Title: [145754] trunk/Source/WebCore
Revision 145754
Author infe...@chromium.org
Date 2013-03-13 14:38:19 -0700 (Wed, 13 Mar 2013)
Log Message
Crash in CompositeEditCommand::insertNodeAt.
https://bugs.webkit.org/show_bug.cgi?id=112280
Reviewed by Ryosuke Niwa.
*
Title: [145562] trunk/Source
Revision 145562
Author infe...@chromium.org
Date 2013-03-12 10:44:37 -0700 (Tue, 12 Mar 2013)
Log Message
Replace static_casts with to* functions.
https://bugs.webkit.org/show_bug.cgi?id=112072
Reviewed by Philip Rogers.
to* functions are preferred over
Title: [145596] trunk/Source
Revision 145596
Author infe...@chromium.org
Date 2013-03-12 15:21:28 -0700 (Tue, 12 Mar 2013)
Log Message
Replace static_casts with to* helper functions.
https://bugs.webkit.org/show_bug.cgi?id=112164
Reviewed by Philip Rogers.
to* helper functions are
Title: [145399] trunk/Source
Revision 145399
Author infe...@chromium.org
Date 2013-03-11 13:57:44 -0700 (Mon, 11 Mar 2013)
Log Message
Add ASSERT_WITH_SECURITY_IMPLICATION to catch bad casts.
https://bugs.webkit.org/show_bug.cgi?id=112060
Reviewed by Eric Seidel.
Source/WebCore:
*
Title: [145444] trunk/Source
Revision 145444
Author infe...@chromium.org
Date 2013-03-11 17:50:46 -0700 (Mon, 11 Mar 2013)
Log Message
Replace static_cast with to* helper functions.
https://bugs.webkit.org/show_bug.cgi?id=112045
Reviewed by Eric Seidel.
Source/WebCore:
*
Title: [145462] trunk/Source
Revision 145462
Author infe...@chromium.org
Date 2013-03-11 18:59:09 -0700 (Mon, 11 Mar 2013)
Log Message
Replace static_casts with to* functions.
https://bugs.webkit.org/show_bug.cgi?id=112072
Reviewed by Philip Rogers.
to* functions are preferred over
Title: [145013] trunk/Source/WebCore
Revision 145013
Author infe...@chromium.org
Date 2013-03-06 17:24:42 -0800 (Wed, 06 Mar 2013)
Log Message
Crash in SVGViewSpec::viewTarget
https://bugs.webkit.org/show_bug.cgi?id=111648
Reviewed by Philip Rogers.
* svg/SVGViewSpec.cpp:
Title: [142922] trunk
Revision 142922
Author infe...@chromium.org
Date 2013-02-14 14:34:44 -0800 (Thu, 14 Feb 2013)
Log Message
Bad cast in RenderBlock::splitBlocks.
https://bugs.webkit.org/show_bug.cgi?id=108691
Reviewed by Levi Weintraub.
Source/WebCore:
Test:
Title: [142816] trunk
Revision 142816
Author infe...@chromium.org
Date 2013-02-13 15:44:59 -0800 (Wed, 13 Feb 2013)
Log Message
ASSERTION FAILED: !object || object-isBox(), Bad cast in RenderBox::computeLogicalHeight
https://bugs.webkit.org/show_bug.cgi?id=107748
Reviewed by Levi
Title: [142642] trunk/Source/WebCore
Revision 142642
Author infe...@chromium.org
Date 2013-02-12 10:49:38 -0800 (Tue, 12 Feb 2013)
Log Message
Heap-use-after-free in WebCore::DeleteButtonController::enable
https://bugs.webkit.org/show_bug.cgi?id=109447
Reviewed by Ryosuke Niwa.
RefPtr
Title: [141516] trunk/Source/WebCore
Revision 141516
Author infe...@chromium.org
Date 2013-01-31 17:39:31 -0800 (Thu, 31 Jan 2013)
Log Message
Use ASSERT_WITH_SECURITY_IMPLICATION to catch bad casts in DOM
https://bugs.webkit.org/show_bug.cgi?id=108490
Reviewed by Eric Seidel.
*
Title: [140848] trunk
Revision 140848
Author infe...@chromium.org
Date 2013-01-25 10:45:23 -0800 (Fri, 25 Jan 2013)
Log Message
Regression(r139836): Crash in WTF::equalIgnoringCase
https://bugs.webkit.org/show_bug.cgi?id=107703
Reviewed by Eric Seidel.
