Bug 1419762 - Return the inline continuation of an IB split when appending. r=mats, a=jcristau
authorEmilio Cobos Álvarez <emilio@crisal.io>
Thu, 23 Nov 2017 01:01:34 +0100
changeset 445301 df5c32622c0aad4a465951b0ec248138f9113a0b
parent 445300 4186bb70043e1c56d2211d83273d47d631963891
child 445302 aa78bfc225318b8e86f07ac56d8b65055e6d4f82
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
treeherdermozilla-release@882ca853e05a [default view] [failures only]
reviewersmats, jcristau
bugs1419762
milestone58.0
Bug 1419762 - Return the inline continuation of an IB split when appending. r=mats, a=jcristau The only reason not to do that is when there's after content in there. We know that there isn't really any ::after content, since it would've been handled by FindNextSibling, so we know we're performing a real append. MozReview-Commit-ID: ExoPolZy4gG
layout/base/crashtests/1419762.html
layout/base/crashtests/crashtests.list
layout/base/nsCSSFrameConstructor.cpp
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1419762.html
@@ -0,0 +1,15 @@
+<style id='style_1'>
+  :first-child { display: table-column-group; }
+</style>
+<script>
+  try { o1 = document.createElement('isindex') } catch(e) { }
+  try { o2 = document.createElement('input') } catch(e) { }
+  try { o3 = document.createElement('optgroup') } catch(e) { }
+  try { o4 = document.createElement('col') } catch(e) { }
+  try { document.documentElement.appendChild(o1) } catch(e) { }
+  try { o1.appendChild(o2) } catch(e) { }
+  try { o1.appendChild(o3) } catch(e) { }
+  try { document.documentElement.offsetTop; } catch (e) { }
+  try { document.documentElement.appendChild(o4) } catch(e) { }
+  try { document.styleSheets[0].insertRule('optgroup::first-line { list-style-type: japanese-formal; }', 0); } catch(e) { }
+</script>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -510,8 +510,9 @@ load 1401739.html
 load 1401840.html
 load 1402476.html
 load 1404789-1.html
 load 1404789-2.html
 load 1406562.html
 load 1409088.html
 load 1409147.html
 load 1411138.html
+load 1419762.html
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -7074,20 +7074,21 @@ nsCSSFrameConstructor::GetInsertionPrevS
     }
     if (nsIFrame* nextSibling = FindNextSibling(iter, childDisplay)) {
       aInsertion->mParentFrame = nextSibling->GetParent()->GetContentInsertionFrame();
     } else {
       // No previous or next sibling, so treat this like an appended frame.
       *aIsAppend = true;
       if (IsFramePartOfIBSplit(aInsertion->mParentFrame)) {
         // Since we're appending, we'll walk to the last anonymous frame
-        // that was created for the broken inline frame.  But don't walk
-        // to the trailing inline if it's empty; stop at the block.
+        // that was created for the broken inline frame. We can walk to the
+        // trailing inline, since we know this is a real append, and not an
+        // insert (that would've been handled by `FindNextSibling`).
         aInsertion->mParentFrame =
-          GetLastIBSplitSibling(aInsertion->mParentFrame, false);
+          GetLastIBSplitSibling(aInsertion->mParentFrame, true);
       }
       // Get continuation that parents the last child.
       aInsertion->mParentFrame =
         nsLayoutUtils::LastContinuationWithChild(aInsertion->mParentFrame);
       // Deal with fieldsets
       aInsertion->mParentFrame =
         ::GetAdjustedParentFrame(aInsertion->mParentFrame, aChild);
       prevSibling = ::FindAppendPrevSibling(aInsertion->mParentFrame, nullptr);
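Review bot: The rewritten comment above the `GetLastIBSplitSibling` call omits the condition that makes walking to the trailing inline safe: per the commit message, no ::after content can be in that inline, because `FindNextSibling` would already have returned it. Choosing the wrong parent here is what the accompanying crashtest guards against, so I would state it in the code, e.g. `// Any ::after content in the trailing inline would have been found by FindNextSibling above, so this is a real append.` The bare `true` is also opaque at the call site; annotating it with the parameter name from the declaration (not visible in this hunk; it appears to be `aReturnEmptyTrailingInline`) would help: `GetLastIBSplitSibling(aInsertion->mParentFrame, /* aReturnEmptyTrailingInline = */ true);`. The enclosing function starts and ends outside the hunk.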