Title: [92935] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92934 => 92935)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 05:58:45 UTC (rev 92934)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 06:01:29 UTC (rev 92935)
@@ -1,5 +1,33 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 91781
+
+    2011-07-26  David Hyatt  <[email protected]>
+
+            https://bugs.webkit.org/show_bug.cgi?id=60778
+
+            Use after free because of line box culling optimization regression.
+
+            In the case of a child with no line box being removed (typically
+            a <br> in quirks mode), if there is no previous sibling with a line
+            box, then we have a potential problem with the culling optimization.
+
+            The culled inline may still have other leaf line box children, but
+            they may follow the removed <br>. In this case we can't rely on
+            them, since we need a line box that comes before the <br>.
+
+            The fix is to simply recur up to the parent if we are a culled inline
+            and could not find a previous line box.
+
+            Reviewed by Dan Bernstein.
+
+            Added editing/execCommand/crash-line-break-after-outdent.html
+
+            * editing/execCommand/crash-line-break-after-outdent-expected.txt: Added.
+            * editing/execCommand/crash-line-break-after-outdent.html: Added.
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 91689
 
     2011-07-25  Daniel Bates  <[email protected]>

Copied: branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt (from rev 91781, trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt) (0 => 92935)


--- branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt	2011-08-12 06:01:29 UTC (rev 92935)
@@ -0,0 +1,3 @@
+Test for bug REGRESSION (83075): Crash in line break after outdent
+
+This test PASSED!

Copied: branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html (from rev 91781, trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html) (0 => 92935)


--- branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html	2011-08-12 06:01:29 UTC (rev 92935)
@@ -0,0 +1,29 @@
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function f() {
+    document.designMode="on";
+    document.execCommand("SelectAll");
+    document.execCommand("InsertImage",false);
+    document.execCommand("InsertImage",false);
+    document.execCommand("Indent");
+    document.execCommand("insertunorderedlist",false);
+    document.execCommand("InsertUnorderedList",false);
+    document.execCommand("Bold");
+    document.execCommand("InsertLineBreak");
+    document.execCommand("insertunorderedlist");
+    document.execCommand("insertimage",false);
+    document.execCommand("insertparagraph",false);
+    document.execCommand("insertunorderedlist");
+    document.execCommand("InsertUnorderedList");
+    document.execCommand("Outdent");
+    document.write("<p>Test for bug <a href="" (83075): Crash in line break after outdent</p>");
+    document.write("<p>This test PASSED!</p>");
+}
+ </script>
+</head>
+<body _onload_='f();'>
+    <pre id="x">x</pre>
+</body>
\ No newline at end of file
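Review bot: as shown here, the last `document.write` in `f()` is not valid JavaScript: in `"<p>Test for bug <a href="" (83075): Crash in line break after outdent</p>"` the string literal closes at `href="` and a second literal begins immediately after it, so the whole `<script>` block would fail to parse and `f()` would never be defined. Likewise `<body _onload_='f();'>` uses an attribute name that no browser treats as the `load` handler, so `f()` would also never run and the test could not reach the `Outdent` step it exists to exercise. The expected output (`Test for bug REGRESSION (83075): Crash in line break after outdent`) suggests the anchor markup and the `onload` attribute were mangled in transit; confirm the committed file has a properly quoted `href`, the link text `REGRESSION (83075): ...`, and a plain `onload`, otherwise the test silently passes without touching the culled-inline path.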

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92934 => 92935)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 05:58:45 UTC (rev 92934)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 06:01:29 UTC (rev 92935)
@@ -1,5 +1,33 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 91781
+
+    2011-07-26  David Hyatt  <[email protected]>
+
+            https://bugs.webkit.org/show_bug.cgi?id=60778
+
+            Use after free because of line box culling optimization regression.
+
+            In the case of a child with no line box being removed (typically
+            a <br> in quirks mode), if there is no previous sibling with a line
+            box, then we have a potential problem with the culling optimization.
+
+            The culled inline may still have other leaf line box children, but
+            they may follow the removed <br>. In this case we can't rely on
+            them, since we need a line box that comes before the <br>.
+
+            The fix is to simply recur up to the parent if we are a culled inline
+            and could not find a previous line box.
+
+            Reviewed by Dan Bernstein.
+
+            Added editing/execCommand/crash-line-break-after-outdent.html
+
+            * rendering/RenderLineBoxList.cpp:
+            (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 91689
 
     2011-07-25  Daniel Bates  <[email protected]>
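Review bot: the entry for `RenderLineBoxList::dirtyLinesFromChangedChild` describes the fix as "recur up to the parent" but does not mention that the new path also calls `inlineContainer->setNeedsLayout(true)` and returns without dirtying any line box of its own, i.e. it deliberately over-invalidates. A sentence noting that trade-off (and why the extra layout is acceptable for this rare case) would make the ChangeLog match the code comment in `RenderLineBoxList.cpp`.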

Modified: branches/safari-534.51-branch/Source/WebCore/rendering/RenderLineBoxList.cpp (92934 => 92935)


--- branches/safari-534.51-branch/Source/WebCore/rendering/RenderLineBoxList.cpp	2011-08-12 05:58:45 UTC (rev 92934)
+++ branches/safari-534.51-branch/Source/WebCore/rendering/RenderLineBoxList.cpp	2011-08-12 06:01:29 UTC (rev 92935)
@@ -357,8 +357,21 @@
         if (box)
             break;
     }
-    if (!box)
+    if (!box) {
+        if (inlineContainer && !inlineContainer->alwaysCreateLineBoxes()) {
+            // https://bugs.webkit.org/show_bug.cgi?id=60778
+            // We may have just removed a <br> with no line box that was our first child. In this case
+            // we won't find a previous sibling, but firstBox can be pointing to a following sibling.
+            // This isn't good enough, since we won't locate the root line box that encloses the removed
+            // <br>. We have to just over-invalidate a bit and go up to our parent.
+            if (!inlineContainer->parent()->selfNeedsLayout()) {
+                inlineContainer->parent()->dirtyLinesFromChangedChild(inlineContainer);
+                inlineContainer->setNeedsLayout(true); // Mark the container as needing layout to avoid dirtying the same lines again across multiple destroy() calls of the same subtree.
+            }
+            return;
+        }
         box = firstBox->root();
+    }
 
     // If we found a line box, then dirty it.
     if (box) {
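Review bot: `inlineContainer->parent()` is dereferenced twice in the new block while only `inlineContainer` itself is null-checked; if a culled inline is guaranteed to have a parent here, state that with an `ASSERT(inlineContainer->parent())` before the `selfNeedsLayout()` call rather than relying on it silently, since this is the exact code path a use-after-free report led to. Also worth a one-line comment: `inlineContainer->parent()->dirtyLinesFromChangedChild(inlineContainer)` re-enters this same function, and if the parent is itself a culled inline it walks up again, terminating only when the container is no longer an inline or is one for which `alwaysCreateLineBoxes()` holds. The early `return` when the parent already `selfNeedsLayout()` looks correct, because the pending relayout of the parent rebuilds these lines anyway, and the `setNeedsLayout(true)` on the container keeps repeated `destroy()` calls on the same subtree from re-dirtying.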