Source/WebCore:
Check |a| is a
Title: [140552] branches/chromium/1391
Revision 140552
Author infe...@chromium.org
Date 2013-01-23 10:52:26 -0800 (Wed, 23 Jan 2013)
Log Message
Revert 140206
Modified Paths
branches/chromium/1391/Source/WebCore/rendering/RenderBox.cpp
Removed Paths
Title: [140633] trunk/Source
Revision 140633
Author infe...@chromium.org
Date 2013-01-23 18:55:32 -0800 (Wed, 23 Jan 2013)
Log Message
Add support for ASSERT_WITH_SECURITY_IMPLICATION.
https://bugs.webkit.org/show_bug.cgi?id=107699
Reviewed by Eric Seidel.
Source/WebCore:
*
Title: [140435] trunk
Revision 140435
Author infe...@chromium.org
Date 2013-01-22 10:17:37 -0800 (Tue, 22 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderObject::isDescendantOf
https://bugs.webkit.org/show_bug.cgi?id=107226
Reviewed by Emil A Eklund.
Source/WebCore:
Test:
Title: [140206] trunk
Revision 140206
Author infe...@chromium.org
Date 2013-01-18 14:12:53 -0800 (Fri, 18 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderObject::isDescendantOf
https://bugs.webkit.org/show_bug.cgi?id=107226
Reviewed by David Hyatt.
Source/WebCore:
Test:
Title: [140069] trunk
Revision 140069
Author infe...@chromium.org
Date 2013-01-17 16:22:41 -0800 (Thu, 17 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
https://bugs.webkit.org/show_bug.cgi?id=90802
Reviewed by Julien Chaffraix.
Title: [139470] trunk/Source/WebCore
Revision 139470
Author infe...@chromium.org
Date 2013-01-11 11:35:31 -0800 (Fri, 11 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=95901
Reviewed by Simon
Title: [139213] trunk/Source/WebCore
Revision 139213
Author infe...@chromium.org
Date 2013-01-09 11:08:58 -0800 (Wed, 09 Jan 2013)
Log Message
Mitigate out-of-bounds access in InlineIterator
https://bugs.webkit.org/show_bug.cgi?id=104812
Reviewed by Levi Weintraub.
Share code between
Title: [138969] branches/chromium/1312
Revision 138969
Author infe...@chromium.org
Date 2013-01-07 11:36:45 -0800 (Mon, 07 Jan 2013)
Log Message
Revert 137759
Review URL: https://codereview.chromium.org/11784026
Modified Paths
on ClusterFuzz (Requested by
inferno-sec on #webkit).
Patch by Sheriff Bot webkit.review@gmail.com on 2013-01-07
Source/WebCore:
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::startDelayUpdateScrollInfo):
(WebCore::RenderBlock::finishDelayUpdateScrollInfo):
LayoutTests:
* mathml/mo-stretch
Title: [138988] trunk
Revision 138988
Author infe...@chromium.org
Date 2013-01-07 14:07:45 -0800 (Mon, 07 Jan 2013)
Log Message
Heap-buffer-overflow in WebCore::RenderBlock::clone.
https://bugs.webkit.org/show_bug.cgi?id=101984
Reviewed by Julien Chaffraix.
Source/WebCore:
Add a
Title: [138918] trunk
Revision 138918
Author infe...@chromium.org
Date 2013-01-06 10:53:15 -0800 (Sun, 06 Jan 2013)
Log Message
Heap-use-after-free in WebCore::Document::implicitClose
https://bugs.webkit.org/show_bug.cgi?id=105655
Reviewed by Eric Seidel.
Source/WebCore:
Test:
Title: [138926] trunk
Revision 138926
Author infe...@chromium.org
Date 2013-01-06 23:15:33 -0800 (Sun, 06 Jan 2013)
Log Message
Heap-use-after-free in DocumentLoader::stopLoading
https://bugs.webkit.org/show_bug.cgi?id=103656
Reviewed by Eric Seidel.
Source/WebCore:
Test:
Title: [138850] trunk
Revision 138850
Author infe...@chromium.org
Date 2013-01-04 13:37:46 -0800 (Fri, 04 Jan 2013)
Log Message
Crash in WebCore::RenderBlock::willBeDestroyed
https://bugs.webkit.org/show_bug.cgi?id=103455
Reviewed by Eric Seidel.
