[webkit-changes] [104203] branches/safari-534.54-branch

Thu, 05 Jan 2012 13:11:17 -0800

Title: [104203] branches/safari-534.54-branch

Diff

Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (104202 => 104203)


--- branches/safari-534.54-branch/LayoutTests/ChangeLog	2012-01-05 21:04:16 UTC (rev 104202)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog	2012-01-05 21:11:10 UTC (rev 104203)
@@ -1,5 +1,19 @@
 2011-1-5  Lucas Forschler  <[email protected]>
 
+    Merge 97786
+
+    2011-10-18  Julien Chaffraix  <[email protected]>
+
+            Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+            https://bugs.webkit.org/show_bug.cgi?id=70183
+
+            Reviewed by David Hyatt.
+
+            * fast/flexbox/layoutHorizontal-crash-expected.txt: Added.
+            * fast/flexbox/layoutHorizontal-crash.html: Added.
+
+2011-1-5  Lucas Forschler  <[email protected]>
+
     Merge 97524
 
     2011-10-14  Simon Fraser  <[email protected]>

Copied: branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt (from rev 97786, trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt) (0 => 104203)


--- branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash-expected.txt	2012-01-05 21:11:10 UTC (rev 104203)
@@ -0,0 +1,3 @@
+
+bug 70183: Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+If this test did not CRASH or show errors in valgrind, it has PASSED.

Copied: branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html (from rev 97786, trunk/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html) (0 => 104203)


--- branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/flexbox/layoutHorizontalBox-crash.html	2012-01-05 21:11:10 UTC (rev 104203)
@@ -0,0 +1,25 @@
+<style>
+.c6:first-letter { visibility: hidden; }
+.c6:nth-last-child(2n+10000000000000000) { text-align: -webkit-center; width: 10px; }
+.c26:first-letter { visibility: inherit; overflow: scroll; float: left;</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest() {
+    var button = document.createElement('button');
+    button.setAttribute('class', 'c6');
+    document.documentElement.appendChild(button);
+    document.documentElement.appendChild(document.createElement('dfn'));
+    var figCaption = document.createElement('figcaption');
+    figCaption.setAttribute('class', 'c26');
+    document.documentElement.appendChild(document.createElement('var'));
+    document.documentElement.appendChild(document.createElement('summary'));
+    var text = document.createTextNode("bug 70183: Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox");
+    figCaption.appendChild(text);
+    button.appendChild(figCaption);
+    document.body.offsetTop;
+    document.documentElement.appendChild(document.createTextNode("If this test did not CRASH or show errors in valgrind, it has PASSED."));
+}
+window._onload_ = runTest;
+</script>

Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (104202 => 104203)


--- branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 21:04:16 UTC (rev 104202)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 21:11:10 UTC (rev 104203)
@@ -1,5 +1,26 @@
 2011-1-5  Lucas Forschler  <[email protected]>
 
+    Merge 97786
+
+    2011-10-18  Julien Chaffraix  <[email protected]>
+
+            Crash in RenderDeprecatedFlexibleBox::layoutHorizontalBox
+            https://bugs.webkit.org/show_bug.cgi?id=70183
+
+            Reviewed by David Hyatt.
+
+            Test: fast/flexbox/layoutHorizontal-crash.html
+
+            The deferred scroll information update logic was not updated when an object was destroy'ed.
+
+            The fix is very simple. As the deferred logic was only used with deprecated flexbox, it is a
+            pretty uncommon cases so let's optimize the new code for the common case.
+
+            * rendering/RenderBlock.cpp:
+            (WebCore::RenderBlock::willBeDestroyed):
+
+2011-1-5  Lucas Forschler  <[email protected]>
+
     Merge 97502
 
     2011-10-14  Simon Fraser  <[email protected]>

Modified: branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp (104202 => 104203)


--- branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-01-05 21:04:16 UTC (rev 104202)
+++ branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-01-05 21:11:10 UTC (rev 104203)
@@ -191,6 +191,9 @@
 
     m_lineBoxes.deleteLineBoxes(renderArena());
 
+    if (UNLIKELY(gDelayedUpdateScrollInfoSet != 0))
+        gDelayedUpdateScrollInfoSet->remove(this);
+
     RenderBox::destroy();
 }
 

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to