[webkit-changes] [145754] trunk/Source/WebCore

Title: [145754] trunk/Source/WebCore Revision 145754 Author infe...@chromium.org Date 2013-03-13 14:38:19 -0700 (Wed, 13 Mar 2013) Log Message Crash in CompositeEditCommand::insertNodeAt. https://bugs.webkit.org/show_bug.cgi?id=112280 Reviewed by Ryosuke Niwa. *

[webkit-changes] [145562] trunk/Source

Title: [145562] trunk/Source Revision 145562 Author infe...@chromium.org Date 2013-03-12 10:44:37 -0700 (Tue, 12 Mar 2013) Log Message Replace static_casts with to* functions. https://bugs.webkit.org/show_bug.cgi?id=112072 Reviewed by Philip Rogers. to* functions are preferred over

[webkit-changes] [145596] trunk/Source

Title: [145596] trunk/Source Revision 145596 Author infe...@chromium.org Date 2013-03-12 15:21:28 -0700 (Tue, 12 Mar 2013) Log Message Replace static_casts with to* helper functions. https://bugs.webkit.org/show_bug.cgi?id=112164 Reviewed by Philip Rogers. to* helper functions are

[webkit-changes] [145399] trunk/Source

Title: [145399] trunk/Source Revision 145399 Author infe...@chromium.org Date 2013-03-11 13:57:44 -0700 (Mon, 11 Mar 2013) Log Message Add ASSERT_WITH_SECURITY_IMPLICATION to catch bad casts. https://bugs.webkit.org/show_bug.cgi?id=112060 Reviewed by Eric Seidel. Source/WebCore: *

[webkit-changes] [145444] trunk/Source

Title: [145444] trunk/Source Revision 145444 Author infe...@chromium.org Date 2013-03-11 17:50:46 -0700 (Mon, 11 Mar 2013) Log Message Replace static_cast with to* helper functions. https://bugs.webkit.org/show_bug.cgi?id=112045 Reviewed by Eric Seidel. Source/WebCore: *

[webkit-changes] [145462] trunk/Source

Title: [145462] trunk/Source Revision 145462 Author infe...@chromium.org Date 2013-03-11 18:59:09 -0700 (Mon, 11 Mar 2013) Log Message Replace static_casts with to* functions. https://bugs.webkit.org/show_bug.cgi?id=112072 Reviewed by Philip Rogers. to* functions are preferred over

[webkit-changes] [145013] trunk/Source/WebCore

Title: [145013] trunk/Source/WebCore Revision 145013 Author infe...@chromium.org Date 2013-03-06 17:24:42 -0800 (Wed, 06 Mar 2013) Log Message Crash in SVGViewSpec::viewTarget https://bugs.webkit.org/show_bug.cgi?id=111648 Reviewed by Philip Rogers. * svg/SVGViewSpec.cpp:

[webkit-changes] [142922] trunk

Title: [142922] trunk Revision 142922 Author infe...@chromium.org Date 2013-02-14 14:34:44 -0800 (Thu, 14 Feb 2013) Log Message Bad cast in RenderBlock::splitBlocks. https://bugs.webkit.org/show_bug.cgi?id=108691 Reviewed by Levi Weintraub. Source/WebCore: Test:

[webkit-changes] [142816] trunk

Title: [142816] trunk Revision 142816 Author infe...@chromium.org Date 2013-02-13 15:44:59 -0800 (Wed, 13 Feb 2013) Log Message ASSERTION FAILED: !object || object-isBox(), Bad cast in RenderBox::computeLogicalHeight https://bugs.webkit.org/show_bug.cgi?id=107748 Reviewed by Levi

[webkit-changes] [142642] trunk/Source/WebCore

Title: [142642] trunk/Source/WebCore Revision 142642 Author infe...@chromium.org Date 2013-02-12 10:49:38 -0800 (Tue, 12 Feb 2013) Log Message Heap-use-after-free in WebCore::DeleteButtonController::enable https://bugs.webkit.org/show_bug.cgi?id=109447 Reviewed by Ryosuke Niwa. RefPtr

[webkit-changes] [141516] trunk/Source/WebCore

Title: [141516] trunk/Source/WebCore Revision 141516 Author infe...@chromium.org Date 2013-01-31 17:39:31 -0800 (Thu, 31 Jan 2013) Log Message Use ASSERT_WITH_SECURITY_IMPLICATION to catch bad casts in DOM https://bugs.webkit.org/show_bug.cgi?id=108490 Reviewed by Eric Seidel. *

[webkit-changes] [140848] trunk

Title: [140848] trunk Revision 140848 Author infe...@chromium.org Date 2013-01-25 10:45:23 -0800 (Fri, 25 Jan 2013) Log Message Regression(r139836): Crash in WTF::equalIgnoringCase https://bugs.webkit.org/show_bug.cgi?id=107703 Reviewed by Eric Seidel. Source/WebCore: Check |a| is a

