[webkit-changes] [111263] trunk

Mon, 19 Mar 2012 15:54:24 -0700

Title: [111263] trunk
Revision
111263
Author
[email protected]
Date
2012-03-19 15:53:57 -0700 (Mon, 19 Mar 2012)

Log Message

Crash due to layer tree information not updated when moving run-in children.
https://bugs.webkit.org/show_bug.cgi?id=81265

Reviewed by Julien Chaffraix.

Source/WebCore:

We need to do a full removal as the run-in child is getting inserted into
the neighbouring block and |blockRunIn| is going to be destroyed later
in the function.

Test: fast/runin/run-in-layer-not-removed-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::handleRunInChild):

LayoutTests:

* fast/runin/run-in-layer-not-removed-crash-expected.txt: Added.
* fast/runin/run-in-layer-not-removed-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (111262 => 111263)


--- trunk/LayoutTests/ChangeLog	2012-03-19 22:52:42 UTC (rev 111262)
+++ trunk/LayoutTests/ChangeLog	2012-03-19 22:53:57 UTC (rev 111263)
@@ -1,3 +1,13 @@
+2012-03-19  Abhishek Arya  <[email protected]>
+
+        Crash due to layer tree information not updated when moving run-in children.
+        https://bugs.webkit.org/show_bug.cgi?id=81265
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/runin/run-in-layer-not-removed-crash-expected.txt: Added.
+        * fast/runin/run-in-layer-not-removed-crash.html: Added.
+
 2012-03-19  Andy Chen  <[email protected]>
 
         [BlackBerry] Add new layout test for text match marker

Added: trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt (0 => 111263)


--- trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt	2012-03-19 22:53:57 UTC (rev 111263)
@@ -0,0 +1,3 @@
+Webkit Bug 81265: Crash due to layer tree information not updated when moving run-in children.
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html (0 => 111263)


--- trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html	2012-03-19 22:53:57 UTC (rev 111263)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<body>
+Webkit Bug 81265: Crash due to layer tree information not updated when moving run-in children.<br />
+Test passes if it does not crash.
+<style>
+#test0 {
+    -webkit-perspective: 1;
+}
+#test1:nth-last-child(3n) {
+    -webkit-box-reflect: right;
+    display: run-in;
+}
+#test2 {
+    display: inline-table;
+}
+#test2:first-child {
+    -webkit-box-reflect: below;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+_onload_ = function() 
+{
+    test0 = document.createElement('div');
+    test0.setAttribute('id','test0');
+    document.body.appendChild(test0);
+    test1 = document.createElement('b');
+    test1.setAttribute('id','test1');
+    document.body.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id','test2');
+    test1.appendChild(test2);
+    test3 = document.createElement('div');
+    document.body.appendChild(test3);
+    document.body.insertBefore(document.createElement('div'), test3);
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('removeFormat');
+}
+</script>
+</body>
+</html>
+
Property changes on: trunk/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (111262 => 111263)


--- trunk/Source/WebCore/ChangeLog	2012-03-19 22:52:42 UTC (rev 111262)
+++ trunk/Source/WebCore/ChangeLog	2012-03-19 22:53:57 UTC (rev 111263)
@@ -1,3 +1,19 @@
+2012-03-19  Abhishek Arya  <[email protected]>
+
+        Crash due to layer tree information not updated when moving run-in children.
+        https://bugs.webkit.org/show_bug.cgi?id=81265
+
+        Reviewed by Julien Chaffraix.
+
+        We need to do a full removal as the run-in child is getting inserted into
+        the neighbouring block and |blockRunIn| is going to be destroyed later
+        in the function.
+
+        Test: fast/runin/run-in-layer-not-removed-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::handleRunInChild):
+
 2012-03-19  Dana Jansens  <[email protected]>
 
         [chromium] Remove misleading double-if

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (111262 => 111263)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-03-19 22:52:42 UTC (rev 111262)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-03-19 22:53:57 UTC (rev 111263)
@@ -1874,7 +1874,7 @@
     // Move the nodes from the old child to the new child
     for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
         RenderObject* nextSibling = runInChild->nextSibling();
-        blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+        blockRunIn->children()->removeChildNode(blockRunIn, runInChild);
         inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
         runInChild = nextSibling;
     }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to