Title: [98935] trunk
- Revision
- 98935
- Author
- [email protected]
- Date
- 2011-10-31 21:24:08 -0700 (Mon, 31 Oct 2011)
Log Message
Source/WebCore: Fix a crash relating to anonymous block merging in
RenderFullScreen::unwrapRenderer.
https://bugs.webkit.org/show_bug.cgi?id=70705
Patch by Jeremy Apthorp <[email protected]> on 2011-10-31
Reviewed by Simon Fraser.
Test: fullscreen/anonymous-block-merge-crash.html
* rendering/RenderFullScreen.cpp:
(RenderFullScreen::unwrapRenderer):
LayoutTests: Test case for a crash relating to merging of anonymous blocks in
RenderFullScreen::unwrapRenderer.
https://bugs.webkit.org/show_bug.cgi?id=70705
Patch by Jeremy Apthorp <[email protected]> on 2011-10-31
Reviewed by Simon Fraser.
* fullscreen/anonymous-block-merge-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (98934 => 98935)
--- trunk/LayoutTests/ChangeLog 2011-11-01 03:37:51 UTC (rev 98934)
+++ trunk/LayoutTests/ChangeLog 2011-11-01 04:24:08 UTC (rev 98935)
@@ -1,3 +1,13 @@
+2011-10-31 Jeremy Apthorp <[email protected]>
+
+ Test case for a crash relating to merging of anonymous blocks in
+ RenderFullScreen::unwrapRenderer.
+ https://bugs.webkit.org/show_bug.cgi?id=70705
+
+ Reviewed by Simon Fraser.
+
+ * fullscreen/anonymous-block-merge-crash.html: Added.
+
2011-10-31 John Gregg <[email protected]>
Unreviewed gardening; bind-script-to-resource.html times out on chromium mac.
Added: trunk/LayoutTests/fullscreen/anonymous-block-merge-crash-expected.txt (0 => 98935)
--- trunk/LayoutTests/fullscreen/anonymous-block-merge-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fullscreen/anonymous-block-merge-crash-expected.txt 2011-11-01 04:24:08 UTC (rev 98935)
@@ -0,0 +1,2 @@
+PASS
+
Added: trunk/LayoutTests/fullscreen/anonymous-block-merge-crash.html (0 => 98935)
--- trunk/LayoutTests/fullscreen/anonymous-block-merge-crash.html (rev 0)
+++ trunk/LayoutTests/fullscreen/anonymous-block-merge-crash.html 2011-11-01 04:24:08 UTC (rev 98935)
@@ -0,0 +1,16 @@
+<span><object><div>PASS</div></span>
+<script src=""
+<script>
+ if (Element.prototype.webkitRequestFullScreen == undefined) {
+ } else {
+ var span = document.getElementsByTagName('span')[0];
+
+ document._onwebkitfullscreenchange_ = function(event) {
+ document.body.appendChild(document.createElement('div'));
+ document.webkitCancelFullScreen();
+ layoutTestController.notifyDone();
+ };
+
+ runWithKeyDown(function(){span.webkitRequestFullScreen()});
+ }
+</script>
Modified: trunk/Source/WebCore/ChangeLog (98934 => 98935)
--- trunk/Source/WebCore/ChangeLog 2011-11-01 03:37:51 UTC (rev 98934)
+++ trunk/Source/WebCore/ChangeLog 2011-11-01 04:24:08 UTC (rev 98935)
@@ -1,3 +1,16 @@
+2011-10-31 Jeremy Apthorp <[email protected]>
+
+ Fix a crash relating to anonymous block merging in
+ RenderFullScreen::unwrapRenderer.
+ https://bugs.webkit.org/show_bug.cgi?id=70705
+
+ Reviewed by Simon Fraser.
+
+ Test: fullscreen/anonymous-block-merge-crash.html
+
+ * rendering/RenderFullScreen.cpp:
+ (RenderFullScreen::unwrapRenderer):
+
2011-10-31 Dave Michael <[email protected]>
V8MessageEvent::dataAccessorGetter does not return a reference to its caller
Modified: trunk/Source/WebCore/rendering/RenderFullScreen.cpp (98934 => 98935)
--- trunk/Source/WebCore/rendering/RenderFullScreen.cpp 2011-11-01 03:37:51 UTC (rev 98934)
+++ trunk/Source/WebCore/rendering/RenderFullScreen.cpp 2011-11-01 04:24:08 UTC (rev 98935)
@@ -125,14 +125,11 @@
void RenderFullScreen::unwrapRenderer()
{
RenderObject* holder = placeholder() ? placeholder() : this;
- RenderObject* parent = holder->parent();
- if (parent) {
- RenderObject* child = firstChild();
- while (child) {
- RenderObject* nextChild = child->nextSibling();
+ if (holder->parent()) {
+ RenderObject* child;
+ while ((child = firstChild())) {
child->remove();
- parent->addChild(child, holder);
- child = nextChild;
+ holder->parent()->addChild(child, holder);
}
}
remove();
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