[webkit-changes] [140552] branches/chromium/1391

Title: [140552] branches/chromium/1391 Revision 140552 Author infe...@chromium.org Date 2013-01-23 10:52:26 -0800 (Wed, 23 Jan 2013) Log Message Revert 140206 Modified Paths branches/chromium/1391/Source/WebCore/rendering/RenderBox.cpp Removed Paths

[webkit-changes] [140633] trunk/Source

Title: [140633] trunk/Source Revision 140633 Author infe...@chromium.org Date 2013-01-23 18:55:32 -0800 (Wed, 23 Jan 2013) Log Message Add support for ASSERT_WITH_SECURITY_IMPLICATION. https://bugs.webkit.org/show_bug.cgi?id=107699 Reviewed by Eric Seidel. Source/WebCore: *

[webkit-changes] [140435] trunk

Title: [140435] trunk Revision 140435 Author infe...@chromium.org Date 2013-01-22 10:17:37 -0800 (Tue, 22 Jan 2013) Log Message Heap-use-after-free in WebCore::RenderObject::isDescendantOf https://bugs.webkit.org/show_bug.cgi?id=107226 Reviewed by Emil A Eklund. Source/WebCore: Test:

[webkit-changes] [140206] trunk

Title: [140206] trunk Revision 140206 Author infe...@chromium.org Date 2013-01-18 14:12:53 -0800 (Fri, 18 Jan 2013) Log Message Heap-use-after-free in WebCore::RenderObject::isDescendantOf https://bugs.webkit.org/show_bug.cgi?id=107226 Reviewed by David Hyatt. Source/WebCore: Test:

[webkit-changes] [140069] trunk

Title: [140069] trunk Revision 140069 Author infe...@chromium.org Date 2013-01-17 16:22:41 -0800 (Thu, 17 Jan 2013) Log Message Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine https://bugs.webkit.org/show_bug.cgi?id=90802 Reviewed by Julien Chaffraix.

[webkit-changes] [139470] trunk/Source/WebCore

Title: [139470] trunk/Source/WebCore Revision 139470 Author infe...@chromium.org Date 2013-01-11 11:35:31 -0800 (Fri, 11 Jan 2013) Log Message Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths https://bugs.webkit.org/show_bug.cgi?id=95901 Reviewed by Simon

[webkit-changes] [139213] trunk/Source/WebCore

Title: [139213] trunk/Source/WebCore Revision 139213 Author infe...@chromium.org Date 2013-01-09 11:08:58 -0800 (Wed, 09 Jan 2013) Log Message Mitigate out-of-bounds access in InlineIterator https://bugs.webkit.org/show_bug.cgi?id=104812 Reviewed by Levi Weintraub. Share code between

[webkit-changes] [138969] branches/chromium/1312

Title: [138969] branches/chromium/1312 Revision 138969 Author infe...@chromium.org Date 2013-01-07 11:36:45 -0800 (Mon, 07 Jan 2013) Log Message Revert 137759 Review URL: https://codereview.chromium.org/11784026 Modified Paths

[webkit-changes] [138974] trunk

on ClusterFuzz (Requested by inferno-sec on #webkit). Patch by Sheriff Bot webkit.review@gmail.com on 2013-01-07 Source/WebCore: * rendering/RenderBlock.cpp: (WebCore::RenderBlock::startDelayUpdateScrollInfo): (WebCore::RenderBlock::finishDelayUpdateScrollInfo): LayoutTests: * mathml/mo-stretch

[webkit-changes] [138988] trunk

Title: [138988] trunk Revision 138988 Author infe...@chromium.org Date 2013-01-07 14:07:45 -0800 (Mon, 07 Jan 2013) Log Message Heap-buffer-overflow in WebCore::RenderBlock::clone. https://bugs.webkit.org/show_bug.cgi?id=101984 Reviewed by Julien Chaffraix. Source/WebCore: Add a

[webkit-changes] [138918] trunk

Title: [138918] trunk Revision 138918 Author infe...@chromium.org Date 2013-01-06 10:53:15 -0800 (Sun, 06 Jan 2013) Log Message Heap-use-after-free in WebCore::Document::implicitClose https://bugs.webkit.org/show_bug.cgi?id=105655 Reviewed by Eric Seidel. Source/WebCore: Test:

[webkit-changes] [138926] trunk

Title: [138926] trunk Revision 138926 Author infe...@chromium.org Date 2013-01-06 23:15:33 -0800 (Sun, 06 Jan 2013) Log Message Heap-use-after-free in DocumentLoader::stopLoading https://bugs.webkit.org/show_bug.cgi?id=103656 Reviewed by Eric Seidel. Source/WebCore: Test:

[webkit-changes] [138850] trunk

Title: [138850] trunk Revision 138850 Author infe...@chromium.org Date 2013-01-04 13:37:46 -0800 (Fri, 04 Jan 2013) Log Message Crash in WebCore::RenderBlock::willBeDestroyed https://bugs.webkit.org/show_bug.cgi?id=103455 Reviewed by Eric Seidel. Source/WebCore: It is not required to

[webkit-changes] [138863] trunk/Source/WebCore

Title: [138863] trunk/Source/WebCore Revision 138863 Author infe...@chromium.org Date 2013-01-04 15:47:58 -0800 (Fri, 04 Jan 2013) Log Message Heap-use-after-free in WebCore::XMLDocumentParser::doEnd https://bugs.webkit.org/show_bug.cgi?id=100152 Reviewed by Adam Barth.