Source/WebCore:
It is not required to
Title: [138863] trunk/Source/WebCore
Revision 138863
Author infe...@chromium.org
Date 2013-01-04 15:47:58 -0800 (Fri, 04 Jan 2013)
Log Message
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
https://bugs.webkit.org/show_bug.cgi?id=100152
Reviewed by Adam Barth.
Title: [138657] trunk/Source/WebCore
Revision 138657
Author infe...@chromium.org
Date 2013-01-02 15:03:24 -0800 (Wed, 02 Jan 2013)
Log Message
Crash in WebCore::Element::cloneElementWithoutChildren.
https://bugs.webkit.org/show_bug.cgi?id=105949
Reviewed by Ryosuke Niwa.
RefPtr
Title: [136739] branches/chromium/1312/Source/WebKit/chromium/features.gypi
Revision 136739
Author infe...@chromium.org
Date 2012-12-05 12:46:59 -0800 (Wed, 05 Dec 2012)
Log Message
Turn off MATHML for Chromium m24
BUG=164454
Review URL: https://codereview.chromium.org/11437027
Modified
Title: [136560] trunk
Revision 136560
Author infe...@chromium.org
Date 2012-12-04 13:50:18 -0800 (Tue, 04 Dec 2012)
Log Message
Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue
https://bugs.webkit.org/show_bug.cgi?id=100621
Reviewed by Eric Seidel.
Source/WebCore:
r115639
Title: [136619] trunk/Source/WebCore
Revision 136619
Author infe...@chromium.org
Date 2012-12-04 20:18:36 -0800 (Tue, 04 Dec 2012)
Log Message
Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode
https://bugs.webkit.org/show_bug.cgi?id=103515
Reviewed by Ryosuke Niwa.
Title: [136253] trunk
Revision 136253
Author infe...@chromium.org
Date 2012-11-30 10:14:48 -0800 (Fri, 30 Nov 2012)
Log Message
Crash due to intruding float not removed after writing mode changed.
https://bugs.webkit.org/show_bug.cgi?id=100149
Reviewed by Levi Weintraub.
Title: [136060] trunk
Revision 136060
Author infe...@chromium.org
Date 2012-11-28 14:46:59 -0800 (Wed, 28 Nov 2012)
Log Message
Source/WebCore: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL
LayoutTests: Heap-use-after-free in
Title: [136062] trunk/Source/WebCore
Revision 136062
Author infe...@chromium.org
Date 2012-11-28 14:53:55 -0800 (Wed, 28 Nov 2012)
Log Message
Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent
https://bugs.webkit.org/show_bug.cgi?id=101098
Reviewed by Adam Barth.
Title: [136093] branches/chromium/1312/Source/WebCore/platform/graphics/skia/SimpleFontDataSkia.cpp
Revision 136093
Author infe...@chromium.org
Date 2012-11-28 21:27:38 -0800 (Wed, 28 Nov 2012)
Log Message
Merge 133494 - Implement SimpleFontData::platformBoundsForGlyph on skia
BUG=152430
Title: [136094] branches/chromium/1312/Source/WebCore/rendering/mathml
Revision 136094
Author infe...@chromium.org
Date 2012-11-28 21:29:54 -0800 (Wed, 28 Nov 2012)
Log Message
Merge 133221 - REGRESSION (r128837): mathml/presentation/subsup.xhtml became flaky
BUG=152430
Review URL:
Title: [135740] trunk
Revision 135740
Author infe...@chromium.org
Date 2012-11-26 10:58:27 -0800 (Mon, 26 Nov 2012)
Log Message
Crash in Frame::dispatchVisibilityStateChangeEvent.
https://bugs.webkit.org/show_bug.cgi?id=102053
Reviewed by Adam Barth.
Source/WebCore:
Child frame can go
Title: [135303] trunk
Revision 135303
Author infe...@chromium.org
Date 2012-11-20 11:46:29 -0800 (Tue, 20 Nov 2012)
Log Message
Crash in FrameLoader::stopLoading.
https://bugs.webkit.org/show_bug.cgi?id=99504
Reviewed by Nate Chapin.
