RESOLVED FIXED162832
[ListItems] Render tree should be all clean by the end of FrameView::layout(). 
https://bugs.webkit.org/show_bug.cgi?id=162832
Summary [ListItems] Render tree should be all clean by the end of FrameView::layout().
alan
Reported 2016-09-30 19:33:36 PDT
We fail to clean all the renderers while running the following test: LayoutTests/imported/blink/fast/lists/list-item-without-list-reparented-crash.html
Attachments
Test reduction (226 bytes, text/html)
2016-10-01 21:14 PDT, alan 		no flags
Details
Patch (2.46 KB, patch)
2016-10-03 16:21 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (2.53 KB, patch)
2016-10-03 20:02 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (2.52 KB, patch)
2016-10-03 20:03 PDT, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2016-10-01 21:14:46 PDT
Created attachment 290461 [details] Test reduction This happens when we start mutating the renderer tree while laying it out. <body> <span> <li> 1. floating <li> is being laid out by the body (<span> is the direct parent but the containing block is the body) 2. we insert a new renderer (list marker) and dirty the ancestor chain 3. we never get to lay out the <span>
alan
Comment 2 2016-10-03 14:42:33 PDT
(In reply to comment #1) > Created attachment 290461 [details] > Test reduction > > This happens when we start mutating the renderer tree while laying it out. > <body> > <span> > <li> > 1. floating <li> is being laid out by the body (<span> is the direct parent > but the containing block is the body) > 2. we insert a new renderer (list marker) and dirty the ancestor chain > 3. we never get to lay out the <span> Scratch the containing block part, it's just a floating renderer and not an out of flow positioned one.
alan
Comment 3 2016-10-03 16:21:38 PDT
Created attachment 290534 [details] Patch
alan
Comment 4 2016-10-03 16:23:25 PDT
Alternatively we could make RenderObject::markContainingBlocksForLayout smarter and figure out the floating case, but I am sure we don't have all the information at this point to make that decision.
Simon Fraser (smfr)
Comment 5 2016-10-03 16:24:11 PDT
Comment on attachment 290534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=290534&action=review > Source/WebCore/rendering/RenderListItem.cpp:290 > + // FIXME: We should stop mutating the renderer tree during layout. I think this comment would be better if it described why you added these lines. Something like "mark the parent dirty so that when the marker dirties ancestors, it stops at the parent."
alan
Comment 6 2016-10-03 20:02:39 PDT
Created attachment 290558 [details] Patch
alan
Comment 7 2016-10-03 20:03:31 PDT
Created attachment 290559 [details] Patch
WebKit Commit Bot
Comment 8 2016-10-03 20:36:24 PDT
Comment on attachment 290559 [details] Patch Clearing flags on attachment: 290559 Committed r206765: <http://trac.webkit.org/changeset/206765>
WebKit Commit Bot
Comment 9 2016-10-03 20:36:28 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.