[webkit-changes] [138657] trunk/Source/WebCore

Title: [138657] trunk/Source/WebCore Revision 138657 Author infe...@chromium.org Date 2013-01-02 15:03:24 -0800 (Wed, 02 Jan 2013) Log Message Crash in WebCore::Element::cloneElementWithoutChildren. https://bugs.webkit.org/show_bug.cgi?id=105949 Reviewed by Ryosuke Niwa. RefPtr

[webkit-changes] [136739] branches/chromium/1312/Source/WebKit/chromium/features.gypi

Title: [136739] branches/chromium/1312/Source/WebKit/chromium/features.gypi Revision 136739 Author infe...@chromium.org Date 2012-12-05 12:46:59 -0800 (Wed, 05 Dec 2012) Log Message Turn off MATHML for Chromium m24 BUG=164454 Review URL: https://codereview.chromium.org/11437027 Modified

[webkit-changes] [136560] trunk

Title: [136560] trunk Revision 136560 Author infe...@chromium.org Date 2012-12-04 13:50:18 -0800 (Tue, 04 Dec 2012) Log Message Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue https://bugs.webkit.org/show_bug.cgi?id=100621 Reviewed by Eric Seidel. Source/WebCore: r115639

[webkit-changes] [136619] trunk/Source/WebCore

Title: [136619] trunk/Source/WebCore Revision 136619 Author infe...@chromium.org Date 2012-12-04 20:18:36 -0800 (Tue, 04 Dec 2012) Log Message Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode https://bugs.webkit.org/show_bug.cgi?id=103515 Reviewed by Ryosuke Niwa.

[webkit-changes] [136253] trunk

Title: [136253] trunk Revision 136253 Author infe...@chromium.org Date 2012-11-30 10:14:48 -0800 (Fri, 30 Nov 2012) Log Message Crash due to intruding float not removed after writing mode changed. https://bugs.webkit.org/show_bug.cgi?id=100149 Reviewed by Levi Weintraub.

[webkit-changes] [136060] trunk

Title: [136060] trunk Revision 136060 Author infe...@chromium.org Date 2012-11-28 14:46:59 -0800 (Wed, 28 Nov 2012) Log Message Source/WebCore: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL LayoutTests: Heap-use-after-free in

[webkit-changes] [136062] trunk/Source/WebCore

Title: [136062] trunk/Source/WebCore Revision 136062 Author infe...@chromium.org Date 2012-11-28 14:53:55 -0800 (Wed, 28 Nov 2012) Log Message Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent https://bugs.webkit.org/show_bug.cgi?id=101098 Reviewed by Adam Barth.

[webkit-changes] [136093] branches/chromium/1312/Source/WebCore/platform/graphics/skia/ SimpleFontDataSkia.cpp

Title: [136093] branches/chromium/1312/Source/WebCore/platform/graphics/skia/SimpleFontDataSkia.cpp Revision 136093 Author infe...@chromium.org Date 2012-11-28 21:27:38 -0800 (Wed, 28 Nov 2012) Log Message Merge 133494 - Implement SimpleFontData::platformBoundsForGlyph on skia BUG=152430

[webkit-changes] [136094] branches/chromium/1312/Source/WebCore/rendering/mathml

Title: [136094] branches/chromium/1312/Source/WebCore/rendering/mathml Revision 136094 Author infe...@chromium.org Date 2012-11-28 21:29:54 -0800 (Wed, 28 Nov 2012) Log Message Merge 133221 - REGRESSION (r128837): mathml/presentation/subsup.xhtml became flaky BUG=152430 Review URL:

[webkit-changes] [135740] trunk

Title: [135740] trunk Revision 135740 Author infe...@chromium.org Date 2012-11-26 10:58:27 -0800 (Mon, 26 Nov 2012) Log Message Crash in Frame::dispatchVisibilityStateChangeEvent. https://bugs.webkit.org/show_bug.cgi?id=102053 Reviewed by Adam Barth. Source/WebCore: Child frame can go

[webkit-changes] [135303] trunk

Title: [135303] trunk Revision 135303 Author infe...@chromium.org Date 2012-11-20 11:46:29 -0800 (Tue, 20 Nov 2012) Log Message Crash in FrameLoader::stopLoading. https://bugs.webkit.org/show_bug.cgi?id=99504 Reviewed by Nate Chapin. Source/WebCore: Frame can be blown away in unload