Source/WebCore:
Frame can be blown away in unload
Title: [135193] trunk
Revision 135193
Author infe...@chromium.org
Date 2012-11-19 13:43:28 -0800 (Mon, 19 Nov 2012)
Log Message
Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.
https://bugs.webkit.org/show_bug.cgi?id=100150
Reviewed by Ryosuke Niwa.
Source/WebCore:
RefPtr
Title: [132110] branches/chromium/1271
Revision 132110
Author infe...@chromium.org
Date 2012-10-22 11:09:29 -0700 (Mon, 22 Oct 2012)
Log Message
Merge 130777 - Prevent animation when CSS attributeType is invalid.
BUG=143648
Modified Paths
Title: [132109] branches/chromium/1271/Source/WebCore/svg
Revision 132109
Author infe...@chromium.org
Date 2012-10-22 11:07:27 -0700 (Mon, 22 Oct 2012)
Log Message
Merge 129670 - Refactor SMILTimeContainer to maintain animation information instead of recalculating it every frame
Title: [131762] branches/chromium/1271
Revision 131762
Author infe...@chromium.org
Date 2012-10-18 09:53:15 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 129796 - Rewrite multithreaded filter job dispatching
BUG=152104
Review URL: https://codereview.chromium.org/11192059
Modified Paths
Title: [131763] branches/chromium/1271
Revision 131763
Author infe...@chromium.org
Date 2012-10-18 09:55:46 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 129962 - REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient
BUG=151424
Review URL:
Title: [131764] branches/chromium/1271
Revision 131764
Author infe...@chromium.org
Date 2012-10-18 09:59:09 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 153128 - Source/WebCore: [HarfBuzz] harfbuzz expects log_clusters to have same length as other buffers.
BUG=155474
Review URL:
Title: [131765] branches/chromium/1271/Source/WebCore/page/EventHandler.cpp
Revision 131765
Author infe...@chromium.org
Date 2012-10-18 10:02:40 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 130449 - Crash in EventHandler::mouseMoved().
BUG=153793
Review URL:
Title: [131767] branches/chromium/1271
Revision 131767
Author infe...@chromium.org
Date 2012-10-18 10:10:14 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 130777 - Prevent animation when CSS attributeType is invalid.
BUG=143648
Review URL: https://codereview.chromium.org/11184044
Modified
Title: [131770] branches/chromium/1271/Source/WebCore/inspector/InspectorDOMAgent.cpp
Revision 131770
Author infe...@chromium.org
Date 2012-10-18 10:18:08 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 130910 - Web Inspector: protect node in the InspectorDOMNode::inspect
BUG=154373
Review
Title: [131771] branches/chromium/1271
Revision 131771
Author infe...@chromium.org
Date 2012-10-18 10:20:11 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 130266 - AX: Heap-use-after-free when deleting a ContainerNode with an AX object
BUG=129158
Review URL:
Title: [131773] branches/chromium/1271
Revision 131773
Author infe...@chromium.org
Date 2012-10-18 10:31:07 -0700 (Thu, 18 Oct 2012)
Log Message
Merge 131077 - rdar://problem/12477191 Combined text reverts to full-width font after a style change
BUG=150067
Review URL:
Title: [131774] branches/chromium/1271
Revision 131774
Author infe...@chromium.org
Date 2012-10-18 10:42:54 -0700 (Thu, 18 Oct 2012)
Log Message
Revert 131767 - Merge 130777 - Prevent animation when CSS attributeType is invalid.
BUG=143648
Review URL:
Title: [130856] branches/chromium/1229/Source/WebCore/svg/SVGElementInstance.cpp
Revision 130856
Author infe...@chromium.org
Date 2012-10-09 23:34:59 -0700 (Tue, 09 Oct 2012)
Log Message
Merge 130855 - Recursively detach SVGElementInstances
Review URL:
Title: [130858] branches/chromium/1229
Revision 130858
Author infe...@chromium.org
Date 2012-10-09 23:45:31 -0700 (Tue, 09 Oct 2012)
Log Message
Revert 130719 - Merge 130717 - HTMLSelectElement::typeAheadFind depends on implementation dependent behavior
Title: [130859] branches/chromium/1229/Source/WebCore/inspector/front-end
Revision 130859
Author infe...@chromium.org
Date 2012-10-09 23:46:08 -0700 (Tue, 09 Oct 2012)
Log Message
Revert 130484 - Merge 124886 - Web Inspector: Do not disable network tracking while profiling cpu.
