Title: [92798] trunk
Revision: 92798
Author: [email protected]
Date: 2011-08-10 14:48:18 -0700 (Wed, 10 Aug 2011)

Log Message

Source/WebCore: Check that we do not need layout before trying to dirty
m_originatingLine for our floats.
https://bugs.webkit.org/show_bug.cgi?id=65938

Reviewed by Dave Hyatt.

Test: fast/block/float/float-originating-line-deleted-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeFloatingObject):
(WebCore::RenderBlock::clearFloats):

LayoutTests: Tests that we do not crash when trying to access a removed
m_originatingLine for a float.
https://bugs.webkit.org/show_bug.cgi?id=65938

Reviewed by Dave Hyatt.

* fast/block/float/float-originating-line-deleted-crash-expected.txt: Added.
* fast/block/float/float-originating-line-deleted-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (92797 => 92798)


--- trunk/LayoutTests/ChangeLog	2011-08-10 21:42:26 UTC (rev 92797)
+++ trunk/LayoutTests/ChangeLog	2011-08-10 21:48:18 UTC (rev 92798)
@@ -1,3 +1,14 @@
+2011-08-10  Abhishek Arya  <[email protected]>
+
+        Tests that we do not crash when trying to access a removed
+        m_originatingLine for a float.
+        https://bugs.webkit.org/show_bug.cgi?id=65938
+
+        Reviewed by Dave Hyatt.
+
+        * fast/block/float/float-originating-line-deleted-crash-expected.txt: Added.
+        * fast/block/float/float-originating-line-deleted-crash.html: Added.
+
 2011-08-10  Mark Hahnenberg  <[email protected]>
 
         JSC should always throw when function arg list is too long

Added: trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash-expected.txt (0 => 92798)


--- trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash-expected.txt	2011-08-10 21:48:18 UTC (rev 92798)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash.html (0 => 92798)


--- trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-originating-line-deleted-crash.html	2011-08-10 21:48:18 UTC (rev 92798)
@@ -0,0 +1,26 @@
+<html>
+Test passes if it does not crash.
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+    child = document.getElementById('test');
+    child.parentNode.removeChild(child);
+
+	document.body.offsetTop;
+    
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+setTimeout("runTest();", 0);
+</script>
+<style id='test'>
+    p { float: left; }
+</style>
+<table><span><p></p><p></p></span></table>
+</html>
\ No newline at end of file
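Review bot: in runTest(), `child` is assigned without `var`, so it becomes an implicit global, and `setTimeout("runTest();", 0)` passes a string to be evaluated where the function reference `runTest` would do. The `document.body.offsetTop;` line is indented with a tab while the rest of the script uses spaces, and it would help to add a one-line comment there saying the read forces layout after the style element is removed, since that is the step the test depends on. The file also ends without a trailing newline.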

Modified: trunk/Source/WebCore/ChangeLog (92797 => 92798)


--- trunk/Source/WebCore/ChangeLog	2011-08-10 21:42:26 UTC (rev 92797)
+++ trunk/Source/WebCore/ChangeLog	2011-08-10 21:48:18 UTC (rev 92798)
@@ -1,3 +1,17 @@
+2011-08-10  Abhishek Arya  <[email protected]>
+
+        Check that we do not need layout before trying to dirty
+        m_originatingLine for our floats.
+        https://bugs.webkit.org/show_bug.cgi?id=65938
+
+        Reviewed by Dave Hyatt.
+
+        Test: fast/block/float/float-originating-line-deleted-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeFloatingObject):
+        (WebCore::RenderBlock::clearFloats):
+
 2011-08-10  David Hyatt  <[email protected]>
 
         Add missing regions/exclusions-related files to EFL.
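Review bot: the new entry says what is checked but not why; neither `removeFloatingObject` nor `clearFloats` has a per-function note. A sentence after each function name stating that m_originatingLine may already have been removed when the block needs layout would let a reader of the ChangeLog understand the guard without opening the bug.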

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (92797 => 92798)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-08-10 21:42:26 UTC (rev 92797)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-08-10 21:48:18 UTC (rev 92798)
@@ -3253,8 +3253,10 @@
                     logicalBottom = max(logicalBottom, logicalTop + 1);
                 }
                 if (r->m_originatingLine) {
-                    ASSERT(r->m_originatingLine->renderer() == this);
-                    r->m_originatingLine->markDirty();
+                    if (!selfNeedsLayout()) {
+                        ASSERT(r->m_originatingLine->renderer() == this);
+                        r->m_originatingLine->markDirty();
+                    }
 #if !ASSERT_DISABLED
                     r->m_originatingLine = 0;
 #endif
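Review bot: with the new `if (!selfNeedsLayout())` guard, the only place this hunk resets the pointer is still `r->m_originatingLine = 0;` inside `#if !ASSERT_DISABLED`, so in builds with assertions disabled the floating object keeps a pointer that the log message describes as possibly removed. Consider clearing it unconditionally, or add a comment explaining why leaving it set is safe. The guard itself also needs a short comment saying why the originating line cannot be trusted while the block needs layout.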
@@ -3751,7 +3753,7 @@
                     }
 
                     floatMap.remove(f->m_renderer);
-                    if (oldFloatingObject->m_originatingLine) {
+                    if (oldFloatingObject->m_originatingLine && !selfNeedsLayout()) {
                         ASSERT(oldFloatingObject->m_originatingLine->renderer() == this);
                         oldFloatingObject->m_originatingLine->markDirty();
                     }
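Review bot: the guard here is folded into the condition as `oldFloatingObject->m_originatingLine && !selfNeedsLayout()`, while the same check in the hunk at line 3253 is written as a nested `if`. Two call sites dirtying the originating line under the same precondition are easy to let drift apart; a small helper on RenderBlock that takes the floating object and does the check, ASSERT and markDirty() in one place would keep them consistent and give the explanation a single home.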
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
