From 0bb3a858a567832c6310c2cb922ad9286cd5b39e Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Apr 06 2016 20:38:21 +0000
Subject: Add missing patch


---

diff --git a/webkitgtk-2.12.0-repaintOrMarkForLayout.patch b/webkitgtk-2.12.0-repaintOrMarkForLayout.patch
new file mode 100644
index 0000000..9d6494c
--- /dev/null
+++ b/webkitgtk-2.12.0-repaintOrMarkForLayout.patch
@@ -0,0 +1,236 @@
+From 43b6b949b80310c90d1628d660a8319c20f00246 Mon Sep 17 00:00:00 2001
+From: "zalan@apple.com" <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Fri, 25 Mar 2016 23:45:13 +0000
+Subject: [PATCH] RenderImage::repaintOrMarkForLayout fails when the renderer
+ is detached. https://bugs.webkit.org/show_bug.cgi?id=155885
+ <rdar://problem/25359164>
+
+Reviewed by Simon Fraser.
+
+Making containingBlockFor* functions standalone ensures that we don't
+call them on an invalid object.
+
+Covered by existing tests.
+
+* dom/Element.cpp:
+(WebCore::layoutOverflowRectContainsAllDescendants):
+* rendering/LogicalSelectionOffsetCaches.h:
+(WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):
+* rendering/RenderElement.cpp:
+(WebCore::containingBlockForFixedPosition):
+(WebCore::containingBlockForAbsolutePosition):
+(WebCore::containingBlockForObjectInFlow):
+(WebCore::RenderElement::containingBlockForFixedPosition): Deleted.
+(WebCore::RenderElement::containingBlockForAbsolutePosition): Deleted.
+(WebCore::isNonRenderBlockInline): Deleted.
+(WebCore::RenderElement::containingBlockForObjectInFlow): Deleted.
+* rendering/RenderElement.h:
+* rendering/RenderInline.cpp:
+(WebCore::RenderInline::styleWillChange):
+* rendering/RenderObject.cpp:
+(WebCore::RenderObject::containingBlock):
+
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@198701 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ Source/WebCore/ChangeLog                           | 31 +++++++++
+ Source/WebCore/dom/Element.cpp                     |  2 +-
+ .../rendering/LogicalSelectionOffsetCaches.h       |  6 +-
+ Source/WebCore/rendering/RenderElement.cpp         | 79 ++++++++++------------
+ Source/WebCore/rendering/RenderElement.h           |  7 +-
+ Source/WebCore/rendering/RenderInline.cpp          |  2 +-
+ Source/WebCore/rendering/RenderObject.cpp          | 12 ++--
+ 7 files changed, 82 insertions(+), 57 deletions(-)
+
+diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
+index 75fe8f8..e904e9b 100644
+--- a/Source/WebCore/dom/Element.cpp
++++ b/Source/WebCore/dom/Element.cpp
+@@ -974,7 +974,7 @@ static bool layoutOverflowRectContainsAllDescendants(const RenderElement& render
+     }
+ 
+     // This renderer may have positioned descendants whose containing block is some ancestor.
+-    if (auto containingBlock = renderer.containingBlockForAbsolutePosition()) {
++    if (auto containingBlock = containingBlockForAbsolutePosition(&renderer)) {
+         if (auto positionedObjects = containingBlock->positionedObjects()) {
+             for (RenderBox* it : *positionedObjects) {
+                 if (it != &renderer && renderer.element()->contains(it->element()))
+diff --git a/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h b/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h
+index a3f8112..aefe107 100644
+--- a/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h
++++ b/Source/WebCore/rendering/LogicalSelectionOffsetCaches.h
+@@ -91,9 +91,9 @@ public:
+         auto parent = rootBlock.parent();
+ 
+         // LogicalSelectionOffsetCaches should not be used on an orphaned tree.