[webkit-changes] [135193] trunk

Title: [135193] trunk Revision 135193 Author infe...@chromium.org Date 2012-11-19 13:43:28 -0800 (Mon, 19 Nov 2012) Log Message Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans. https://bugs.webkit.org/show_bug.cgi?id=100150 Reviewed by Ryosuke Niwa. Source/WebCore: RefPtr

[webkit-changes] [132110] branches/chromium/1271

Title: [132110] branches/chromium/1271 Revision 132110 Author infe...@chromium.org Date 2012-10-22 11:09:29 -0700 (Mon, 22 Oct 2012) Log Message Merge 130777 - Prevent animation when CSS attributeType is invalid. BUG=143648 Modified Paths

[webkit-changes] [132109] branches/chromium/1271/Source/WebCore/svg

Title: [132109] branches/chromium/1271/Source/WebCore/svg Revision 132109 Author infe...@chromium.org Date 2012-10-22 11:07:27 -0700 (Mon, 22 Oct 2012) Log Message Merge 129670 - Refactor SMILTimeContainer to maintain animation information instead of recalculating it every frame

[webkit-changes] [131762] branches/chromium/1271

Title: [131762] branches/chromium/1271 Revision 131762 Author infe...@chromium.org Date 2012-10-18 09:53:15 -0700 (Thu, 18 Oct 2012) Log Message Merge 129796 - Rewrite multithreaded filter job dispatching BUG=152104 Review URL: https://codereview.chromium.org/11192059 Modified Paths

[webkit-changes] [131763] branches/chromium/1271

Title: [131763] branches/chromium/1271 Revision 131763 Author infe...@chromium.org Date 2012-10-18 09:55:46 -0700 (Thu, 18 Oct 2012) Log Message Merge 129962 - REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient BUG=151424 Review URL:

[webkit-changes] [131764] branches/chromium/1271

Title: [131764] branches/chromium/1271 Revision 131764 Author infe...@chromium.org Date 2012-10-18 09:59:09 -0700 (Thu, 18 Oct 2012) Log Message Merge 153128 - Source/WebCore: [HarfBuzz] harfbuzz expects log_clusters to have same length as other buffers. BUG=155474 Review URL:

[webkit-changes] [131765] branches/chromium/1271/Source/WebCore/page/EventHandler.cpp

Title: [131765] branches/chromium/1271/Source/WebCore/page/EventHandler.cpp Revision 131765 Author infe...@chromium.org Date 2012-10-18 10:02:40 -0700 (Thu, 18 Oct 2012) Log Message Merge 130449 - Crash in EventHandler::mouseMoved(). BUG=153793 Review URL:

[webkit-changes] [131767] branches/chromium/1271

Title: [131767] branches/chromium/1271 Revision 131767 Author infe...@chromium.org Date 2012-10-18 10:10:14 -0700 (Thu, 18 Oct 2012) Log Message Merge 130777 - Prevent animation when CSS attributeType is invalid. BUG=143648 Review URL: https://codereview.chromium.org/11184044 Modified

[webkit-changes] [131770] branches/chromium/1271/Source/WebCore/inspector/InspectorDOMAgent. cpp

Title: [131770] branches/chromium/1271/Source/WebCore/inspector/InspectorDOMAgent.cpp Revision 131770 Author infe...@chromium.org Date 2012-10-18 10:18:08 -0700 (Thu, 18 Oct 2012) Log Message Merge 130910 - Web Inspector: protect node in the InspectorDOMNode::inspect BUG=154373 Review

[webkit-changes] [131771] branches/chromium/1271

Title: [131771] branches/chromium/1271 Revision 131771 Author infe...@chromium.org Date 2012-10-18 10:20:11 -0700 (Thu, 18 Oct 2012) Log Message Merge 130266 - AX: Heap-use-after-free when deleting a ContainerNode with an AX object BUG=129158 Review URL:

[webkit-changes] [131773] branches/chromium/1271

Title: [131773] branches/chromium/1271 Revision 131773 Author infe...@chromium.org Date 2012-10-18 10:31:07 -0700 (Thu, 18 Oct 2012) Log Message Merge 131077 - rdar://problem/12477191 Combined text reverts to full-width font after a style change BUG=150067 Review URL:

[webkit-changes] [131774] branches/chromium/1271

Title: [131774] branches/chromium/1271 Revision 131774 Author infe...@chromium.org Date 2012-10-18 10:42:54 -0700 (Thu, 18 Oct 2012) Log Message Revert 131767 - Merge 130777 - Prevent animation when CSS attributeType is invalid. BUG=143648 Review URL:

[webkit-changes] [130856] branches/chromium/1229/Source/WebCore/svg/SVGElementInstance.cpp

Title: [130856] branches/chromium/1229/Source/WebCore/svg/SVGElementInstance.cpp Revision 130856 Author infe...@chromium.org Date 2012-10-09 23:34:59 -0700 (Tue, 09 Oct 2012) Log Message Merge 130855 - Recursively detach SVGElementInstances Review URL:

[webkit-changes] [130858] branches/chromium/1229

Title: [130858] branches/chromium/1229 Revision 130858 Author infe...@chromium.org Date 2012-10-09 23:45:31 -0700 (Tue, 09 Oct 2012) Log Message Revert 130719 - Merge 130717 - HTMLSelectElement::typeAheadFind depends on implementation dependent behavior

[webkit-changes] [130859] branches/chromium/1229/Source/WebCore/inspector/front-end

Title: [130859] branches/chromium/1229/Source/WebCore/inspector/front-end Revision 130859 Author infe...@chromium.org Date 2012-10-09 23:46:08 -0700 (Tue, 09 Oct 2012) Log Message Revert 130484 - Merge 124886 - Web Inspector: Do not disable network tracking while profiling cpu.

