Title: [109124] trunk
- Revision
- 109124
- Author
- [email protected]
- Date
- 2012-02-28 11:12:52 -0800 (Tue, 28 Feb 2012)
Log Message
Crash from list marker having inline and block children
https://bugs.webkit.org/show_bug.cgi?id=79793
Patch by Ken Buchanan <[email protected]> on 2012-02-28
Reviewed by Julien Chaffraix.
Source/WebCore:
Crashing condition in which an anonymous block was being collapsed
even though it had a block sibling. removeChild() was not checking
for siblings that might precede :before content renderers, such
as list items. This patch corrects that.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild)
LayoutTests:
Test to exercise crashing condition in bug 79793. This creates a list
marker that precedes a floating :before content renderer and then
modifies the render tree to remove a neighboring header element.
* fast/css-generated-content/floating-before-content-with-list-marker-crash-expected.txt: Added
* fast/css-generated-content/floating-before-content-with-list-marker-crash.html: Added
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (109123 => 109124)
--- trunk/LayoutTests/ChangeLog 2012-02-28 18:51:47 UTC (rev 109123)
+++ trunk/LayoutTests/ChangeLog 2012-02-28 19:12:52 UTC (rev 109124)
@@ -1,3 +1,17 @@
+2012-02-28 Ken Buchanan <[email protected]>
+
+ Crash from list marker having inline and block children
+ https://bugs.webkit.org/show_bug.cgi?id=79793
+
+ Reviewed by Julien Chaffraix.
+
+ Test to exercise crashing condition in bug 79793. This creates a list
+ marker that precedes a floating :before content renderer and then
+ modifies the render tree to remove a neighboring header element.
+
+ * fast/css-generated-content/floating-before-content-with-list-marker-crash-expected.txt: Added
+ * fast/css-generated-content/floating-before-content-with-list-marker-crash.html: Added
+
2012-02-28 Pavel Feldman <[email protected]>
Web Inspector: move filtering of the timeline records into the presentation model.
Added: trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash-expected.txt (0 => 109124)
--- trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash-expected.txt 2012-02-28 19:12:52 UTC (rev 109124)
@@ -0,0 +1 @@
+PASS if no crash or assert in debug
Added: trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash.html (0 => 109124)
--- trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/floating-before-content-with-list-marker-crash.html 2012-02-28 19:12:52 UTC (rev 109124)
@@ -0,0 +1,19 @@
+<style>
+.floatingBefore::before { overflow: visible; float: left; content: open-quote; }
+</style>
+<script>
+tbodyElement = document.createElement('tbody');
+listItemElement = document.createElement('li');
+listItemElement.setAttribute('class', 'floatingBefore');
+document.documentElement.appendChild(listItemElement);
+headerElement = document.createElement('header');
+listItemElement.appendChild(headerElement);
+listItemElement.appendChild(document.createElement('sub'));
+document.documentElement.offsetHeight;
+tbodyElement.appendChild(headerElement);
+
+document.documentElement.appendChild(document.createTextNode('PASS if no crash or assert in debug'));
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
Modified: trunk/Source/WebCore/ChangeLog (109123 => 109124)
--- trunk/Source/WebCore/ChangeLog 2012-02-28 18:51:47 UTC (rev 109123)
+++ trunk/Source/WebCore/ChangeLog 2012-02-28 19:12:52 UTC (rev 109124)
@@ -1,3 +1,18 @@
+2012-02-28 Ken Buchanan <[email protected]>
+
+ Crash from list marker having inline and block children
+ https://bugs.webkit.org/show_bug.cgi?id=79793
+
+ Reviewed by Julien Chaffraix.
+
+ Crashing condition in which an anonymous block was being collapsed
+ even though it had a block sibling. removeChild() was not checking
+ for siblings that might precede :before content renderers, such
+ as list items. This patch corrects that.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::removeChild)
+
2012-02-28 Adam Klein <[email protected]>
Unreviewed, speculative test fix after r109016.
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (109123 => 109124)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-02-28 18:51:47 UTC (rev 109123)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-02-28 19:12:52 UTC (rev 109124)
@@ -1209,8 +1209,8 @@
// are floating, then we need to pull the content up also.
RenderBlock* anonBlock = toRenderBlock((prev && prev->isAnonymousBlock()) ? prev : next);
if ((anonBlock->previousSibling() || anonBlock->nextSibling())
- && (!anonBlock->previousSibling() || (anonBlock->previousSibling()->style()->styleType() != NOPSEUDO && anonBlock->previousSibling()->isFloating()))
- && (!anonBlock->nextSibling() || (anonBlock->nextSibling()->style()->styleType() != NOPSEUDO && anonBlock->nextSibling()->isFloating()))) {
+ && (!anonBlock->previousSibling() || (anonBlock->previousSibling()->style()->styleType() != NOPSEUDO && anonBlock->previousSibling()->isFloating() && !anonBlock->previousSibling()->previousSibling()))
+ && (!anonBlock->nextSibling() || (anonBlock->nextSibling()->style()->styleType() != NOPSEUDO && anonBlock->nextSibling()->isFloating() && !anonBlock->nextSibling()->nextSibling()))) {
collapseAnonymousBoxChild(this, anonBlock);
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