Title: [130860] branches/chromium/1229/Source/WebCore/inspector/front-end/inspector.css
Revision 130860
Author infe...@chromium.org
Date 2012-10-09 23:46:36 -0700 (Tue, 09 Oct 2012)
Log Message
Revert 130482 - Merge 125255 - Web Inspector: Search matches count view is flaky.
Title: [129518] branches/chromium/1229
Revision 129518
Author infe...@chromium.org
Date 2012-09-25 09:37:25 -0700 (Tue, 25 Sep 2012)
Log Message
Merge 129469 - adoptNode() shouldn't reset ownerDocument if the source node failed to remove itself
BUG=150966
Review URL:
Title: [129583] trunk/Source/WebCore
Revision 129583
Author infe...@chromium.org
Date 2012-09-25 19:14:07 -0700 (Tue, 25 Sep 2012)
Log Message
Mask RenderArena freelist entries.
https://bugs.webkit.org/show_bug.cgi?id=97494
Patch by Justin Schuh jsc...@chromium.org on 2012-09-25
Title: [129253] branches/chromium/1271/Source/WebKit/chromium/features.gypi
Revision 129253
Author infe...@chromium.org
Date 2012-09-21 14:24:17 -0700 (Fri, 21 Sep 2012)
Log Message
Merge 125155 - Disable iframe seamless for m23.
Review URL: https://codereview.chromium.org/10970046
Title: [129271] branches/chromium/1229/Source/WebCore/dom/Document.cpp
Revision 129271
Author infe...@chromium.org
Date 2012-09-21 16:22:18 -0700 (Fri, 21 Sep 2012)
Log Message
Merge 129270 - Crash in WebCore::Document::fullScreenChangeDelayTimerFired
BUG=147700
Review URL:
Title: [127071] trunk
Revision 127071
Author infe...@chromium.org
Date 2012-08-29 17:42:04 -0700 (Wed, 29 Aug 2012)
Log Message
Crash in WebCore::StyleSheetContents::checkLoadCompleted.
https://bugs.webkit.org/show_bug.cgi?id=95106
Reviewed by Antti Koivisto.
Source/WebCore:
RefPtr
on ClusterFuzz due to incorrect layout ordering
change (Requested by inferno-sec on #webkit).
Patch by Sheriff Bot webkit.review@gmail.com on 2012-08-16
* dom/CharacterData.cpp:
(WebCore::CharacterData::setDataAndUpdate):
* editing/FrameSelection.cpp:
(WebCore::updatePositionAfterAdoptingTextReplacement
Title: [125810] trunk
Revision 125810
Author infe...@chromium.org
Date 2012-08-16 13:50:05 -0700 (Thu, 16 Aug 2012)
Log Message
Regression(r118248): Replaced element not layout
https://bugs.webkit.org/show_bug.cgi?id=85804
Reviewed by Levi Weintraub.
Source/WebCore:
r118248 moved the
Title: [125607] branches/chromium/1180
Revision 125607
Author infe...@chromium.org
Date 2012-08-14 14:33:21 -0700 (Tue, 14 Aug 2012)
Log Message
Merge 123822 - [Chromium] Regression: Global-buffer-overflow in WebCore::mediaControlElementType
BUG=132270
Review URL:
Title: [125353] trunk/Source/WebCore
Revision 125353
Author infe...@chromium.org
Date 2012-08-11 09:07:22 -0700 (Sat, 11 Aug 2012)
Log Message
Unreviewed.
Removing newly added assert in r125351 since it is exposing
legitimate layout bugs in few tests. We will re-add the assert
after
Title: [125315] trunk/Source/WebCore
Revision 125315
Author infe...@chromium.org
Date 2012-08-10 12:41:20 -0700 (Fri, 10 Aug 2012)
Log Message
Crash on accessing a removed layout root in FrameView::scheduleRelayout.
https://bugs.webkit.org/show_bug.cgi?id=91368
Reviewed by Levi
Title: [125155] branches/chromium/1229/Source/WebKit/chromium/features.gypi
Revision 125155
Author infe...@chromium.org
Date 2012-08-08 23:39:05 -0700 (Wed, 08 Aug 2012)
Log Message
Revert 116356 - Disable Iframe seamless for m22.