[webkit-changes] [130860] branches/chromium/1229/Source/WebCore/inspector/front-end/ inspector.css

Title: [130860] branches/chromium/1229/Source/WebCore/inspector/front-end/inspector.css Revision 130860 Author infe...@chromium.org Date 2012-10-09 23:46:36 -0700 (Tue, 09 Oct 2012) Log Message Revert 130482 - Merge 125255 - Web Inspector: Search matches count view is flaky.

[webkit-changes] [129518] branches/chromium/1229

Title: [129518] branches/chromium/1229 Revision 129518 Author infe...@chromium.org Date 2012-09-25 09:37:25 -0700 (Tue, 25 Sep 2012) Log Message Merge 129469 - adoptNode() shouldn't reset ownerDocument if the source node failed to remove itself BUG=150966 Review URL:

[webkit-changes] [129583] trunk/Source/WebCore

Title: [129583] trunk/Source/WebCore Revision 129583 Author infe...@chromium.org Date 2012-09-25 19:14:07 -0700 (Tue, 25 Sep 2012) Log Message Mask RenderArena freelist entries. https://bugs.webkit.org/show_bug.cgi?id=97494 Patch by Justin Schuh jsc...@chromium.org on 2012-09-25

[webkit-changes] [129253] branches/chromium/1271/Source/WebKit/chromium/features.gypi

Title: [129253] branches/chromium/1271/Source/WebKit/chromium/features.gypi Revision 129253 Author infe...@chromium.org Date 2012-09-21 14:24:17 -0700 (Fri, 21 Sep 2012) Log Message Merge 125155 - Disable iframe seamless for m23. Review URL: https://codereview.chromium.org/10970046

[webkit-changes] [129271] branches/chromium/1229/Source/WebCore/dom/Document.cpp

Title: [129271] branches/chromium/1229/Source/WebCore/dom/Document.cpp Revision 129271 Author infe...@chromium.org Date 2012-09-21 16:22:18 -0700 (Fri, 21 Sep 2012) Log Message Merge 129270 - Crash in WebCore::Document::fullScreenChangeDelayTimerFired BUG=147700 Review URL:

[webkit-changes] [127071] trunk

Title: [127071] trunk Revision 127071 Author infe...@chromium.org Date 2012-08-29 17:42:04 -0700 (Wed, 29 Aug 2012) Log Message Crash in WebCore::StyleSheetContents::checkLoadCompleted. https://bugs.webkit.org/show_bug.cgi?id=95106 Reviewed by Antti Koivisto. Source/WebCore: RefPtr

[webkit-changes] [125751] trunk/Source/WebCore

on ClusterFuzz due to incorrect layout ordering change (Requested by inferno-sec on #webkit). Patch by Sheriff Bot webkit.review@gmail.com on 2012-08-16 * dom/CharacterData.cpp: (WebCore::CharacterData::setDataAndUpdate): * editing/FrameSelection.cpp: (WebCore::updatePositionAfterAdoptingTextReplacement

[webkit-changes] [125810] trunk

Title: [125810] trunk Revision 125810 Author infe...@chromium.org Date 2012-08-16 13:50:05 -0700 (Thu, 16 Aug 2012) Log Message Regression(r118248): Replaced element not layout https://bugs.webkit.org/show_bug.cgi?id=85804 Reviewed by Levi Weintraub. Source/WebCore: r118248 moved the

[webkit-changes] [125607] branches/chromium/1180

Title: [125607] branches/chromium/1180 Revision 125607 Author infe...@chromium.org Date 2012-08-14 14:33:21 -0700 (Tue, 14 Aug 2012) Log Message Merge 123822 - [Chromium] Regression: Global-buffer-overflow in WebCore::mediaControlElementType BUG=132270 Review URL:

[webkit-changes] [125353] trunk/Source/WebCore

Title: [125353] trunk/Source/WebCore Revision 125353 Author infe...@chromium.org Date 2012-08-11 09:07:22 -0700 (Sat, 11 Aug 2012) Log Message Unreviewed. Removing newly added assert in r125351 since it is exposing legitimate layout bugs in few tests. We will re-add the assert after