+-        m_containingBlockForFixedPosition.setBlock(parent->containingBlockForFixedPosition(), nullptr);
+-        m_containingBlockForAbsolutePosition.setBlock(parent->containingBlockForAbsolutePosition(), nullptr);
+-        m_containingBlockForInflowPosition.setBlock(parent->containingBlockForObjectInFlow(), nullptr);
++        m_containingBlockForFixedPosition.setBlock(containingBlockForFixedPosition(parent), nullptr);
++        m_containingBlockForAbsolutePosition.setBlock(containingBlockForAbsolutePosition(parent), nullptr);
++        m_containingBlockForInflowPosition.setBlock(containingBlockForObjectInFlow(parent), nullptr);
+     }
+ 
+     LogicalSelectionOffsetCaches(RenderBlock& block, const LogicalSelectionOffsetCaches& cache)
+diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
+index a17b8f6..9c19f5c 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
++++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -1585,48 +1585,6 @@ PassRefPtr<RenderStyle> RenderElement::getUncachedPseudoStyle(const PseudoStyleR
+     return styleResolver.pseudoStyleForElement(*element(), pseudoStyleRequest, *parentStyle);
+ }
+ 
+-RenderBlock* RenderElement::containingBlockForFixedPosition() const
+-{
+-    const RenderElement* object = this;
+-    while (object && !object->canContainFixedPositionObjects())
+-        object = object->parent();
+-
+-    ASSERT(!object || !object->isAnonymousBlock());
+-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
+-}
+-
+-RenderBlock* RenderElement::containingBlockForAbsolutePosition() const
+-{
+-    const RenderElement* object = this;
+-    while (object && !object->canContainAbsolutelyPositionedObjects())
+-        object = object->parent();
+-
+-    // For a relatively positioned inline, return its nearest non-anonymous containing block,
+-    // not the inline itself, to avoid having a positioned objects list in all RenderInlines
+-    // and use RenderBlock* as RenderElement::containingBlock's return type.
+-    // Use RenderBlock::container() to obtain the inline.
+-    if (object && !is<RenderBlock>(*object))
+-        object = object->containingBlock();
+-
+-    while (object && object->isAnonymousBlock())
+-        object = object->containingBlock();
+-
+-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
+-}
+-
+-static inline bool isNonRenderBlockInline(const RenderElement& object)
+-{
+-    return (object.isInline() && !object.isReplaced()) || !object.isRenderBlock();
+-}
+-
+-RenderBlock* RenderElement::containingBlockForObjectInFlow() const
+-{
+-    const RenderElement* object = this;
+-    while (object && isNonRenderBlockInline(*object))
+-        object = object->parent();
+-    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
+-}
+-
+ Color RenderElement::selectionColor(int colorProperty) const
+ {
+     // If the element is unselectable, or we are only painting the selection,
+@@ -2210,4 +2168,41 @@ void RenderElement::updateOutlineAutoAncestor(bool hasOutlineAuto) const
+         downcast<RenderBoxModelObject>(*this).continuation()->updateOutlineAutoAncestor(hasOutlineAuto);
+ }
+ 
++RenderBlock* containingBlockForFixedPosition(const RenderElement* element)
++{
++    const auto* object = element;
++    while (object && !object->canContainFixedPositionObjects())
++        object = object->parent();
++
++    ASSERT(!object || !object->isAnonymousBlock());
++    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
++}
++
++RenderBlock* containingBlockForAbsolutePosition(const RenderElement* element)
++{
++    const auto* object = element;
++    while (object && !object->canContainAbsolutelyPositionedObjects())
++        object = object->parent();
++
++    // For a relatively positioned inline, return its nearest non-anonymous containing block,
++    // not the inline itself, to avoid having a positioned objects list in all RenderInlines
++    // and use RenderBlock* as RenderElement::containingBlock's return type.
++    // Use RenderBlock::container() to obtain the inline.