BUG=138422
Review URL:
Title: [124888] trunk
Revision 124888
Author infe...@chromium.org
Date 2012-08-07 07:51:33 -0700 (Tue, 07 Aug 2012)
Log Message
Crash in InlineFlowBox::deleteLine.
https://bugs.webkit.org/show_bug.cgi?id=88795
Reviewed by Tony Chang.
Source/WebCore:
When we move the fullscreen object
Title: [124914] trunk
Revision 124914
Author infe...@chromium.org
Date 2012-08-07 13:21:11 -0700 (Tue, 07 Aug 2012)
Log Message
Crash in ContainerNode::cloneChildNodes.
https://bugs.webkit.org/show_bug.cgi?id=93378
Reviewed by Levi Weintraub.
Source/WebCore:
Re-enabling the editing
Title: [124776] trunk/Source/WebCore
Revision 124776
Author infe...@chromium.org
Date 2012-08-06 09:30:40 -0700 (Mon, 06 Aug 2012)
Log Message
Crash in FrameLoader::stopAllLoaders.
https://bugs.webkit.org/show_bug.cgi?id=90805
Reviewed by Nate Chapin.
Calling
Title: [124785] trunk/Tools
Revision 124785
Author infe...@chromium.org
Date 2012-08-06 11:15:15 -0700 (Mon, 06 Aug 2012)
Log Message
[Chromium] Re-expose layoutTestController as various fuzzers depend on it
https://bugs.webkit.org/show_bug.cgi?id=93282
Reviewed by Ryosuke Niwa.
Title: [124580] trunk/Source/WebCore
Revision 124580
Author infe...@chromium.org
Date 2012-08-03 01:15:35 -0700 (Fri, 03 Aug 2012)
Log Message
Regression(r124564): Wrong inlineChildrenBlock-hasLayer() computed in RenderBlock::removeChild.
https://bugs.webkit.org/show_bug.cgi?id=90800
://bugs.webkit.org/show_bug.cgi?id=93151
Causing assertion failures in table-section-node-at-point-
crash.html (Requested by inferno-sec on #webkit).
Patch by Sheriff Bot webkit.review@gmail.com on 2012-08-03
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::paint):
Modified Paths
trunk
Title: [124491] trunk
Revision 124491
Author infe...@chromium.org
Date 2012-08-02 13:44:31 -0700 (Thu, 02 Aug 2012)
Log Message
No isChildAllowed checked when adding RenderFullScreen as the child..
https://bugs.webkit.org/show_bug.cgi?id=92995
Reviewed by Eric Seidel.
Source/WebCore:
Title: [124564] trunk
Revision 124564
Author infe...@chromium.org
Date 2012-08-02 22:53:38 -0700 (Thu, 02 Aug 2012)
Log Message
Crash due to layer not removed from parent for anonymous block.
https://bugs.webkit.org/show_bug.cgi?id=90800
Reviewed by Kent Tamura.
Source/WebCore:
Title: [123528] branches/chromium/1180
Revision 123528
Author infe...@chromium.org
Date 2012-07-24 14:35:34 -0700 (Tue, 24 Jul 2012)
Log Message
Merge 123128 - Crash in WebCore::StyleResolver::collectMatchingRulesForList
https://bugs.webkit.org/show_bug.cgi?id=90803
BUG=136235
Review
Title: [123529] branches/chromium/1180/Source/WebCore/html/shadow/TextFieldDecorationElement.cpp
Revision 123529
Author infe...@chromium.org
Date 2012-07-24 14:37:27 -0700 (Tue, 24 Jul 2012)
Log Message
Merge 123187 - [Chromium] Fix an assertion failure in
Title: [123531] branches/chromium/1180
Revision 123531
Author infe...@chromium.org
Date 2012-07-24 14:48:39 -0700 (Tue, 24 Jul 2012)
Log Message
Merge 122918 - Fix an assertion failure in CalendarPickerElement::hostInput().
https://bugs.webkit.org/show_bug.cgi?id=91568
BUG=137671
Review
Title: [123534] branches/chromium/1180/Source/WebCore/html/shadow/TextFieldDecorationElement.cpp
Revision 123534
Author infe...@chromium.org
Date 2012-07-24 15:07:44 -0700 (Tue, 24 Jul 2012)
Log Message
Revert 123529 - Merge 123187 - [Chromium] Fix an assertion failure in
Title: [123076] trunk/Source/WebCore
Revision 123076
Author infe...@chromium.org
Date 2012-07-19 00:24:22 -0700 (Thu, 19 Jul 2012)
Log Message
Crash in FontCache::releaseFontData.
https://bugs.webkit.org/show_bug.cgi?id=91710
Reviewed by Tim Horton.
