[webkit-changes] [104223] branches/safari-534.54-branch

Thu, 05 Jan 2012 14:36:01 -0800

Title: [104223] branches/safari-534.54-branch

Diff

Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (104222 => 104223)


--- branches/safari-534.54-branch/LayoutTests/ChangeLog	2012-01-05 22:35:49 UTC (rev 104222)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog	2012-01-05 22:35:53 UTC (rev 104223)
@@ -1,5 +1,21 @@
 2011-1-5  Lucas Forschler  <[email protected]>
 
+    Merge 98763
+
+    2011-10-28  Ken Buchanan <[email protected]>
+
+            Crash when splitting inline flows with generated floats
+            https://bugs.webkit.org/show_bug.cgi?id=70458
+
+            Reviewed by David Hyatt.
+
+            Added test for crash condition when splitting inline flows on an object with generated floats.
+
+            * fast/css-generated-content/inline-splitting-with-after-float-crash.html: Added
+            * fast/css-generated-content/inline-splitting-with-after-float-crash-expected.txt: Added
+
+2011-1-5  Lucas Forschler  <[email protected]>
+
     Merge 98561
 
     2011-10-27  Ken Buchanan <[email protected]>

Copied: branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash-expected.txt (from rev 98763, trunk/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash-expected.txt) (0 => 104223)


--- branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash-expected.txt	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash-expected.txt	2012-01-05 22:35:53 UTC (rev 104223)
@@ -0,0 +1,2 @@
+PASS, if the script does not cause a crash or ASSERT failure
+

Copied: branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash.html (from rev 98763, trunk/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash.html) (0 => 104223)


--- branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash.html	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/css-generated-content/inline-splitting-with-after-float-crash.html	2012-01-05 22:35:53 UTC (rev 104223)
@@ -0,0 +1,27 @@
+<style>
+    .c2:after { float: left; content: "A"; }
+</style>
+PASS, if the script does not cause a crash or ASSERT failure
+<script>
+    function endTest(childSpan) {
+        childSpan.appendChild(divToInsert);
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+    function startTest() {
+        quoteNode = document.createElement('q');
+        document.documentElement.appendChild(quoteNode);
+        divToInsert = document.createElement('div');
+        parentSpan = document.createElement('span');
+        parentSpan.setAttribute('class', 'c2');
+        childSpan = document.createElement('span');
+        parentSpan.appendChild(childSpan);
+        document.documentElement.appendChild(parentSpan);
+        setTimeout('endTest(childSpan);', 50);
+        if (window.layoutTestController) {
+            layoutTestController.waitUntilDone();
+            layoutTestController.dumpAsText();
+        }
+    }
+    window._onload_ = startTest;
+</script>

Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (104222 => 104223)


--- branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 22:35:49 UTC (rev 104222)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 22:35:53 UTC (rev 104223)
@@ -1,5 +1,22 @@
 2011-1-5  Lucas Forschler  <[email protected]>
 
+    Merge 98763
+
+    2011-10-28  Ken Buchanan <[email protected]>
+
+            Crash when splitting inline flows with generated floats
+            https://bugs.webkit.org/show_bug.cgi?id=70458
+
+            Reviewed by David Hyatt.
+
+            When lineBoxes on a RenderBlock are being deleted, we now check the floating object list to
+            ensure references to them are being cleared.
+
+            * rendering/RenderBlock.cpp:
+            (WebCore::RenderBlock::deleteLineBoxTree): Remove references to lineBox when deleting them
+
+2011-1-5  Lucas Forschler  <[email protected]>
+
     Merge 98561
 
     2011-10-27  Ken Buchanan <[email protected]>

Modified: branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp (104222 => 104223)


--- branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-01-05 22:35:49 UTC (rev 104222)
+++ branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-01-05 22:35:53 UTC (rev 104223)
@@ -832,6 +832,15 @@
 
 void RenderBlock::deleteLineBoxTree()
 {
+    if (containsFloats()) {
+        // Clear references to originating lines, since the lines are being deleted
+        const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
+        FloatingObjectSetIterator end = floatingObjectSet.end();
+        for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
+            ASSERT(!((*it)->m_originatingLine) || (*it)->m_originatingLine->renderer() == this);
+            (*it)->m_originatingLine = 0;
+        }
+    }
     m_lineBoxes.deleteLineBoxTree(renderArena());
 }
 
Property changes on: branches/safari-534.54-branch/Source/WebCore/rendering/RenderBlock.cpp
___________________________________________________________________

Added: svn:executable

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to