[webkit-changes] [125315] trunk/Source/WebCore

Title: [125315] trunk/Source/WebCore Revision 125315 Author infe...@chromium.org Date 2012-08-10 12:41:20 -0700 (Fri, 10 Aug 2012) Log Message Crash on accessing a removed layout root in FrameView::scheduleRelayout. https://bugs.webkit.org/show_bug.cgi?id=91368 Reviewed by Levi

[webkit-changes] [125155] branches/chromium/1229/Source/WebKit/chromium/features.gypi

Title: [125155] branches/chromium/1229/Source/WebKit/chromium/features.gypi Revision 125155 Author infe...@chromium.org Date 2012-08-08 23:39:05 -0700 (Wed, 08 Aug 2012) Log Message Revert 116356 - Disable Iframe seamless for m22. BUG=138422 Review URL:

[webkit-changes] [124888] trunk

Title: [124888] trunk Revision 124888 Author infe...@chromium.org Date 2012-08-07 07:51:33 -0700 (Tue, 07 Aug 2012) Log Message Crash in InlineFlowBox::deleteLine. https://bugs.webkit.org/show_bug.cgi?id=88795 Reviewed by Tony Chang. Source/WebCore: When we move the fullscreen object

[webkit-changes] [124914] trunk

Title: [124914] trunk Revision 124914 Author infe...@chromium.org Date 2012-08-07 13:21:11 -0700 (Tue, 07 Aug 2012) Log Message Crash in ContainerNode::cloneChildNodes. https://bugs.webkit.org/show_bug.cgi?id=93378 Reviewed by Levi Weintraub. Source/WebCore: Re-enabling the editing

[webkit-changes] [124776] trunk/Source/WebCore

Title: [124776] trunk/Source/WebCore Revision 124776 Author infe...@chromium.org Date 2012-08-06 09:30:40 -0700 (Mon, 06 Aug 2012) Log Message Crash in FrameLoader::stopAllLoaders. https://bugs.webkit.org/show_bug.cgi?id=90805 Reviewed by Nate Chapin. Calling

[webkit-changes] [124785] trunk/Tools

Title: [124785] trunk/Tools Revision 124785 Author infe...@chromium.org Date 2012-08-06 11:15:15 -0700 (Mon, 06 Aug 2012) Log Message [Chromium] Re-expose layoutTestController as various fuzzers depend on it https://bugs.webkit.org/show_bug.cgi?id=93282 Reviewed by Ryosuke Niwa.

[webkit-changes] [124580] trunk/Source/WebCore

Title: [124580] trunk/Source/WebCore Revision 124580 Author infe...@chromium.org Date 2012-08-03 01:15:35 -0700 (Fri, 03 Aug 2012) Log Message Regression(r124564): Wrong inlineChildrenBlock-hasLayer() computed in RenderBlock::removeChild. https://bugs.webkit.org/show_bug.cgi?id=90800

[webkit-changes] [124641] trunk/Source/WebCore

://bugs.webkit.org/show_bug.cgi?id=93151 Causing assertion failures in table-section-node-at-point- crash.html (Requested by inferno-sec on #webkit). Patch by Sheriff Bot webkit.review@gmail.com on 2012-08-03 * rendering/RenderTableSection.cpp: (WebCore::RenderTableSection::paint): Modified Paths trunk

[webkit-changes] [124491] trunk

Title: [124491] trunk Revision 124491 Author infe...@chromium.org Date 2012-08-02 13:44:31 -0700 (Thu, 02 Aug 2012) Log Message No isChildAllowed checked when adding RenderFullScreen as the child.. https://bugs.webkit.org/show_bug.cgi?id=92995 Reviewed by Eric Seidel. Source/WebCore:

[webkit-changes] [124564] trunk

Title: [124564] trunk Revision 124564 Author infe...@chromium.org Date 2012-08-02 22:53:38 -0700 (Thu, 02 Aug 2012) Log Message Crash due to layer not removed from parent for anonymous block. https://bugs.webkit.org/show_bug.cgi?id=90800 Reviewed by Kent Tamura. Source/WebCore:

[webkit-changes] [123528] branches/chromium/1180

Title: [123528] branches/chromium/1180 Revision 123528 Author infe...@chromium.org Date 2012-07-24 14:35:34 -0700 (Tue, 24 Jul 2012) Log Message Merge 123128 - Crash in WebCore::StyleResolver::collectMatchingRulesForList https://bugs.webkit.org/show_bug.cgi?id=90803 BUG=136235 Review

[webkit-changes] [123529] branches/chromium/1180/Source/WebCore/html/shadow/ TextFieldDecorationElement.cpp

Title: [123529] branches/chromium/1180/Source/WebCore/html/shadow/TextFieldDecorationElement.cpp Revision 123529 Author infe...@chromium.org Date 2012-07-24 14:37:27 -0700 (Tue, 24 Jul 2012) Log Message Merge 123187 - [Chromium] Fix an assertion failure in

