commit cb85c5ac6509a481451be986764078fe62989240
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Nov 8 17:32:07 2009 +0000

    <rdar://problem/7363434> Crash inside RenderObject::localToAbsolute
    below FrameView::layout
    https://bugs.webkit.org/show_bug.cgi?id=31093
    
    Reviewed by Simon Fraser.
    
    WebCore:
    
    Test: fast/block/positioning/relative-positioned-inline-container.html
    
    In <http://trac.webkit.org/changeset/19148>, setStaticY() was changed
    to mark the object for layout, doing so without marking its ancestors.
    However, RenderBlock::skipLeadingWhitespace and
    RenderBlock::skipTrailingWhitespace() call setStaticY() on a relative-
    positioned inline container, causing it to be marked for layout without
    ever going back to give it layout, and thus layout could end with a
    dirty object still in the tree, leading to all sorts of badness.
    
    The fix is to revert setStaticY() to not marking the object dirty, and
    instead do it in the call sites that require it, which are in
    RenderBlock and RenderFlexibleBox.
    
    * rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::adjustPositionedBlock):
    * rendering/RenderFlexibleBox.cpp:
    (WebCore::RenderFlexibleBox::layoutHorizontalBox):
    (WebCore::RenderFlexibleBox::layoutVerticalBox):
    * rendering/RenderLayer.cpp:
    * rendering/RenderLayer.h:
    (WebCore::RenderLayer::setStaticY):
    
    LayoutTests:
    
    * fast/block/positioning/relative-positioned-inline-container-expected.checksum: Added.
    * fast/block/positioning/relative-positioned-inline-container-expected.png: Added.
    * fast/block/positioning/relative-positioned-inline-container-expected.txt: Added.
    * fast/block/positioning/relative-positioned-inline-container.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50623 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f6bdfb2..2fe0270 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-11-08  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/7363434> Crash inside RenderObject::localToAbsolute
+        below FrameView::layout
+        https://bugs.webkit.org/show_bug.cgi?id=31093
+
+        * fast/block/positioning/relative-positioned-inline-container-expected.checksum: Added.
+        * fast/block/positioning/relative-positioned-inline-container-expected.png: Added.
+        * fast/block/positioning/relative-positioned-inline-container-expected.txt: Added.
+        * fast/block/positioning/relative-positioned-inline-container.html: Added.
+
 2009-11-07  Dirk Pranke  <dpranke at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.checksum b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.checksum
new file mode 100644
index 0000000..80fe55d
--- /dev/null
+++ b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.checksum
@@ -0,0 +1 @@
+90f975ad703fd9648fe8c4a1826cd063
\ No newline at end of file
diff --git a/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.png b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.png
new file mode 100644
index 0000000..05fee1d
Binary files /dev/null and b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.png differ
diff --git a/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.txt b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.txt
new file mode 100644
index 0000000..3c9a481
--- /dev/null
+++ b/LayoutTests/fast/block/positioning/relative-positioned-inline-container-expected.txt
@@ -0,0 +1,16 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600 layerType: background only
+layer at (8,26) size 100x100
+  RenderBlock (positioned) zI: -1 {DIV} at (0,18) size 100x100 [bgcolor=#008000]
+layer at (0,0) size 800x600 layerType: foreground only
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderBlock {DIV} at (0,0) size 400x18
+        RenderText {#text} at (0,0) size 0x0
+layer at (8,8) size 100x22
+  RenderInline (relative positioned) {SPAN} at (0,0) size 100x22
+    RenderText {#text} at (0,0) size 0x0
+    RenderBR {BR} at (0,0) size 0x18
+    RenderBlock {DIV} at (0,18) size 100x0 [bgcolor=#FF0000]
+    RenderText {#text} at (0,0) size 0x0
diff --git a/LayoutTests/fast/block/positioning/relative-positioned-inline-container.html b/LayoutTests/fast/block/positioning/relative-positioned-inline-container.html
new file mode 100644
index 0000000..357b5f7
--- /dev/null
+++ b/LayoutTests/fast/block/positioning/relative-positioned-inline-container.html
@@ -0,0 +1,15 @@
+<body>
+    <div id="container" style="width: 400px; display: none;">
+        <span style="position: relative">
+            <br>
+            <div style="z-index: -1; position: absolute; width: 100px; height: 100px; background-color: green;"></div>
+            <div id="target" style="display: inline-block; width: 100px; height: 100px; background-color: red;"></div>
+        </span>
+    </div>
+    <script>
+            document.body.offsetTop;
+            document.getElementById("container").style.removeProperty("display");
+            document.body.offsetTop;
+            document.getElementById("target").style.height = "0";
+    </script>
+</body>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 05e4026..b71da61 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,34 @@
+2009-11-08  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/7363434> Crash inside RenderObject::localToAbsolute
+        below FrameView::layout
+        https://bugs.webkit.org/show_bug.cgi?id=31093
+
+        Test: fast/block/positioning/relative-positioned-inline-container.html
+
+        In <http://trac.webkit.org/changeset/19148>, setStaticY() was changed
+        to mark the object for layout, doing so without marking its ancestors.
+        However, RenderBlock::skipLeadingWhitespace and
+        RenderBlock::skipTrailingWhitespace() call setStaticY() on a relative-
+        positioned inline container, causing it to be marked for layout without
+        ever going back to give it layout, and thus layout could end with a
+        dirty object still in the tree, leading to all sorts of badness.
+
+        The fix is to revert setStaticY() to not marking the object dirty, and
+        instead do it in the call sites that require it, which are in
+        RenderBlock and RenderFlexibleBox.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::adjustPositionedBlock):
+        * rendering/RenderFlexibleBox.cpp:
+        (WebCore::RenderFlexibleBox::layoutHorizontalBox):
+        (WebCore::RenderFlexibleBox::layoutVerticalBox):
+        * rendering/RenderLayer.cpp:
+        * rendering/RenderLayer.h:
+        (WebCore::RenderLayer::setStaticY):
+
 2009-11-07  Daniel Bates  <dbates at webkit.org>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 2e31c1e..ce0ecf1 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -867,7 +867,11 @@ void RenderBlock::adjustPositionedBlock(RenderBox* child, const MarginInfo& marg
             }
             y += (collapsedTopPos - collapsedTopNeg) - marginTop;
         }
-        child->layer()->setStaticY(y);
+        RenderLayer* childLayer = child->layer();
+        if (childLayer->staticY() != y) {
+            child->layer()->setStaticY(y);
+            child->setChildNeedsLayout(true, false);
+        }
     }
 }
 
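Review bot: The new `childLayer` local introduced on the `RenderLayer* childLayer = child->layer();` line is only used for the `staticY()` comparison, and the very next statement re-fetches the layer with `child->layer()->setStaticY(y);`; it should read `childLayer->setStaticY(y);` so the guard and the store visibly act on the same object. The same pattern appears in both RenderFlexibleBox.cpp hunks (`layoutHorizontalBox` and `layoutVerticalBox`), where `child->layer()->setStaticY(...)` likewise should become `childLayer->setStaticY(...)`. The compare-then-mark sequence is now duplicated verbatim at three call sites; if more callers appear, a small helper on the renderer side that takes the layer, the new value and the dirty-marking in one place would keep the "changed staticY implies setChildNeedsLayout" invariant from drifting. The enclosing function `adjustPositionedBlock` begins outside this hunk.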
diff --git a/WebCore/rendering/RenderFlexibleBox.cpp b/WebCore/rendering/RenderFlexibleBox.cpp
index 63c72fd..df0b7ed 100644
--- a/WebCore/rendering/RenderFlexibleBox.cpp
+++ b/WebCore/rendering/RenderFlexibleBox.cpp
@@ -410,8 +410,13 @@ void RenderFlexibleBox::layoutHorizontalBox(bool relayoutChildren)
                         child->layer()->setStaticX(xPos);
                     else child->layer()->setStaticX(width() - xPos);
                 }
-                if (child->style()->hasStaticY())
-                    child->layer()->setStaticY(yPos);
+                if (child->style()->hasStaticY()) {
+                    RenderLayer* childLayer = child->layer();
+                    if (childLayer->staticY() != yPos) {
+                        child->layer()->setStaticY(yPos);
+                        child->setChildNeedsLayout(true, false);
+                    }
+                }
                 child = iterator.next();
                 continue;
             }
@@ -769,8 +774,13 @@ void RenderFlexibleBox::layoutVerticalBox(bool relayoutChildren)
                     else
                         child->layer()->setStaticX(borderRight()+paddingRight());
                 }
-                if (child->style()->hasStaticY())
-                    child->layer()->setStaticY(height());
+                if (child->style()->hasStaticY()) {
+                    RenderLayer* childLayer = child->layer();
+                    if (childLayer->staticY() != height()) {
+                        child->layer()->setStaticY(height());
+                        child->setChildNeedsLayout(true, false);
+                    }
+                }
                 child = iterator.next();
                 continue;
             } 
diff --git a/WebCore/rendering/RenderLayer.cpp b/WebCore/rendering/RenderLayer.cpp
index fea61c9..c59ea97 100644
--- a/WebCore/rendering/RenderLayer.cpp
+++ b/WebCore/rendering/RenderLayer.cpp
@@ -243,14 +243,6 @@ bool RenderLayer::hasAcceleratedCompositing() const
 #endif
 }
 
-void RenderLayer::setStaticY(int staticY)
-{
-    if (m_staticY == staticY)
-        return;
-    m_staticY = staticY;
-    renderer()->setChildNeedsLayout(true, false);
-}
-
 void RenderLayer::updateLayerPositions(UpdateLayerPositionsFlags flags)
 {
     if (flags & DoFullRepaint) {
diff --git a/WebCore/rendering/RenderLayer.h b/WebCore/rendering/RenderLayer.h
index a274638..9b7d5bc 100644
--- a/WebCore/rendering/RenderLayer.h
+++ b/WebCore/rendering/RenderLayer.h
@@ -390,7 +390,7 @@ public:
     int staticX() const { return m_staticX; }
     int staticY() const { return m_staticY; }
     void setStaticX(int staticX) { m_staticX = staticX; }
-    void setStaticY(int staticY);
+    void setStaticY(int staticY) { m_staticY = staticY; }
 
     bool hasTransform() const { return renderer()->hasTransform(); }
     // Note that this transform has the transform-origin baked in.
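Review bot: The inline `void setStaticY(int staticY) { m_staticY = staticY; }` is now a plain store with no layout side effect, which is the whole point of the change, but the header gives no hint that callers who depend on the new value must dirty the renderer themselves; the crash this commit fixes came from exactly that contract being misunderstood. I would add above the `staticX()` accessor a comment such as `// Static position setters only record the value; they do not mark the renderer for layout.` followed by `// Callers that need a changed staticX/staticY to take effect must call setChildNeedsLayout() themselves (see RenderBlock::adjustPositionedBlock).` This keeps the next caller from re-introducing a dirty-without-relayout path, and documents why `setStaticX` and `setStaticY` are intentionally symmetric again.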
