[webkit-changes] [105344] branches/chromium/912

Wed, 18 Jan 2012 16:26:01 -0800

Title: [105344] branches/chromium/912

Diff

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3-expected.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash3-expected.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3-expected.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3-expected.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,46 @@
+<html>
+<head>
+<style>
+.c2 { display: table-caption; position: relative; }
+.c9 { visibility: collapse; height: 65536px; }
+.c15 { display: inline; float: right;}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    document.execCommand("SelectAll", false, "");
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[3] = document.createElement('tbody'); } catch(e) {}
+    try { nodes[3].setAttribute('class', 'c2'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[3]); } catch(e) {}
+    try { nodes[4] = document.createElement('col'); } catch(e) {}
+    try { nodes[4].setAttribute('class', 'c15'); } catch(e) {}
+    try { nodes[3].appendChild(nodes[4]); } catch(e) {}
+    try { nodes[6] = document.createElement('keygen'); } catch(e) {}
+    try { nodes[6].setAttribute('class', 'c2'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[6]); } catch(e) {}
+    try { nodes[8] = document.createElement('a'); } catch(e) {}
+    try { nodes[4].appendChild(nodes[8]); } catch(e) {}
+    try { nodes[21] = document.createElement('tr'); } catch(e) {}
+    try { nodes[21].setAttribute('class', 'c9'); } catch(e) {}
+    try { nodes[8].appendChild(nodes[21]); } catch(e) {}
+    try { nodes[29] = document.createElement('caption'); } catch(e) {}
+    setTimeout('try { nodes[29].appendChild(nodes[4]); } catch(e) {}', 561);
+    setTimeout('window.scrollBy(-37, 59);', 203);
+    setTimeout('tryToCrash();', 402);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash3.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash3.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,46 @@
+<html>
+<head>
+<style>
+.c2 { display: table-caption; position: relative; }
+.c9 { visibility: collapse; height: 65536px; }
+.c15 { display: inline; float: right;}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    document.execCommand("SelectAll", false, "");
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[3] = document.createElement('tbody'); } catch(e) {}
+    try { nodes[3].setAttribute('class', 'c2'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[3]); } catch(e) {}
+    try { nodes[4] = document.createElement('col'); } catch(e) {}
+    try { nodes[4].setAttribute('class', 'c15'); } catch(e) {}
+    try { nodes[3].appendChild(nodes[4]); } catch(e) {}
+    try { nodes[6] = document.createElement('keygen'); } catch(e) {}
+    try { nodes[6].setAttribute('class', 'c2'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[6]); } catch(e) {}
+    try { nodes[8] = document.createElement('a'); } catch(e) {}
+    try { nodes[4].appendChild(nodes[8]); } catch(e) {}
+    try { nodes[21] = document.createElement('tr'); } catch(e) {}
+    try { nodes[21].setAttribute('class', 'c9'); } catch(e) {}
+    try { nodes[8].appendChild(nodes[21]); } catch(e) {}
+    try { nodes[29] = document.createElement('caption'); } catch(e) {}
+    setTimeout('try { nodes[29].appendChild(nodes[4]); } catch(e) {}', 561);
+    setTimeout('window.scrollBy(-37, 59);', 203);
+    setTimeout('tryToCrash();', 402);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4-expected.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash4-expected.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4-expected.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4-expected.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,49 @@
+<html>
+<head>
+<style>
+.c10 { display: table-caption; width: 65536px; }
+.c12 > .c7 { visibility: hidden; float: left; }
+.c13:nth-of-type(2n) { color: Yellow; }
+.c15:nth-last-of-type(-n+6) { display: -webkit-box; padding-left: 65536px; }
+</style>
+
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    try { nodes[84].setAttribute('class', 'c18'); } catch(e) {};
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[8] = document.createElement('select'); } catch(e) {}
+    try { nodes[8].setAttribute('class', 'c7'); } catch(e) {}
+    try { nodes[16] = document.createElement('abbr'); } catch(e) {}
+    try { nodes[84] = document.createElement('li'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[84]); } catch(e) {}
+    try { nodes[91] = document.createElement('caption'); } catch(e) {}
+    try { nodes[91].setAttribute('class', 'c12'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[91]); } catch(e) {}
+    try { nodes[92] = document.createElement('details'); } catch(e) {}
+    try { nodes[92].setAttribute('class', 'c10'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[92]); } catch(e) {}
+    try { nodes[94] = document.createElement('ruby'); } catch(e) {}
+    try { nodes[94].setAttribute('class', 'c13'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[94]); } catch(e) {}
+
+    setTimeout("try { nodes[8].setAttribute('class', 'c15'); } catch(e) {}", 616);
+    setTimeout('try { nodes[91].appendChild(nodes[8]); } catch(e) {}', 502);
+    setTimeout('try { nodes[92].appendChild(nodes[16]); } catch(e) {}', 461);
+    setTimeout('tryToCrash();', 519);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash4.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash4.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,49 @@
+<html>
+<head>
+<style>
+.c10 { display: table-caption; width: 65536px; }
+.c12 > .c7 { visibility: hidden; float: left; }
+.c13:nth-of-type(2n) { color: Yellow; }
+.c15:nth-last-of-type(-n+6) { display: -webkit-box; padding-left: 65536px; }
+</style>
+
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    try { nodes[84].setAttribute('class', 'c18'); } catch(e) {};
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[8] = document.createElement('select'); } catch(e) {}
+    try { nodes[8].setAttribute('class', 'c7'); } catch(e) {}
+    try { nodes[16] = document.createElement('abbr'); } catch(e) {}
+    try { nodes[84] = document.createElement('li'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[84]); } catch(e) {}
+    try { nodes[91] = document.createElement('caption'); } catch(e) {}
+    try { nodes[91].setAttribute('class', 'c12'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[91]); } catch(e) {}
+    try { nodes[92] = document.createElement('details'); } catch(e) {}
+    try { nodes[92].setAttribute('class', 'c10'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[92]); } catch(e) {}
+    try { nodes[94] = document.createElement('ruby'); } catch(e) {}
+    try { nodes[94].setAttribute('class', 'c13'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[94]); } catch(e) {}
+
+    setTimeout("try { nodes[8].setAttribute('class', 'c15'); } catch(e) {}", 616);
+    setTimeout('try { nodes[91].appendChild(nodes[8]); } catch(e) {}', 502);
+    setTimeout('try { nodes[92].appendChild(nodes[16]); } catch(e) {}', 461);
+    setTimeout('tryToCrash();', 519);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5-expected.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash5-expected.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5-expected.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5-expected.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,42 @@
+<html>
+<head>
+<style>
+.c0 { display: table-caption; width: 0px; }
+.c7 { float: right; padding-right: 100px; padding-bottom: 100px;}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    try { nodes[91].appendChild(nodes[39]); } catch(e) {}
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[8] = document.createElement('dfn'); } catch(e) {}
+    try { nodes[8].setAttribute('class', 'c7'); } catch(e) {}
+    try { nodes[30] = document.createElement('span'); } catch(e) {}
+    try { nodes[39] = document.createElement('strong'); } catch(e) {}
+    try { nodes[69] = document.createElement('header'); } catch(e) {}
+    try { nodes[39].appendChild(nodes[69]); } catch(e) {}
+    try { nodes[89] = document.createElement('nav'); } catch(e) {}
+    try { nodes[89].setAttribute('class', 'c0'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[89]); } catch(e) {}
+    try { nodes[91] = document.createElement('form'); } catch(e) {}
+    try { nodes[91].setAttribute('class', 'c0'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[91]); } catch(e) {}
+    try { nodes[89].appendChild(nodes[8]); } catch(e) {}
+    setTimeout('try { nodes[30].appendChild(nodes[89]); } catch(e) {}', 4);
+    setTimeout('tryToCrash();', 0);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Copied: branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5.html (from rev 105120, trunk/LayoutTests/fast/table/multiple-captions-crash5.html) (0 => 105344)


--- branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/multiple-captions-crash5.html	2012-01-19 00:25:55 UTC (rev 105344)
@@ -0,0 +1,42 @@
+<html>
+<head>
+<style>
+.c0 { display: table-caption; width: 0px; }
+.c7 { float: right; padding-right: 100px; padding-bottom: 100px;}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+var nodes = Array();
+
+function tryToCrash()
+{
+    try { nodes[91].appendChild(nodes[39]); } catch(e) {}
+    setTimeout('layoutTestController.notifyDone();',1000);
+}
+
+function boom() {
+    try { nodes[8] = document.createElement('dfn'); } catch(e) {}
+    try { nodes[8].setAttribute('class', 'c7'); } catch(e) {}
+    try { nodes[30] = document.createElement('span'); } catch(e) {}
+    try { nodes[39] = document.createElement('strong'); } catch(e) {}
+    try { nodes[69] = document.createElement('header'); } catch(e) {}
+    try { nodes[39].appendChild(nodes[69]); } catch(e) {}
+    try { nodes[89] = document.createElement('nav'); } catch(e) {}
+    try { nodes[89].setAttribute('class', 'c0'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[89]); } catch(e) {}
+    try { nodes[91] = document.createElement('form'); } catch(e) {}
+    try { nodes[91].setAttribute('class', 'c0'); } catch(e) {}
+    try { document.documentElement.appendChild(nodes[91]); } catch(e) {}
+    try { nodes[89].appendChild(nodes[8]); } catch(e) {}
+    setTimeout('try { nodes[30].appendChild(nodes[89]); } catch(e) {}', 4);
+    setTimeout('tryToCrash();', 0);
+}
+</script>
+</head>
+<body _onLoad_="setTimeout('boom();',0)">
+Passes if it doesn't crash!
+</body>
+</html>
\ No newline at end of file