[webkit-changes] [123531] branches/chromium/1180

Title: [123531] branches/chromium/1180 Revision 123531 Author infe...@chromium.org Date 2012-07-24 14:48:39 -0700 (Tue, 24 Jul 2012) Log Message Merge 122918 - Fix an assertion failure in CalendarPickerElement::hostInput(). https://bugs.webkit.org/show_bug.cgi?id=91568 BUG=137671 Review

[webkit-changes] [123534] branches/chromium/1180/Source/WebCore/html/shadow/ TextFieldDecorationElement.cpp

Title: [123534] branches/chromium/1180/Source/WebCore/html/shadow/TextFieldDecorationElement.cpp Revision 123534 Author infe...@chromium.org Date 2012-07-24 15:07:44 -0700 (Tue, 24 Jul 2012) Log Message Revert 123529 - Merge 123187 - [Chromium] Fix an assertion failure in

[webkit-changes] [123076] trunk/Source/WebCore

Title: [123076] trunk/Source/WebCore Revision 123076 Author infe...@chromium.org Date 2012-07-19 00:24:22 -0700 (Thu, 19 Jul 2012) Log Message Crash in FontCache::releaseFontData. https://bugs.webkit.org/show_bug.cgi?id=91710 Reviewed by Tim Horton. Revert back change made to

[webkit-changes] [121031] trunk

Title: [121031] trunk Revision 121031 Author infe...@chromium.org Date 2012-06-22 09:48:49 -0700 (Fri, 22 Jun 2012) Log Message Crash in DragController::concludeEditDrag. https://bugs.webkit.org/show_bug.cgi?id=89762 Reviewed by Ryosuke Niwa. Source/WebCore: RefPtr the innerFrame

[webkit-changes] [121001] trunk

Title: [121001] trunk Revision 121001 Author infe...@chromium.org Date 2012-06-21 21:01:57 -0700 (Thu, 21 Jun 2012) Log Message Crash in RenderBlock::layoutPositionedObjects. https://bugs.webkit.org/show_bug.cgi?id=89599 Reviewed by Julien Chaffraix. Source/WebCore: Test:

[webkit-changes] [120857] branches/chromium/1180

Title: [120857] branches/chromium/1180 Revision 120857 Author infe...@chromium.org Date 2012-06-20 13:33:43 -0700 (Wed, 20 Jun 2012) Log Message Merge 120737 - Crash in RenderInline::willBeDestroyed. BUG=103423 Review URL: https://chromiumcodereview.appspot.com/10575040 Modified Paths

[webkit-changes] [120862] trunk

Title: [120862] trunk Revision 120862 Author infe...@chromium.org Date 2012-06-20 14:20:29 -0700 (Wed, 20 Jun 2012) Log Message Crash on accessing a removed renderer from percent height descendant map. https://bugs.webkit.org/show_bug.cgi?id=88017 Reviewed by Eric Seidel.

[webkit-changes] [120731] trunk

Title: [120731] trunk Revision 120731 Author infe...@chromium.org Date 2012-06-19 10:43:22 -0700 (Tue, 19 Jun 2012) Log Message Crash in WebCore::RenderSVGModelObject::checkIntersection https://bugs.webkit.org/show_bug.cgi?id=89059 Reviewed by Rob Buis. Source/WebCore: getElementCTM

[webkit-changes] [120732] trunk/Source/WebCore

Title: [120732] trunk/Source/WebCore Revision 120732 Author infe...@chromium.org Date 2012-06-19 10:55:23 -0700 (Tue, 19 Jun 2012) Log Message Wrong repaintContainerSkipped in RenderObject::container() when positioned objects are enclosed in a foreignObject.

[webkit-changes] [120737] trunk

Title: [120737] trunk Revision 120737 Author infe...@chromium.org Date 2012-06-19 11:05:58 -0700 (Tue, 19 Jun 2012) Log Message Crash in RenderInline::willBeDestroyed. https://bugs.webkit.org/show_bug.cgi?id=89386 Reviewed by Julien Chaffraix. Source/WebCore: We were unable to find

[webkit-changes] [120477] trunk

Title: [120477] trunk Revision 120477 Author infe...@chromium.org Date 2012-06-15 10:57:57 -0700 (Fri, 15 Jun 2012) Log Message Cleanup empty anonymous block continuation. https://bugs.webkit.org/show_bug.cgi?id=74976 Reviewed by Julien Chaffraix. Source/WebCore: Fix rendering on

[webkit-changes] [120487] trunk/LayoutTests

Title: [120487] trunk/LayoutTests Revision 120487 Author infe...@chromium.org Date 2012-06-15 13:00:56 -0700 (Fri, 15 Jun 2012) Log Message Unreviewed. Rebaselines for r120477. * platform/chromium-linux/fast/forms/formmove3-expected.txt: *

[webkit-changes] [120503] trunk/LayoutTests

Title: [120503] trunk/LayoutTests Revision 120503 Author infe...@chromium.org Date 2012-06-15 15:30:43 -0700 (Fri, 15 Jun 2012) Log Message Unreviewed. Forgot a rebaseline for r120477. * platform/chromium-win/fast/forms/formmove3-expected.txt: Modified Paths