++    if (object && !is<RenderBlock>(*object))
++        object = object->containingBlock();
++
++    while (object && object->isAnonymousBlock())
++        object = object->containingBlock();
++
++    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
++}
++
++RenderBlock* containingBlockForObjectInFlow(const RenderElement* element)
++{
++    const auto* object = element;
++    while (object && ((object->isInline() && !object->isReplaced()) || !object->isRenderBlock()))
++        object = object->parent();
++    return const_cast<RenderBlock*>(downcast<RenderBlock>(object));
++}
++
+ }
+diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
+index ec15a67..02e5449 100644
+--- a/Source/WebCore/rendering/RenderElement.h
++++ b/Source/WebCore/rendering/RenderElement.h
+@@ -71,10 +71,6 @@ public:
+     bool canContainFixedPositionObjects() const;
+     bool canContainAbsolutelyPositionedObjects() const;
+ 
+-    RenderBlock* containingBlockForFixedPosition() const;
+-    RenderBlock* containingBlockForAbsolutePosition() const;
+-    RenderBlock* containingBlockForObjectInFlow() const;
+-
+     Color selectionColor(int colorProperty) const;
+     PassRefPtr<RenderStyle> selectionPseudoStyle() const;
+ 
+@@ -495,6 +491,9 @@ inline LayoutUnit adjustLayoutUnitForAbsoluteZoom(LayoutUnit value, const Render
+     return adjustLayoutUnitForAbsoluteZoom(value, renderer.style());
+ }
+ 
++RenderBlock* containingBlockForFixedPosition(const RenderElement*);
++RenderBlock* containingBlockForAbsolutePosition(const RenderElement*);
++RenderBlock* containingBlockForObjectInFlow(const RenderElement*);
+ } // namespace WebCore
+ 
+ SPECIALIZE_TYPE_TRAITS_RENDER_OBJECT(RenderElement, isRenderElement())
+diff --git a/Source/WebCore/rendering/RenderInline.cpp b/Source/WebCore/rendering/RenderInline.cpp
+index b6c6b54..38ed407 100644
+--- a/Source/WebCore/rendering/RenderInline.cpp
++++ b/Source/WebCore/rendering/RenderInline.cpp
+@@ -171,7 +171,7 @@ void RenderInline::styleWillChange(StyleDifference diff, const RenderStyle& newS
+     // Check if this inline can hold absolute positioned elmements even after the style change.
+     if (canContainAbsolutelyPositionedObjects() && newStyle.position() == StaticPosition) {
+         // RenderInlines forward their absolute positioned descendants to their (non-anonymous) containing block.
+-        auto* container = containingBlockForAbsolutePosition();
++        auto* container = containingBlockForAbsolutePosition(this);
+         if (container && !container->canContainAbsolutelyPositionedObjects())
+             container->removePositionedObjects(nullptr, NewContainingBlock);
+     }
+diff --git a/Source/WebCore/rendering/RenderObject.cpp b/Source/WebCore/rendering/RenderObject.cpp
+index 3b9548f..edb4f33 100644
+--- a/Source/WebCore/rendering/RenderObject.cpp
++++ b/Source/WebCore/rendering/RenderObject.cpp
+@@ -706,15 +706,15 @@ RenderBlock* RenderObject::containingBlock() const
+ 
+     const RenderStyle& style = this->style();
+     if (!is<RenderText>(*this) && style.position() == FixedPosition)
+-        parent = parent->containingBlockForFixedPosition();
++        parent = containingBlockForFixedPosition(parent);
+     else if (!is<RenderText>(*this) && style.position() == AbsolutePosition)
+-        parent = parent->containingBlockForAbsolutePosition();
++        parent = containingBlockForAbsolutePosition(parent);
+     else
+-        parent = parent->containingBlockForObjectInFlow();
+-
+-    if (!is<RenderBlock>(parent))
+-        return nullptr; // This can still happen in case of an orphaned tree
++        parent = containingBlockForObjectInFlow(parent);
+ 
++    // This can still happen in case of an detached tree
++    if (!parent)
++        return nullptr;
+     return downcast<RenderBlock>(parent);
+ }
+ 
+-- 
+2.5.5
+