Title: [116325] trunk
Revision
116325
Author
[email protected]
Date
2012-05-07 11:27:21 -0700 (Mon, 07 May 2012)

Log Message

Crash in RenderBlock::updateFirstLetterStyle.
https://bugs.webkit.org/show_bug.cgi?id=85759

Reviewed by Julien Chaffraix.

Source/WebCore:

Test: fast/css-generated-content/first-letter-next-sibling-crash.html

RenderBlock::removeChild can bring up the children from last single anonymous block,
causing |nextSibling| in RenderBlock::updateFirstLetterStyle to go stale. We prevent
this by removing the child safely using removeChildNode before destroying it.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::updateFirstLetterStyle):

LayoutTests:

* fast/css-generated-content/first-letter-next-sibling-crash-expected.txt: Added.
* fast/css-generated-content/first-letter-next-sibling-crash.html: Added.
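The stale-pointer mechanism described in the log message, reduced to a toy tree so the ordering problem can be seen without WebCore. This is an added example, not WebKit code: `Node`, `Tree`, `removeChildNode`, `removeChild`, `destroy`, `addChild` and the `Fixture` shape are all constructed here to mirror the behaviour the commit describes (a parent that collapses a lone anonymous block on `removeChild`, and a caller that cached `nextSibling` before destroying a child). Destroyed nodes are flagged rather than freed so the stale use is detectable instead of undefined behaviour.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Constructed toy model of a render-tree node (not WebCore's RenderObject).
struct Node {
    std::string name;
    bool anonymous = false;
    bool destroyed = false;          // flagged instead of freed, so stale use is observable
    Node* parent = nullptr;
    std::vector<Node*> children;
};

struct Tree {
    std::vector<std::unique_ptr<Node>> arena;   // owns every node ever created

    Node* make(const std::string& name, bool anonymous = false) {
        arena.push_back(std::make_unique<Node>());
        Node* n = arena.back().get();
        n->name = name;
        n->anonymous = anonymous;
        return n;
    }

    // Detach a child from its parent's list without destroying anything (models removeChildNode).
    void removeChildNode(Node* parent, Node* child) {
        auto& c = parent->children;
        c.erase(std::remove(c.begin(), c.end(), child), c.end());
        child->parent = nullptr;
    }

    // Models the RenderBlock::removeChild behaviour the log message describes: if the parent
    // is left with a single anonymous block, hoist its children up and destroy that block.
    void removeChild(Node* parent, Node* child) {
        removeChildNode(parent, child);
        if (parent->children.size() == 1 && parent->children[0]->anonymous) {
            Node* anon = parent->children[0];
            parent->children.clear();
            for (Node* grandchild : anon->children) {
                grandchild->parent = parent;
                parent->children.push_back(grandchild);
            }
            anon->children.clear();
            anon->destroyed = true;  // any caller still holding 'anon' now has a stale pointer
        }
    }

    // Models destroy(): an attached node is first removed through its parent, then dies.
    void destroy(Node* n) {
        if (n->parent)
            removeChild(n->parent, n);
        n->destroyed = true;
    }

    // Models addChild(child, beforeChild). Refuses a destroyed or re-parented beforeChild
    // instead of dereferencing it, which in real code would be a use-after-free.
    bool addChild(Node* parent, Node* child, Node* beforeChild) {
        if (beforeChild && (beforeChild->destroyed || beforeChild->parent != parent))
            return false;
        child->parent = parent;
        auto& c = parent->children;
        auto pos = beforeChild ? std::find(c.begin(), c.end(), beforeChild) : c.end();
        c.insert(pos, child);
        return true;
    }
};

static Node* nextSibling(Node* n) {
    auto& c = n->parent->children;
    auto it = std::find(c.begin(), c.end(), n);
    return (it + 1 == c.end()) ? nullptr : *(it + 1);
}

// Constructed shape that triggers the collapse: container -> [firstLetter, anonymousBlock -> [text]].
struct Fixture { Tree tree; Node* container; Node* firstLetter; };

static Fixture buildFixture() {
    Fixture f;
    f.container = f.tree.make("container");
    f.firstLetter = f.tree.make("first-letter");
    Node* anon = f.tree.make("anonymous-block", true);
    Node* text = f.tree.make("text");
    f.tree.addChild(f.container, f.firstLetter, nullptr);
    f.tree.addChild(f.container, anon, nullptr);
    f.tree.addChild(anon, text, nullptr);
    return f;
}

// Pre-fix ordering: destroy() goes through removeChild, the anonymous block that 'next'
// points at is collapsed, and the insert is attempted against a dead node.
static bool replaceFirstLetterUnsafe(Fixture& f) {
    Node* next = nextSibling(f.firstLetter);
    Node* newFirstLetter = f.tree.make("first-letter-new");
    f.tree.destroy(f.firstLetter);
    return f.tree.addChild(f.container, newFirstLetter, next);   // false: 'next' is stale
}

// Post-fix ordering: detach first, so destroy() finds no parent and the collapse never runs.
static bool replaceFirstLetterSafe(Fixture& f) {
    Node* next = nextSibling(f.firstLetter);
    Node* newFirstLetter = f.tree.make("first-letter-new");
    f.tree.removeChildNode(f.container, f.firstLetter);
    f.tree.destroy(f.firstLetter);
    return f.tree.addChild(f.container, newFirstLetter, next);   // true: 'next' still live
}
```

The point the model makes is that the hazard is not in `destroy()` itself but in a cached sibling pointer surviving a call that is allowed to restructure the parent; detaching before destroying keeps the restructuring code path out of the window in which the cached pointer is used.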

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (116324 => 116325)


--- trunk/LayoutTests/ChangeLog	2012-05-07 18:24:45 UTC (rev 116324)
+++ trunk/LayoutTests/ChangeLog	2012-05-07 18:27:21 UTC (rev 116325)
@@ -1,3 +1,13 @@
+2012-05-07  Abhishek Arya  <[email protected]>
+
+        Crash in RenderBlock::updateFirstLetterStyle.
+        https://bugs.webkit.org/show_bug.cgi?id=85759
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/css-generated-content/first-letter-next-sibling-crash-expected.txt: Added.
+        * fast/css-generated-content/first-letter-next-sibling-crash.html: Added.
+
 2012-05-07  Philippe Normand  <[email protected]>
 
         Unreviewed, GTK gardening.

Added: trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt (0 => 116325)


--- trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt	2012-05-07 18:27:21 UTC (rev 116325)
@@ -0,0 +1,2 @@
+WebKit Bug 85759 - Crash in RenderBlock::updateFirstLetterStyle.
+PASS if test does not crash.

Added: trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html (0 => 116325)


--- trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html	2012-05-07 18:27:21 UTC (rev 116325)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<style>
+.absolutePosition { position: fixed; }
+.float:before { float: right; content: ''; }
+.float:first-letter { float: right; }
+.inline::first-letter { content: ''; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function startTest() {
+    document.body.offsetTop;
+    var parent = document.getElementById("parent");
+    var child = document.getElementById("child");
+    child.setAttribute('class', 'inline');
+    document.body.offsetTop;
+    parent.removeChild(child);
+    document.body.offsetTop;
+    parent.setAttribute('class', 'inline');
+}
+window._onload_ = startTest;
+</script>
+WebKit Bug 85759 - Crash in RenderBlock::updateFirstLetterStyle.
+<div class="float" id="parent">
+<div class="absolutePosition" id="child"></div>
+PASS if test does not crash.
+</div>
+</html>
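Review bot: `window._onload_ = startTest;` on the second-to-last script line assigns a property no browser dispatches, so as shown `startTest` never runs and the page would print "PASS if test does not crash." without ever exercising the `removeChild` / `setAttribute('class', 'inline')` sequence the fix targets; if this is only the list archive's rewrite of `window.onload`, the committed file is fine, otherwise it should read `window.onload = startTest;`. Two smaller points: the class is named `absolutePosition` but sets `position: fixed`, which misleads anyone reducing the test later, and the property change just below marks the .html as `svn:executable`, which a layout test does not need.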
Property changes on: trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (116324 => 116325)


--- trunk/Source/WebCore/ChangeLog	2012-05-07 18:24:45 UTC (rev 116324)
+++ trunk/Source/WebCore/ChangeLog	2012-05-07 18:27:21 UTC (rev 116325)
@@ -1,3 +1,19 @@
+2012-05-07  Abhishek Arya  <[email protected]>
+
+        Crash in RenderBlock::updateFirstLetterStyle.
+        https://bugs.webkit.org/show_bug.cgi?id=85759
+
+        Reviewed by Julien Chaffraix.
+
+        Test: fast/css-generated-content/first-letter-next-sibling-crash.html
+
+        RenderBlock::removeChild can bring up the children from last single anonymous block,
+        causing |nextSibling| in RenderBlock::updateFirstLetterStyle to go stale. We prevent
+        this by removing the child safely using removeChildNode before destroying it.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::updateFirstLetterStyle):
+
 2012-05-07  Tommy Widenflycht  <[email protected]>
 
         MediaStream API: Rename MediaStreamCenter::didConstructMediaStream

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (116324 => 116325)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-05-07 18:24:45 UTC (rev 116324)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-05-07 18:27:21 UTC (rev 116325)
@@ -5938,6 +5938,9 @@
             remainingText->setFirstLetter(newFirstLetter);
             toRenderBoxModelObject(newFirstLetter)->setFirstLetterRemainingText(remainingText);
         }
+        // To prevent removal of single anonymous block in RenderBlock::removeChild and causing
+        // |nextSibling| to go stale, we remove the old first letter using removeChildNode first.
+        firstLetterContainer->virtualChildren()->removeChildNode(firstLetterContainer, firstLetter);
         firstLetter->destroy();
         firstLetter = newFirstLetter;
         firstLetterContainer->addChild(firstLetter, nextSibling);
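Review bot: the new `removeChildNode` call detaches `firstLetter` so that the following `destroy()` never reaches `RenderBlock::removeChild`, but the hunk leaves the invariant it depends on unstated: `nextSibling` must still be a child of `firstLetterContainer` when `addChild(firstLetter, nextSibling)` runs on the last line. Suggest an `ASSERT(!nextSibling || nextSibling->parent() == firstLetterContainer)` immediately before that `addChild`, and a sentence in the new comment saying that `destroy()` skips the parent-side removal for an already-detached renderer, since that is the property that makes this ordering safe rather than merely different. The comment's first sentence also reads awkwardly ("To prevent removal ... and causing ... to go stale"); "so that RenderBlock::removeChild cannot collapse the single anonymous block and leave |nextSibling| stale" says the same thing more directly.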
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