[webkit-changes] [119050] trunk

Title: [119050] trunk Revision 119050 Author infe...@chromium.org Date 2012-05-30 21:25:01 -0700 (Wed, 30 May 2012) Log Message Crash in ContainerNode::parserAddChild. https://bugs.webkit.org/show_bug.cgi?id=87903 Reviewed by Ryosuke Niwa. Source/WebCore: Call the

[webkit-changes] [118816] trunk

Title: [118816] trunk Revision 118816 Author infe...@chromium.org Date 2012-05-29 12:15:26 -0700 (Tue, 29 May 2012) Log Message Crash due to text fragment destruction when updating first-letter block. https://bugs.webkit.org/show_bug.cgi?id=87751 Reviewed by Eric Seidel.

[webkit-changes] [118592] trunk

Title: [118592] trunk Revision 118592 Author infe...@chromium.org Date 2012-05-25 17:28:23 -0700 (Fri, 25 May 2012) Log Message Crash in RenderTableSection::paintCell. https://bugs.webkit.org/show_bug.cgi?id=87445 Reviewed by Eric Seidel and Julien Chaffraix. Source/WebCore: Fix the

[webkit-changes] [118236] trunk

Title: [118236] trunk Revision 118236 Author infe...@chromium.org Date 2012-05-23 13:41:11 -0700 (Wed, 23 May 2012) Log Message ASSERT failure toRenderProgress in HTMLProgressElement::didElementStateChange https://bugs.webkit.org/show_bug.cgi?id=87274 Reviewed by Darin Adler.

[webkit-changes] [118248] trunk

Title: [118248] trunk Revision 118248 Author infe...@chromium.org Date 2012-05-23 14:47:51 -0700 (Wed, 23 May 2012) Log Message Crash in RenderInline::linesVisualOverflowBoundingBox. https://bugs.webkit.org/show_bug.cgi?id=85804 Reviewed by Dave Hyatt. Source/WebCore: Defer layout of

[webkit-changes] [118249] trunk

Title: [118249] trunk Revision 118249 Author infe...@chromium.org Date 2012-05-23 14:51:06 -0700 (Wed, 23 May 2012) Log Message Crash in run-ins with continuations while moving back to original position. https://bugs.webkit.org/show_bug.cgi?id=87264 Reviewed by Julien Chaffraix.

[webkit-changes] [118005] trunk

Title: [118005] trunk Revision 118005 Author infe...@chromium.org Date 2012-05-22 11:11:35 -0700 (Tue, 22 May 2012) Log Message Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot() https://bugs.webkit.org/show_bug.cgi?id=86500

[webkit-changes] [117865] trunk

Title: [117865] trunk Revision 117865 Author infe...@chromium.org Date 2012-05-21 18:36:43 -0700 (Mon, 21 May 2012) Log Message Regression(r117482): Run-in crashes relating to generated content and inline line box clearing. https://bugs.webkit.org/show_bug.cgi?id=86879 Reviewed by

[webkit-changes] [117880] trunk/LayoutTests

Title: [117880] trunk/LayoutTests Revision 117880 Author infe...@chromium.org Date 2012-05-21 19:57:55 -0700 (Mon, 21 May 2012) Log Message Unreviewed. Rebaseline for r117865. * platform/chromium-linux/fast/runin/runin-between-list-marker-and-before-content-expected.png: Removed. *

[webkit-changes] [117896] trunk/LayoutTests

Title: [117896] trunk/LayoutTests Revision 117896 Author infe...@chromium.org Date 2012-05-21 21:05:48 -0700 (Mon, 21 May 2012) Log Message Unreviewed. Rebaseline for r117865. * platform/chromium-mac/fast/runin/runin-between-list-marker-and-before-content-expected.png: Added. Modified

[webkit-changes] [117224] trunk

Title: [117224] trunk Revision 117224 Author infe...@chromium.org Date 2012-05-15 23:45:05 -0700 (Tue, 15 May 2012) Log Message Crash in Document::nodeChildrenWillBeRemoved. https://bugs.webkit.org/show_bug.cgi?id=85247 Reviewed by Hajime Morita. Source/WebCore: Reverse ordering of

[webkit-changes] [117304] trunk

Title: [117304] trunk Revision 117304 Author infe...@chromium.org Date 2012-05-16 10:22:38 -0700 (Wed, 16 May 2012) Log Message Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings. https://bugs.webkit.org/show_bug.cgi?id=86627 Reviewed by Andreas Kling.

[webkit-changes] [117161] trunk

Title: [117161] trunk Revision 117161 Author infe...@chromium.org Date 2012-05-15 14:29:19 -0700 (Tue, 15 May 2012) Log Message Source/WebCore: Crash due shadow tree parent confusion in SVG. https://bugs.webkit.org/show_bug.cgi?id=84248 Reviewed by Nikolas Zimmermann. Test:

  1   2   3   4   >