Revert back change made to
Title: [121031] trunk
Revision 121031
Author infe...@chromium.org
Date 2012-06-22 09:48:49 -0700 (Fri, 22 Jun 2012)
Log Message
Crash in DragController::concludeEditDrag.
https://bugs.webkit.org/show_bug.cgi?id=89762
Reviewed by Ryosuke Niwa.
Source/WebCore:
RefPtr the innerFrame
Title: [121001] trunk
Revision 121001
Author infe...@chromium.org
Date 2012-06-21 21:01:57 -0700 (Thu, 21 Jun 2012)
Log Message
Crash in RenderBlock::layoutPositionedObjects.
https://bugs.webkit.org/show_bug.cgi?id=89599
Reviewed by Julien Chaffraix.
Source/WebCore:
Test:
Title: [120857] branches/chromium/1180
Revision 120857
Author infe...@chromium.org
Date 2012-06-20 13:33:43 -0700 (Wed, 20 Jun 2012)
Log Message
Merge 120737 - Crash in RenderInline::willBeDestroyed.
BUG=103423
Review URL: https://chromiumcodereview.appspot.com/10575040
Modified Paths
Title: [120862] trunk
Revision 120862
Author infe...@chromium.org
Date 2012-06-20 14:20:29 -0700 (Wed, 20 Jun 2012)
Log Message
Crash on accessing a removed renderer from percent height descendant map.
https://bugs.webkit.org/show_bug.cgi?id=88017
Reviewed by Eric Seidel.
Title: [120731] trunk
Revision 120731
Author infe...@chromium.org
Date 2012-06-19 10:43:22 -0700 (Tue, 19 Jun 2012)
Log Message
Crash in WebCore::RenderSVGModelObject::checkIntersection
https://bugs.webkit.org/show_bug.cgi?id=89059
Reviewed by Rob Buis.
Source/WebCore:
getElementCTM
Title: [120732] trunk/Source/WebCore
Revision 120732
Author infe...@chromium.org
Date 2012-06-19 10:55:23 -0700 (Tue, 19 Jun 2012)
Log Message
Wrong repaintContainerSkipped in RenderObject::container()
when positioned objects are enclosed in a foreignObject.
Title: [120737] trunk
Revision 120737
Author infe...@chromium.org
Date 2012-06-19 11:05:58 -0700 (Tue, 19 Jun 2012)
Log Message
Crash in RenderInline::willBeDestroyed.
https://bugs.webkit.org/show_bug.cgi?id=89386
Reviewed by Julien Chaffraix.
Source/WebCore:
We were unable to find
Title: [120477] trunk
Revision 120477
Author infe...@chromium.org
Date 2012-06-15 10:57:57 -0700 (Fri, 15 Jun 2012)
Log Message
Cleanup empty anonymous block continuation.
https://bugs.webkit.org/show_bug.cgi?id=74976
Reviewed by Julien Chaffraix.
Source/WebCore:
Fix rendering on
Title: [120487] trunk/LayoutTests
Revision 120487
Author infe...@chromium.org
Date 2012-06-15 13:00:56 -0700 (Fri, 15 Jun 2012)
Log Message
Unreviewed. Rebaselines for r120477.
* platform/chromium-linux/fast/forms/formmove3-expected.txt:
*
Title: [120503] trunk/LayoutTests
Revision 120503
Author infe...@chromium.org
Date 2012-06-15 15:30:43 -0700 (Fri, 15 Jun 2012)
Log Message
Unreviewed. Forgot a rebaseline for r120477.
* platform/chromium-win/fast/forms/formmove3-expected.txt:
Modified Paths
Title: [119050] trunk
Revision 119050
Author infe...@chromium.org
Date 2012-05-30 21:25:01 -0700 (Wed, 30 May 2012)
Log Message
Crash in ContainerNode::parserAddChild.
https://bugs.webkit.org/show_bug.cgi?id=87903
Reviewed by Ryosuke Niwa.
