Title: [117282] releases/WebKitGTK/webkit-1.8
- Revision: 117282
- Author: [email protected]
- Date: 2012-05-16 06:57:05 -0700 (Wed, 16 May 2012)
Log Message
Merge 113597 - Crash due to floats not cleared before starting SVG <text> layout.
https://bugs.webkit.org/show_bug.cgi?id=83021
Reviewed by Dirk Schulze.
.:
* ManualTests/svg-text-float-not-removed-crash.html: Added.
Source/WebCore:
Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
Can't reproduce the failure in DRT.
forceLayoutInlineChildren is used in SVG <text> layout and overrides
RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
which will cause a crash when trying to access removed renderers.
* rendering/RenderBlock.h:
(WebCore::RenderBlock::forceLayoutInlineChildren):
Diff
Modified: releases/WebKitGTK/webkit-1.8/ChangeLog (117281 => 117282)
--- releases/WebKitGTK/webkit-1.8/ChangeLog 2012-05-16 13:56:48 UTC (rev 117281)
+++ releases/WebKitGTK/webkit-1.8/ChangeLog 2012-05-16 13:57:05 UTC (rev 117282)
@@ -1,3 +1,12 @@
+2012-04-09 Abhishek Arya <[email protected]>
+
+ Crash due to floats not cleared before starting SVG <text> layout.
+ https://bugs.webkit.org/show_bug.cgi?id=83021
+
+ Reviewed by Dirk Schulze.
+
+ * ManualTests/svg-text-float-not-removed-crash.html: Added.
+
2012-04-16 Gustavo Noronha Silva <[email protected]>
[GTK] Bump dependency on GTK+ 3.x to match reality
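Review bot: the new entry at the top of this ChangeLog is dated 2012-04-09 but sits above the 2012-04-16 entry, and nothing in the entry says why. The log message calls this "Merge 113597", so adding that to the entry itself (for example a first line reading "Merge 113597") would explain the out-of-order date to anyone reading the branch ChangeLog without the commit log next to it.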
Added: releases/WebKitGTK/webkit-1.8/ManualTests/svg-text-float-not-removed-crash.html (0 => 117282)
--- releases/WebKitGTK/webkit-1.8/ManualTests/svg-text-float-not-removed-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/ManualTests/svg-text-float-not-removed-crash.html 2012-05-16 13:57:05 UTC (rev 117282)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<script>
+setInterval(function(){
+ var elements = document.getElementsByTagName("*");
+ var didRemoveElement = false;
+ for (var i = 0; i < elements.length; i++) {
+ var element = elements.item(i);
+ if (!element.firstElementChild && element != document.documentElement) {
+ didRemoveElement = true;
+ try {
+ element.parentNode.removeChild(element)
+ } catch(e) { }
+ }
+ }
+
+ if (!didRemoveElement)
+ document.documentElement.innerHTML = "PASS. WebKit didn't crash.";
+}, 100);
+</script>
+<style>
+#test1:after {
+ float: left;
+ content: 'A';
+}
+</style>
+<svg>
+<text>
+<a id="test1">
+A
+</a>
+</text>
+</svg>
+</html>
Property changes on: releases/WebKitGTK/webkit-1.8/ManualTests/svg-text-float-not-removed-crash.html
___________________________________________________________________
Added: svn:executable
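Review bot: the test file carries no comment or visible text saying what it covers; the only link to bug 83021 is the file name, and the pass condition is just the string written once nothing is left to remove. Since the ChangeLog says this cannot be reproduced in DRT and the test has to be run by hand, a short comment at the top naming the bug URL and the expected outcome ("PASS. WebKit didn't crash." on success, a crash otherwise) would help whoever opens it later. Separately, the svn:executable property added on this file is not needed for an HTML page and can be dropped.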
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (117281 => 117282)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:56:48 UTC (rev 117281)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:57:05 UTC (rev 117282)
@@ -1,3 +1,20 @@
+2012-04-09 Abhishek Arya <[email protected]>
+
+ Crash due to floats not cleared before starting SVG <text> layout.
+ https://bugs.webkit.org/show_bug.cgi?id=83021
+
+ Reviewed by Dirk Schulze.
+
+ Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
+ Can't reproduce the failure in DRT.
+
+ forceLayoutInlineChildren is used in SVG <text> layout and overrides
+ RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
+ which will cause a crash when trying to access removed renderers.
+
+ * rendering/RenderBlock.h:
+ (WebCore::RenderBlock::forceLayoutInlineChildren):
+
2012-04-02 Abhishek Arya <[email protected]>
<select> shouldn't intrude as a run-in.
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.h (117281 => 117282)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.h 2012-05-16 13:56:48 UTC (rev 117281)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.h 2012-05-16 13:57:05 UTC (rev 117282)
@@ -455,6 +455,7 @@
{
LayoutUnit repaintLogicalTop = 0;
LayoutUnit repaintLogicalBottom = 0;
+ clearFloats(NormalLayoutPass);
layoutInlineChildren(true, repaintLogicalTop, repaintLogicalBottom);
}
#endif
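Review bot: the added clearFloats(NormalLayoutPass) call in forceLayoutInlineChildren has no comment, and nothing in the header shows that it must come before layoutInlineChildren. The ChangeLog explains that this function bypasses RenderBlock::layoutBlock and missed the 'clearFloats' step; a one-line comment here saying so would keep the call from being removed as redundant and would prompt a check of this function whenever layoutBlock gains another prerequisite step. The layout pass is also hard-coded to NormalLayoutPass; please confirm that is correct for every caller of forceLayoutInlineChildren, or say so in the comment.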
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes