Crash in RenderBlock::splitBlocks.
author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Mar 2012 22:05:21 +0000 (22:05 +0000)
committer: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Mar 2012 22:05:21 +0000 (22:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=81926

Reviewed by Julien Chaffraix.

Source/WebCore:

We are updating the :after content before calling splitFlow. The :after content
gets blown away since it will go to the continuation. beforeChild was earlier
set to the first child. Being the last anonymous block, its children get pulled
up in collapseAnonymousBoxChild and it gets destroyed. So, we need to update
the beforeChild value.

Test: fast/multicol/span/update-after-content-before-child-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):

LayoutTests:

* fast/multicol/span/update-after-content-before-child-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@111912 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/multicol/span/update-after-content-before-child-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/span/update-after-content-before-child-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp

index 428519efeaec552dc7a63dbbc626b140e2c211c9..138ab9b0be96a111ceda43e6f7086b024f9eb37c 100644 (file)
@@ -1,3 +1,12 @@
+2012-03-23  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderBlock::splitBlocks.
+        https://bugs.webkit.org/show_bug.cgi?id=81926
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/multicol/span/update-after-content-before-child-crash.html: Added.
+
 2012-03-23  Dave Tharp  <dtharp@codeaurora.org>
 
         Integrate IETC CSS : textshadow tests
diff --git a/LayoutTests/fast/multicol/span/update-after-content-before-child-crash-expected.txt b/LayoutTests/fast/multicol/span/update-after-content-before-child-crash-expected.txt
new file mode 100644 (file)
index 0000000..2afa0bf
--- /dev/null
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/multicol/span/update-after-content-before-child-crash.html b/LayoutTests/fast/multicol/span/update-after-content-before-child-crash.html
new file mode 100755 (executable)
index 0000000..8572a42
--- /dev/null
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+#columnContainer { -webkit-column-count: 600; }
+#divBlock::after { display: block; content: ''; }
+#columnSpanBlock:nth-last-child(even) { -webkit-column-span: all; }
+#table { float: right; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+onload = function() {
+    columnContainer = document.createElement('div');
+    columnContainer.setAttribute('id', 'columnContainer');
+    document.body.appendChild(columnContainer);
+    divBlock = document.createElement('div');
+    divBlock.setAttribute('id', 'divBlock');
+    columnContainer.appendChild(divBlock);
+    columnSpanBlock = document.createElement('div');
+    columnSpanBlock.setAttribute('id', 'columnSpanBlock');
+    divBlock.appendChild(columnSpanBlock);
+    span = document.createElement('span');
+    divBlock.appendChild(span);
+    span.appendChild(document.createTextNode('A'));
+    table = document.createElement('table');
+    table.setAttribute('id', 'table');
+    divBlock.appendChild(table);
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('inserttext', '');
+    document.body.offsetTop;
+    document.body.innerHTML = "PASS. WebKit didn't crash.";
+}
+</script>
+</body>
+</html>
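Review bot: `document.execCommand('inserttext', '')` passes the empty string as execCommand's second (showUI) argument, so the command runs with no value at all; if the intent is "insert empty text", it should be `document.execCommand('inserttext', false, '')`. Either form reproduces the crash, but the explicit three-argument call makes the test's intent clear to the next person who reduces it. Minor: `columnContainer`, `divBlock`, `columnSpanBlock`, `span` and `table` are assigned without `var`, which leaks them onto `window`; harmless in a crash test, but a `var` per declaration keeps the file lint-clean.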
index 3cf940b64e4fbf99e1d77da783a7f34f30674217..6e19823f3a0a36dd1ffecc921078c38cc7c36e76 100644 (file)
@@ -1,3 +1,21 @@
+2012-03-23  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderBlock::splitBlocks.
+        https://bugs.webkit.org/show_bug.cgi?id=81926
+
+        Reviewed by Julien Chaffraix.
+
+        We are updating the :after content before calling splitFlow. The :after content
+        gets blown away since it will go to the continuation. beforeChild was earlier
+        set to the first child. Being the last anonymous block, its children gets pulled
+        up in collapseAnonymousBoxChild and it gets destroyed. So, we need to update
+        beforeChild value. 
+
+        Test: fast/multicol/span/update-after-content-before-child-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+
 2012-03-23  Dana Jansens  <danakj@chromium.org>
 
         [chromium] Improved composited debug borders
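Review bot: the ChangeLog line "its children gets pulled up" should read "its children get pulled up", and "update beforeChild value." reads better as "update the beforeChild value."; the latter line also carries trailing whitespace that the style checker will flag. Consider naming the collapse path a little more precisely here, since the new code comment in RenderBlock.cpp ("the last anonymous block that collapsed") and this entry ("beforeChild was earlier set to the first child") together are the only record of why the first-child case needs handling.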
index 9c7203d11a72308bcc818955034854754cffc151..d739f18c9f44d70de732375ccc1781ce83d2fc5b 100755 (executable)
@@ -927,12 +927,19 @@ void RenderBlock::addChildIgnoringAnonymousColumnBlocks(RenderObject* newChild,
             // Someone may have put a <p> inside a <q>, causing a split.  When this happens, the :after content
             // has to move into the inline continuation.  Call updateBeforeAfterContent to ensure that our :after
             // content gets properly destroyed.
+            bool isFirstChild = (beforeChild == firstChild());
             bool isLastChild = (beforeChild == lastChild());
             if (document()->usesBeforeAfterRules())
                 children()->updateBeforeAfterContent(this, AFTER);
-            if (isLastChild && beforeChild != lastChild())
-                beforeChild = 0; // We destroyed the last child, so now we need to update our insertion
-                                 // point to be 0.  It's just a straight append now.
+            if (isLastChild && beforeChild != lastChild()) {
+                // We destroyed the last child, so now we need to update our insertion
+                // point to be 0. It's just a straight append now.
+                beforeChild = 0;
+            } else if (isFirstChild && beforeChild != firstChild()) {
+                // If beforeChild was the last anonymous block that collapsed,
+                // then we need to update its value.
+                beforeChild = firstChild();
+            }
 
             splitFlow(beforeChild, newBox, newChild, oldContinuation);
             return;
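Review bot: the new `else if (isFirstChild && beforeChild != firstChild())` branch compares `beforeChild` by address after `updateBeforeAfterContent` may already have destroyed it via `collapseAnonymousBoxChild`; that is safe only because nothing between the update and the reassignment dereferences `beforeChild`. Please say so in the comment above the branch (e.g. "beforeChild may be a dangling pointer here; it is compared, never dereferenced") so a later refactor does not slip a `beforeChild->` in front of it. Also, the fix covers `beforeChild` having been the first or the last child; if `beforeChild` was a middle anonymous block that got collapsed, neither `isFirstChild` nor `isLastChild` fires and `beforeChild` would still point at freed memory when passed to `splitFlow`. If that case is unreachable because the :after content always sits at the end and only its immediate anonymous sibling can collapse, an `ASSERT` on `beforeChild` being either 0 or a current child of `this` before the `splitFlow` call would document that invariant and catch a regression under the debug builds the fuzzers run.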