Source/WebCore:
Call the
Title: [118816] trunk
Revision 118816
Author infe...@chromium.org
Date 2012-05-29 12:15:26 -0700 (Tue, 29 May 2012)
Log Message
Crash due to text fragment destruction when updating first-letter block.
https://bugs.webkit.org/show_bug.cgi?id=87751
Reviewed by Eric Seidel.
Title: [118592] trunk
Revision 118592
Author infe...@chromium.org
Date 2012-05-25 17:28:23 -0700 (Fri, 25 May 2012)
Log Message
Crash in RenderTableSection::paintCell.
https://bugs.webkit.org/show_bug.cgi?id=87445
Reviewed by Eric Seidel and Julien Chaffraix.
Source/WebCore:
Fix the
Title: [118236] trunk
Revision 118236
Author infe...@chromium.org
Date 2012-05-23 13:41:11 -0700 (Wed, 23 May 2012)
Log Message
ASSERT failure toRenderProgress in HTMLProgressElement::didElementStateChange
https://bugs.webkit.org/show_bug.cgi?id=87274
Reviewed by Darin Adler.
Title: [118248] trunk
Revision 118248
Author infe...@chromium.org
Date 2012-05-23 14:47:51 -0700 (Wed, 23 May 2012)
Log Message
Crash in RenderInline::linesVisualOverflowBoundingBox.
https://bugs.webkit.org/show_bug.cgi?id=85804
Reviewed by Dave Hyatt.
Source/WebCore:
Defer layout of
Title: [118249] trunk
Revision 118249
Author infe...@chromium.org
Date 2012-05-23 14:51:06 -0700 (Wed, 23 May 2012)
Log Message
Crash in run-ins with continuations while moving back to original position.
https://bugs.webkit.org/show_bug.cgi?id=87264
Reviewed by Julien Chaffraix.
Title: [118005] trunk
Revision 118005
Author infe...@chromium.org
Date 2012-05-22 11:11:35 -0700 (Tue, 22 May 2012)
Log Message
Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot()
https://bugs.webkit.org/show_bug.cgi?id=86500
Title: [117865] trunk
Revision 117865
Author infe...@chromium.org
Date 2012-05-21 18:36:43 -0700 (Mon, 21 May 2012)
Log Message
Regression(r117482): Run-in crashes relating to generated content and inline line box clearing.
https://bugs.webkit.org/show_bug.cgi?id=86879
Reviewed by
Title: [117880] trunk/LayoutTests
Revision 117880
Author infe...@chromium.org
Date 2012-05-21 19:57:55 -0700 (Mon, 21 May 2012)
Log Message
Unreviewed. Rebaseline for r117865.
* platform/chromium-linux/fast/runin/runin-between-list-marker-and-before-content-expected.png: Removed.
*
Title: [117896] trunk/LayoutTests
Revision 117896
Author infe...@chromium.org
Date 2012-05-21 21:05:48 -0700 (Mon, 21 May 2012)
Log Message
Unreviewed. Rebaseline for r117865.
* platform/chromium-mac/fast/runin/runin-between-list-marker-and-before-content-expected.png: Added.
Modified
Title: [117224] trunk
Revision 117224
Author infe...@chromium.org
Date 2012-05-15 23:45:05 -0700 (Tue, 15 May 2012)
Log Message
Crash in Document::nodeChildrenWillBeRemoved.
https://bugs.webkit.org/show_bug.cgi?id=85247
Reviewed by Hajime Morita.
Source/WebCore:
Reverse ordering of
Title: [117304] trunk
Revision 117304
Author infe...@chromium.org
Date 2012-05-16 10:22:38 -0700 (Wed, 16 May 2012)
Log Message
Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings.
https://bugs.webkit.org/show_bug.cgi?id=86627
Reviewed by Andreas Kling.
Title: [117161] trunk
Revision 117161
Author infe...@chromium.org
Date 2012-05-15 14:29:19 -0700 (Tue, 15 May 2012)
Log Message
Source/WebCore: Crash due shadow tree parent confusion in SVG.
https://bugs.webkit.org/show_bug.cgi?id=84248
Reviewed by Nikolas Zimmermann.
Test:
1 - 100 of 334 matches
Mail list logo