrapped in a RenderFullScreen, so |this| is not its
+    // parent. Since the splitting logic expects |this| to be the parent, set
+    // |beforeChild| to be the RenderFullScreen.
+    const Element* fullScreenElement = document()->webkitCurrentFullScreenElement();
+    if (fullScreenElement && beforeChild && beforeChild->node() == fullScreenElement)
+        beforeChild = document()->fullScreenRenderer();
+
     // Now take all of the children from beforeChild to the end and remove
     // them from |this| and place them in the clone.
     RenderObject* o = beforeChild;
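Review bot: the new block calls `document()->webkitCurrentFullScreenElement()` and `document()->fullScreenRenderer()` unconditionally; if these Document accessors are only declared when the FULLSCREEN_API feature is enabled, this hunk will not compile in builds with that feature off, so the block (and the `#include "RenderFullScreen.h"` added in the earlier hunk, unless the header guards its own contents) should be wrapped in `#if ENABLE(FULLSCREEN_API)` / `#endif`. Separately, the reassignment assumes `fullScreenRenderer()` is non-null whenever `beforeChild` is the full-screen element's renderer; if it can be null (for example mid-transition), `beforeChild` becomes null and the loop that follows silently moves no children into the clone. Narrowing the condition to the case the comment describes, e.g. `&& beforeChild->parent() != this`, and adding `ASSERT(beforeChild)` after the reassignment would document the invariant and fail loudly in debug builds rather than splitting incorrectly.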