[webkit-changes] [114516] releases/WebKitGTK/webkit-1.8

Wed, 18 Apr 2012 09:29:40 -0700

Title: [114516] releases/WebKitGTK/webkit-1.8

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (114515 => 114516)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-04-18 16:29:20 UTC (rev 114515)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-04-18 16:29:26 UTC (rev 114516)
@@ -1,5 +1,15 @@
 2012-04-18  Abhishek Arya  <[email protected]>
 
+        Crash due to layer tree information not updated when moving run-in children.
+        https://bugs.webkit.org/show_bug.cgi?id=81265
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/runin/run-in-layer-not-removed-crash-expected.txt: Added.
+        * fast/runin/run-in-layer-not-removed-crash.html: Added.
+
+2012-04-18  Abhishek Arya  <[email protected]>
+
         Crash in Text::splitText due to mutation events.
         https://bugs.webkit.org/show_bug.cgi?id=80828

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt (0 => 114516)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt	2012-04-18 16:29:26 UTC (rev 114516)
@@ -0,0 +1,3 @@
+Webkit Bug 81265: Crash due to layer tree information not updated when moving run-in children.
+Test passes if it does not crash.
+
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html (0 => 114516)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html	2012-04-18 16:29:26 UTC (rev 114516)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<body>
+Webkit Bug 81265: Crash due to layer tree information not updated when moving run-in children.<br />
+Test passes if it does not crash.
+<style>
+#test0 {
+    -webkit-perspective: 1;
+}
+#test1:nth-last-child(3n) {
+    -webkit-box-reflect: right;
+    display: run-in;
+}
+#test2 {
+    display: inline-table;
+}
+#test2:first-child {
+    -webkit-box-reflect: below;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+_onload_ = function() 
+{
+    test0 = document.createElement('div');
+    test0.setAttribute('id','test0');
+    document.body.appendChild(test0);
+    test1 = document.createElement('b');
+    test1.setAttribute('id','test1');
+    document.body.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id','test2');
+    test1.appendChild(test2);
+    test3 = document.createElement('div');
+    document.body.appendChild(test3);
+    document.body.insertBefore(document.createElement('div'), test3);
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.execCommand('removeFormat');
+}
+</script>
+</body>
+</html>
+
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/runin/run-in-layer-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (114515 => 114516)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-04-18 16:29:20 UTC (rev 114515)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-04-18 16:29:26 UTC (rev 114516)
@@ -1,5 +1,21 @@
 2012-04-18  Abhishek Arya  <[email protected]>
 
+        Crash due to layer tree information not updated when moving run-in children.
+        https://bugs.webkit.org/show_bug.cgi?id=81265
+
+        Reviewed by Julien Chaffraix.
+
+        We need to do a full removal as the run-in child is getting inserted into
+        the neighbouring block and |blockRunIn| is going to be destroyed later
+        in the function.
+
+        Test: fast/runin/run-in-layer-not-removed-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::handleRunInChild):
+
+2012-04-18  Abhishek Arya  <[email protected]>
+
         Crash in Text::splitText due to mutation events.
         https://bugs.webkit.org/show_bug.cgi?id=80828

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp (114515 => 114516)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp	2012-04-18 16:29:20 UTC (rev 114515)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp	2012-04-18 16:29:26 UTC (rev 114516)
@@ -1756,7 +1756,7 @@
     // Move the nodes from the old child to the new child
     for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
         RenderObject* nextSibling = runInChild->nextSibling();
-        blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+        blockRunIn->children()->removeChildNode(blockRunIn, runInChild);
         inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
         runInChild = nextSibling;
     }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to