Title: [90068] trunk
Revision
90068
Author
[email protected]
Date
2011-06-29 16:58:25 -0700 (Wed, 29 Jun 2011)

Log Message

2011-06-23  Abhishek Arya  <[email protected]>

        Reviewed by James Robinson.

        In RenderBlock, RenderWidget and RenderReplaced destroy functions,
        call dirtyLinesFromChangedChild to tell our parent that we are going away.
        https://bugs.webkit.org/show_bug.cgi?id=60307

        Test: fast/block/child-not-removed-from-parent-lineboxes-crash.html
              fast/block/block-not-removed-from-parent-lineboxes-crash.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::destroy):
        * rendering/RenderReplaced.cpp:
        (WebCore::RenderReplaced::destroy):
        * rendering/RenderReplaced.h:
        * rendering/RenderWidget.cpp:
        (WebCore::RenderWidget::destroy):
2011-06-23  Abhishek Arya  <[email protected]>

        Reviewed by James Robinson.

        Tests that we do not crash when failing to remove the linebreak
        object(widget, block, replaced, etc) from parent block lineboxes. The
        testcase tries to fuzz over the list of html and svg tags.
        https://bugs.webkit.org/show_bug.cgi?id=60307

        * fast/block/block-not-removed-from-parent-lineboxes-crash-expected.txt: Added.
        * fast/block/block-not-removed-from-parent-lineboxes-crash.html: Added.
        * fast/block/child-not-removed-from-parent-lineboxes-crash-expected.txt: Added.
        * fast/block/child-not-removed-from-parent-lineboxes-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (90067 => 90068)


--- trunk/LayoutTests/ChangeLog	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/LayoutTests/ChangeLog	2011-06-29 23:58:25 UTC (rev 90068)
@@ -1,3 +1,17 @@
+2011-06-23  Abhishek Arya  <[email protected]>
+
+        Reviewed by James Robinson.
+
+        Tests that we do not crash when failing to remove the linebreak
+        object(widget, block, replaced, etc) from parent block lineboxes. The
+        testcase tries to fuzz over the list of html and svg tags.
+        https://bugs.webkit.org/show_bug.cgi?id=60307
+
+        * fast/block/block-not-removed-from-parent-lineboxes-crash-expected.txt: Added.
+        * fast/block/block-not-removed-from-parent-lineboxes-crash.html: Added.
+        * fast/block/child-not-removed-from-parent-lineboxes-crash-expected.txt: Added.
+        * fast/block/child-not-removed-from-parent-lineboxes-crash.html: Added.
+
 2011-06-29  Alan Stearns  <[email protected]>
 
         Reviewed by Tony Chang.

Added: trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash-expected.txt (0 => 90068)


--- trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash-expected.txt	2011-06-29 23:58:25 UTC (rev 90068)
@@ -0,0 +1 @@
+PASS: does not crash

Added: trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash.html (0 => 90068)


--- trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/block-not-removed-from-parent-lineboxes-crash.html	2011-06-29 23:58:25 UTC (rev 90068)
@@ -0,0 +1,18 @@
+<html>
+<body>
+<div style="width: 25px">
+<img style="width: 20px"><img id="test1" style="width: 50px; display: none;"><span id="test2" style="float: left;">AB</span>CD</div>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+    
+document.body.offsetTop;
+test1.style.display = "";
+document.body.offsetTop;
+test2.parentNode.removeChild(test2);
+
+document.body.offsetTop;
+document.body.innerHTML = "PASS: does not crash";
+</script>
+</body>
+</html>
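Review bot: The script reaches both elements through the implicit `test1` / `test2` id globals, so the test depends on named-element lookup on window rather than only on the layout path it targets; `var test1 = document.getElementById("test1");` (and the same for `test2`) would be sturdier. A short HTML comment at the top naming bug 60307 and the sequence exercised (un-hide the image, force layout, remove the float, force layout again) would help whoever triages a later failure. The only assertion is "does not crash", so a stale line-box reference may go unnoticed in a plain release build; the test is most meaningful when run under a debug or memory-checking configuration.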

Added: trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash-expected.txt (0 => 90068)


--- trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash-expected.txt	2011-06-29 23:58:25 UTC (rev 90068)
@@ -0,0 +1 @@
+PASS: does not crash

Added: trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash.html (0 => 90068)


--- trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/child-not-removed-from-parent-lineboxes-crash.html	2011-06-29 23:58:25 UTC (rev 90068)
@@ -0,0 +1,28 @@
+<html>
+<body>
+</body>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var tags = ['a', 'abbr', 'acronym', 'address', 'applet', 'area', 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdo', 'bgsound', 'big', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'command', 'datagrid', 'datalist', 'dcell', 'dcol', 'drow', 'dd', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'child', 'image', 'img', 'input', 'ins', 'isindex', 'kbd', 'keygen', 'label', 'layer', 'legend', 'li', 'link', 'listing', 'map', 'mark', 'marquee', 'menu', 'meta', 'meter', 'nav', 'nobr', 'noembed', 'noframes', 'nolayer', 'object', 'ol', 'optgroup', 'option', 'output', 'p', 'param', 'plaintext', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr', 'xmp', 'noscript', 'noscript', 'math', 'mfrac', 'mfenced', 'msubsup', 'mrow', 'mover', 'munder', 'munderover', 'msqrt', 'mroot', 'mi', 'mn', 'mo', 'mtext', 'msub', 'msup', 'ms', 'mglyph', 'malignmark', 'annotation-xml', 'a', 'access', 'anchor', 'br', 'card', 'do', 'fieldset', 'go', 'head', 'img', 'input', 'insertedLegend', 'meta', 'noop', 'onevent', 'optgroup', 'option', 'p', 'postfield', 'prev', 'refresh', 'select', 'setvar', 'table', 'td', 'template', 'timer', 'tr', 'a', 'altGlyph', 'altGlyphDef', 'altGlyphItem', 'animate', 'animateColor', 'animateMotion', 'animateTransform', 'set', 'circle', 'clipPath', 'color_profile', 'cursor', 'defs', 'desc', 'ellipse', 'feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 
'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence', 'filter', 'font', 'font_face', 'font_face_format', 'font_face_name', 'font_face_src', 'font_face_uri', 'foreignObject', 'g', 'glyph', 'glyphRef', 'hkern', 'image', 'line', 'linearGradient', 'marker', 'mask', 'metadata', 'missing_glyph', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialGradient', 'rect', 'script', 'stop', 'style', 'svg', 'switch', 'symbol', 'text', 'textPath', 'title', 'tref', 'tspan', 'use', 'view', 'vkern']
+
+for (i = 0; i < tags.length; i++)
+{
+    child = document.createElement(tags[i]);
+    child.style.position = 'absolute';
+    document.body.appendChild(document.createTextNode('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad'));
+    document.body.appendChild(child);
+    document.body.appendChild(document.createTextNode('aaaa'));
+    document.body.offsetTop;
+    child.setAttribute('style', '');
+    document.body.offsetTop;
+    document.body.removeChild(child);
+    document.body.offsetTop;
+    document.body.innerHTML = "";
+}
+
+document.body.innerHTML = "PASS: does not crash";
+</script>
+</html>
+
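Review bot: The tag list has `'child'` sitting between `'i'` and `'image'`, exactly where `'iframe'` would fall alphabetically, and `'iframe'` is absent from the list; this looks like a variable rename that also hit the data, and it would mean the loop never creates an iframe even though the commit changes RenderWidget::destroy. If so, the entry should read `'i', 'iframe', 'image'`. The loop variables `i` and `child` are also assigned without `var`, making them implicit globals, and several tags (`'a'`, `'noscript'`, `'br'`, `'head'` and others) are listed more than once, which only repeats iterations.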

Modified: trunk/Source/WebCore/ChangeLog (90067 => 90068)


--- trunk/Source/WebCore/ChangeLog	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/Source/WebCore/ChangeLog	2011-06-29 23:58:25 UTC (rev 90068)
@@ -1,3 +1,22 @@
+2011-06-23  Abhishek Arya  <[email protected]>
+
+        Reviewed by James Robinson.
+
+        In RenderBlock, RenderWidget and RenderReplaced destroy functions,
+        call dirtyLinesFromChangedChild to tell our parent that we are going away.
+        https://bugs.webkit.org/show_bug.cgi?id=60307
+
+        Test: fast/block/child-not-removed-from-parent-lineboxes-crash.html
+              fast/block/block-not-removed-from-parent-lineboxes-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::destroy):
+        * rendering/RenderReplaced.cpp:
+        (WebCore::RenderReplaced::destroy):
+        * rendering/RenderReplaced.h:
+        * rendering/RenderWidget.cpp:
+        (WebCore::RenderWidget::destroy):
+
 2011-06-29  Brent Fulgham  <[email protected]>
 
         Speculative WinCE build correction.

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (90067 => 90068)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-06-29 23:58:25 UTC (rev 90068)
@@ -185,7 +185,8 @@
                         childBox->remove();
                 }
             }
-        }
+        } else if (parent())
+            parent()->dirtyLinesFromChangedChild(this);
     }
 
     m_lineBoxes.deleteLineBoxes(renderArena());
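Review bot: The new `else if (parent())` branch does not test `documentBeingDestroyed()` in the visible lines, unlike the RenderReplaced and RenderWidget changes in this commit. The `if` it attaches to starts outside the hunk, so that check is presumably made further up, but it is worth confirming, because the other two call sites explicitly skip the notification during document teardown. The branch also has no comment; I would add `// Tell the parent its line boxes may still point at this renderer before we are destroyed.` above the call.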

Modified: trunk/Source/WebCore/rendering/RenderReplaced.cpp (90067 => 90068)


--- trunk/Source/WebCore/rendering/RenderReplaced.cpp	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/Source/WebCore/rendering/RenderReplaced.cpp	2011-06-29 23:58:25 UTC (rev 90068)
@@ -57,6 +57,14 @@
 {
 }
 
+void RenderReplaced::destroy()
+{
+    if (!documentBeingDestroyed() && parent())
+        parent()->dirtyLinesFromChangedChild(this);
+
+    RenderBox::destroy();
+}
+
 void RenderReplaced::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
 {
     RenderBox::styleDidChange(diff, oldStyle);
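Review bot: The guard-and-notify pair `if (!documentBeingDestroyed() && parent()) parent()->dirtyLinesFromChangedChild(this);` is written out here, again in RenderWidget::destroy, and in a third form in RenderBlock::destroy, so any renderer class that overrides destroy() without chaining to one of these gets no notification. RenderWidget::destroy appears to be such a case, since its hunk calls `remove()` itself rather than relying on a base destroy(). A small protected helper on the shared base class, called from all three places, would keep the rule in one spot. Failing that, a comment here should say that the call has to come before `RenderBox::destroy()`, presumably because the parent link is no longer usable afterwards.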

Modified: trunk/Source/WebCore/rendering/RenderReplaced.h (90067 => 90068)


--- trunk/Source/WebCore/rendering/RenderReplaced.h	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/Source/WebCore/rendering/RenderReplaced.h	2011-06-29 23:58:25 UTC (rev 90068)
@@ -32,6 +32,8 @@
     RenderReplaced(Node*, const IntSize& intrinsicSize);
     virtual ~RenderReplaced();
 
+    virtual void destroy();
+
     virtual int computeReplacedLogicalWidth(bool includeMaxWidth = true) const;
     virtual int computeReplacedLogicalHeight() const;
 

Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (90067 => 90068)


--- trunk/Source/WebCore/rendering/RenderWidget.cpp	2011-06-29 23:54:37 UTC (rev 90067)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp	2011-06-29 23:58:25 UTC (rev 90068)
@@ -126,6 +126,10 @@
         document()->axObjectCache()->childrenChanged(this->parent());
         document()->axObjectCache()->remove(this);
     }
+
+    if (!documentBeingDestroyed() && parent()) 
+        parent()->dirtyLinesFromChangedChild(this);
+
     remove();
 
     if (m_hasCounterNodeMap)
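Review bot: The added `if (!documentBeingDestroyed() && parent()) ` line ends in a trailing space, which should be dropped. Placing the call just before `remove()` looks deliberate, since the call needs a valid parent(), but nothing in the code says so; a comment such as `// Must run before remove(): the parent's line boxes can still reference this widget.` would keep a later reorder from silently undoing the fix. The function starts and ends outside the hunk, so the ordering against the rest of the teardown cannot be checked from here.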