Title: [109245] trunk
- Revision
- 109245
- Author
- [email protected]
- Date
- 2012-02-29 12:40:10 -0800 (Wed, 29 Feb 2012)
Log Message
Crash when changing list marker locations
https://bugs.webkit.org/show_bug.cgi?id=79681
Patch by Ken Buchanan <[email protected]> on 2012-02-29
Reviewed by David Hyatt.
Source/WebCore:
This fixes a regression crash from r108548.
There are some conditions where removing the anonymous block
parent at that point can cause problems. One is when there is
a continuation from it, and another when it is a sibling of
lineBoxParent and it causes lineBoxParent to be deleted
incidentally. This patch delays the destruction until after
lineBoxParent has been used and makes an exception for
continuations.
* rendering/RenderListItem.cpp:
(WebCore::RenderListItem::updateMarkerLocation)
LayoutTests:
This test exercises the crashing condition for bug 79681 where an
anonymous block was being removed from the render tree inappropriately.
* fast/lists/remove-listmarker-from-anonblock-with-continuation-crash-expected.txt: Added
* fast/lists/remove-listmarker-from-anonblock-with-continuation-crash.html: Added
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (109244 => 109245)
--- trunk/LayoutTests/ChangeLog 2012-02-29 20:33:32 UTC (rev 109244)
+++ trunk/LayoutTests/ChangeLog 2012-02-29 20:40:10 UTC (rev 109245)
@@ -1,3 +1,16 @@
+2012-02-29 Ken Buchanan <[email protected]>
+
+ Crash when changing list marker locations
+ https://bugs.webkit.org/show_bug.cgi?id=79681
+
+ Reviewed by David Hyatt.
+
+ This test exercises the crashing condition for bug 79681 where an
+ anonymous block was being removed from the render tree inappropriately.
+
+ * fast/lists/remove-listmarker-from-anonblock-with-continuation-crash-expected.txt: Added
+ * fast/lists/remove-listmarker-from-anonblock-with-continuation-crash.html: Added
+
2012-02-29 Adam Klein <[email protected]>
Unreviewed gardening, further mark stop-animation-on-suspend.html as crashy on Windows.
Added: trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash-expected.txt (0 => 109245)
--- trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash-expected.txt 2012-02-29 20:40:10 UTC (rev 109245)
@@ -0,0 +1,3 @@
+PASS if no crash or assert in debug
+
+
Added: trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash.html (0 => 109245)
--- trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash.html (rev 0)
+++ trunk/LayoutTests/fast/lists/remove-listmarker-from-anonblock-with-continuation-crash.html 2012-02-29 20:40:10 UTC (rev 109245)
@@ -0,0 +1,25 @@
+<style>
+.listItem { display: list-item; text-decoration: none; -webkit-column-width: 10px; }
+.colSpanAll { display: block; -webkit-column-span: all; }
+.absPosition { display: inherit; position: absolute; }
+</style>
+<script>
+theadElement = document.createElement('thead');
+theadElement.setAttribute('class', 'listItem');
+document.documentElement.appendChild(theadElement);
+
+listItemElement = document.createElement('li');
+listItemElement.appendChild(document.createTextNode('PASS if no crash or assert in debug'));
+
+theadElement.appendChild(listItemElement);
+theadElement.appendChild(document.createElement('progress'));
+theadElement.appendChild(document.createElement('hgroup'));
+
+document.documentElement.offsetHeight;
+listItemElement.setAttribute('class', 'absPosition');
+document.documentElement.offsetHeight;
+listItemElement.setAttribute('class', 'colSpanAll');
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
Modified: trunk/Source/WebCore/ChangeLog (109244 => 109245)
--- trunk/Source/WebCore/ChangeLog 2012-02-29 20:33:32 UTC (rev 109244)
+++ trunk/Source/WebCore/ChangeLog 2012-02-29 20:40:10 UTC (rev 109245)
@@ -1,3 +1,23 @@
+2012-02-29 Ken Buchanan <[email protected]>
+
+ Crash when changing list marker locations
+ https://bugs.webkit.org/show_bug.cgi?id=79681
+
+ Reviewed by David Hyatt.
+
+ This fixes a regression crash from r108548.
+
+ There are some conditions where removing the anonymous block
+ parent at that point can cause problems. One is when there is
+ a continuation from it, and another when it is a sibling of
+ lineBoxParent and it causes lineBoxParent to be deleted
+ incidentally. This patch delays the destruction until after
+ lineBoxParent has been used and makes an exception for
+ continuations.
+
+ * rendering/RenderListItem.cpp:
+ (WebCore::RenderListItem::updateMarkerLocation)
+
2012-02-29 Max Feil <[email protected]>
[BlackBerry] Add support for FLAC audio and OGG/Vorbis audio
Modified: trunk/Source/WebCore/rendering/RenderListItem.cpp (109244 => 109245)
--- trunk/Source/WebCore/rendering/RenderListItem.cpp 2012-02-29 20:33:32 UTC (rev 109244)
+++ trunk/Source/WebCore/rendering/RenderListItem.cpp 2012-02-29 20:40:10 UTC (rev 109245)
@@ -247,14 +247,15 @@
LayoutStateDisabler layoutStateDisabler(view());
updateFirstLetter();
m_marker->remove();
- // If markerPar is an anonymous block that will lose all its children, destroy it
- if (markerPar && (markerPar != lineBoxParent) && markerPar->isAnonymousBlock() && !(toRenderBlock(markerPar)->firstChild()))
- markerPar->destroy();
if (!lineBoxParent)
lineBoxParent = this;
lineBoxParent->addChild(m_marker, firstNonMarkerChild(lineBoxParent));
if (m_marker->preferredLogicalWidthsDirty())
m_marker->computePreferredLogicalWidths();
+ // If markerPar is an anonymous block that has lost all its children, destroy it.
+ // Extraneous anonymous blocks can cause problems for RenderBlock::updateBeforeAfterContent.
+ if (markerPar && markerPar->isAnonymousBlock() && !markerPar->firstChild() && !toRenderBlock(markerPar)->continuation())
+ markerPar->destroy();
}
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
