From de4dabf284abd3eb4bbd78cc671e14508b1e2a6b Mon Sep 17 00:00:00 2001
From: "rniwa@webkit.org"
Date: Wed, 22 May 2013 19:21:52 +0000
Subject: [PATCH] REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes https://bugs.webkit.org/show_bug.cgi?id=110622 Reviewed by David Hyatt. Source/WebCore: Merge https://chromium.googlesource.com/chromium/blink/+/998ad358eed702b873dd54697b3fa3f952e0feb7 Inserting an element before the fullscreened element could crash if it caused a containing inline to be split, since the splitting logic doesn't expect the fullscreened element to be wrapped in a RenderFullScreen. This patch changes inline splitting to be aware of RenderFullScreen. Test: fullscreen/full-screen-inline-split-crash.html * rendering/RenderInline.cpp: (WebCore::RenderInline::splitInlines): LayoutTests: Add a regression test. * fullscreen/full-screen-inline-split-crash-expected.txt: Added. * fullscreen/full-screen-inline-split-crash.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@150531 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
LayoutTests/ChangeLog | 12 ++++++++++++
...full-screen-inline-split-crash-expected.txt | 3 +++
.../full-screen-inline-split-crash.html | 18 ++++++++++++++++++
Source/WebCore/ChangeLog | 18 ++++++++++++++++++
Source/WebCore/rendering/RenderInline.cpp | 10 ++++++++++
5 files changed, 61 insertions(+)
create mode 100644 LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt
create mode 100644 LayoutTests/fullscreen/full-screen-inline-split-crash.html
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f78a4d6bcf3e..39585aff1253 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2013-05-22 Ryosuke Niwa
+
+ REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes
+ https://bugs.webkit.org/show_bug.cgi?id=110622
+
+ Reviewed by David Hyatt.
+
+ Add a regression test.
+
+ * fullscreen/full-screen-inline-split-crash-expected.txt: Added.
+ * fullscreen/full-screen-inline-split-crash.html: Added.
+
 2013-05-22 Simon Fraser
 
 New Flickr doesn't get fast scrolling but should
diff --git a/LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt b/LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt
new file mode 100644
index 000000000000..6a4a933eaa3b
--- /dev/null
+++ b/LayoutTests/fullscreen/full-screen-inline-split-crash-expected.txt
@@ -0,0 +1,3 @@
+Test that inserting a node before a full-screened element doesn't cause a crash.
+END OF TEST
+
diff --git a/LayoutTests/fullscreen/full-screen-inline-split-crash.html b/LayoutTests/fullscreen/full-screen-inline-split-crash.html
new file mode 100644
index 000000000000..8180802de8c9
--- /dev/null
+++ b/LayoutTests/fullscreen/full-screen-inline-split-crash.html
@@ -0,0 +1,18 @@
+
+
+ Test that inserting a node before a full-screened element doesn't cause a crash.
+
+
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index b9e7f9f4fd31..56deecc84720 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2013-05-22 Ryosuke Niwa
+
+ REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes
+ https://bugs.webkit.org/show_bug.cgi?id=110622
+
+ Reviewed by David Hyatt.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/998ad358eed702b873dd54697b3fa3f952e0feb7
+
+ Inserting an element before the fullscreened element could crash if it caused a containing inline to be split,
+ since the splitting logic doesn't expect the fullscreened element to be wrapped in a RenderFullScreen. This patch changes
+ inline splitting to be aware of RenderFullScreen.
+
+ Test: fullscreen/full-screen-inline-split-crash.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::splitInlines):
+
 2013-05-22 Simon Fraser
 
 Fix issues with focus rings on search fields
diff --git a/Source/WebCore/rendering/RenderInline.cpp b/Source/WebCore/rendering/RenderInline.cpp
index 2c5426c2e1aa..3204dd18ad17 100644
--- a/Source/WebCore/rendering/RenderInline.cpp
+++ b/Source/WebCore/rendering/RenderInline.cpp
@@ -32,6 +32,7 @@
 #include "RenderArena.h"
 #include "RenderBlock.h"
 #include "RenderFlowThread.h"
+#include "RenderFullScreen.h"
 #include "RenderGeometryMap.h"
 #include "RenderLayer.h"
 #include "RenderTheme.h"
@@ -347,6 +348,15 @@ void RenderInline::splitInlines(RenderBlock* fromBlock, RenderBlock* toBlock,
 RenderInline* cloneInline = clone();
 cloneInline->setContinuation(oldCont);
 
+ // If we're splitting the inline containing the fullscreened element,
+ // |beforeChild| may be the renderer for the fullscreened element. However,
+ // that renderer is wrapped in a RenderFullScreen, so |this| is not its
+ // parent. Since the splitting logic expects |this| to be the parent, set
+ // |beforeChild| to be the RenderFullScreen.
+ const Element* fullScreenElement = document()->webkitCurrentFullScreenElement();
+ if (fullScreenElement && beforeChild && beforeChild->node() == fullScreenElement)
+ beforeChild = document()->fullScreenRenderer();
+
 // Now take all of the children from beforeChild to the end and remove
 // them from |this| and place them in the clone.
 RenderObject* o = beforeChild;
-- 
2.36.0
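Review bot: The assignment `beforeChild = document()->fullScreenRenderer();` has no null check, so if the document's full-screen renderer is absent at this point (the accessor returns a plain pointer; whether it can be cleared while `webkitCurrentFullScreenElement()` is still set should be confirmed) `beforeChild` becomes null and the `RenderObject* o = beforeChild;` loop that follows moves no children into the clone, turning the crash into a silently wrong split. Guarding the assignment keeps the original behaviour as the fallback: `if (RenderObject* fullScreenRenderer = document()->fullScreenRenderer())` / `    beforeChild = fullScreenRenderer;`. The new comment states the invariant the rest of the function relies on, so it is worth pinning right after the adjustment with `ASSERT(!beforeChild || beforeChild->parent() == this);`, which fires at the point of the wrong assumption instead of later as a bad cast in createLineBoxes. splitInlines begins before this hunk and continues past it.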