Modified: branches/chromium/912/Source/WebCore/rendering/RenderBlock.cpp (105343 => 105344)


--- branches/chromium/912/Source/WebCore/rendering/RenderBlock.cpp	2012-01-19 00:24:39 UTC (rev 105343)
+++ branches/chromium/912/Source/WebCore/rendering/RenderBlock.cpp	2012-01-19 00:25:55 UTC (rev 105344)
@@ -4021,13 +4021,17 @@
     }
 }
 
-void RenderBlock::markSiblingsWithFloatsForLayout()
+void RenderBlock::markSiblingsWithFloatsForLayout(RenderBox* floatToRemove)
 {
+    if (!m_floatingObjects)
+        return;
     const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
     FloatingObjectSetIterator end = floatingObjectSet.end();
     for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
         if (logicalBottomForFloat(*it) > logicalHeight()) {
             RenderBox* floatingBox = (*it)->renderer();
+            if (floatToRemove && floatingBox != floatToRemove)
+                continue;
 
             RenderObject* next = nextSibling();
             while (next) {

Modified: branches/chromium/912/Source/WebCore/rendering/RenderBlock.h (105343 => 105344)


--- branches/chromium/912/Source/WebCore/rendering/RenderBlock.h	2012-01-19 00:24:39 UTC (rev 105343)
+++ branches/chromium/912/Source/WebCore/rendering/RenderBlock.h	2012-01-19 00:25:55 UTC (rev 105344)
@@ -118,7 +118,7 @@
     bool generatesLineBoxesForInlineChild(RenderObject*);
 
     void markAllDescendantsWithFloatsForLayout(RenderBox* floatToRemove = 0, bool inLayout = true);
-    void markSiblingsWithFloatsForLayout();
+    void markSiblingsWithFloatsForLayout(RenderBox* floatToRemove = 0);
     void markPositionedObjectsForLayout();
     virtual void markForPaginationRelayoutIfNeeded();

Modified: branches/chromium/912/Source/WebCore/rendering/RenderBox.cpp (105343 => 105344)


--- branches/chromium/912/Source/WebCore/rendering/RenderBox.cpp	2012-01-19 00:24:39 UTC (rev 105343)
+++ branches/chromium/912/Source/WebCore/rendering/RenderBox.cpp	2012-01-19 00:25:55 UTC (rev 105344)
@@ -289,6 +289,7 @@
             if (parent && parent->isDeprecatedFlexibleBox())
                 parentBlock = toRenderBlock(parent);
 
+            parentBlock->markSiblingsWithFloatsForLayout(this);
             parentBlock->markAllDescendantsWithFloatsForLayout(this, false);
         }
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to