Title: [117886] releases/WebKitGTK/webkit-1.8
Revision: 117886
Author: [email protected]
Date: 2012-05-21 20:04:23 -0700 (Mon, 21 May 2012)
Log Message
Merge 116551 - Crash from removal of a line break object
https://bugs.webkit.org/show_bug.cgi?id=85997
Patch by Ken Buchanan <[email protected]> on 2012-05-09
Reviewed by David Hyatt.
Source/WebCore:
Regression from r115343. That replaced a call to setNeedsLayout()
with a separate call that used a different bit during linebox
invalidation after renderer child removal. There are special cases
where layout isn't marked on parent nodes just from the removal, so
line dirtying needs to explicitly mark ancestors for layout.
* rendering/RenderObject.h:
(WebCore::RenderObject::setAncestorLineBoxDirty):
LayoutTests:
Test case to exercise crashing condition in bug 85997.
* fast/block/line-layout/line-break-removal-near-textarea-crash-expected.txt: Added
* fast/block/line-layout/line-break-removal-near-textarea-crash.html: Added
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (117885 => 117886)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-22 03:04:03 UTC (rev 117885)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-22 03:04:23 UTC (rev 117886)
@@ -1,3 +1,15 @@
+2012-05-09 Ken Buchanan <[email protected]>
+
+ Crash from removal of a line break object
+ https://bugs.webkit.org/show_bug.cgi?id=85997
+
+ Reviewed by David Hyatt.
+
+ Test case to exercise crashing condition in bug 85997.
+
+ * fast/block/line-layout/line-break-removal-near-textarea-crash-expected.txt: Added
+ * fast/block/line-layout/line-break-removal-near-textarea-crash.html: Added
+
2012-04-25 Ken Buchanan <[email protected]>
Crash from removal of line break object after layout
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash-expected.txt (0 => 117886)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash-expected.txt 2012-05-22 03:04:23 UTC (rev 117886)
@@ -0,0 +1,2 @@
+PASS, if no crash or assert in debug
+abc
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash.html (0 => 117886)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/line-layout/line-break-removal-near-textarea-crash.html 2012-05-22 03:04:23 UTC (rev 117886)
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<style>
+.style1 { display: table-row; content: counter(section); }
+.style2 { position: fixed; }
+.style3 { vertical-align: super; -webkit-appearance: button; -webkit-column-width: 100px; }
+.style3:nth-of-type(2n) { display: list-item; }
+</style>
+<script>
+window._onload_ = function() {
+ div1 = document.createElement('div');
+ document.documentElement.appendChild(div1);
+
+ spanElem1 = document.createElement('span');
+ spanElem1.setAttribute('class', 'style3');
+ document.documentElement.appendChild(spanElem1);
+
+ spanElem2 = document.createElement('span');
+ spanElem1.appendChild(spanElem2);
+ spanElem1.appendChild(document.createTextNode('abc'));
+
+ textareaElem = document.createElement('textarea');
+ textareaElem.setAttribute('class', 'style1');
+ spanElem2.appendChild(textareaElem);
+
+ canvasElem = document.createElement('canvas');
+ spanElem2.appendChild(canvasElem);
+
+ paragraphElem = document.createElement('p');
+ paragraphElem.setAttribute('class', 'style2');
+ spanElem2.appendChild(paragraphElem);
+
+ document.execCommand("SelectAll", false, "");
+ window.scrollBy(-15, -48);
+ document.documentElement.offsetHeight;
+
+ div1.setAttribute('class', 'style3');
+ spanElem2.removeChild(paragraphElem);
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+}
+</script>
+<body>
+PASS, if no crash or assert in debug
+</body>
+</html>
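Review bot: The handler at the top of the script is assigned to `window._onload_`, which is not an event handler property, so as the hunk reads the function is never invoked and the test would pass without building the tree or removing the paragraph. Unless that spelling is an artefact of how the diff was rendered, it should be `window.onload`. Separately, `div1`, `spanElem1` and the other element variables are assigned without `var`, which makes them implicit globals, and `layoutTestController.dumpAsText()` is called only at the end of the handler, after `spanElem2.removeChild(paragraphElem)`; calling it first would keep the text-dump mode set even if a later statement throws.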
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (117885 => 117886)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-22 03:04:03 UTC (rev 117885)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-22 03:04:23 UTC (rev 117886)
@@ -1,3 +1,19 @@
+2012-05-09 Ken Buchanan <[email protected]>
+
+ Crash from removal of a line break object
+ https://bugs.webkit.org/show_bug.cgi?id=85997
+
+ Reviewed by David Hyatt.
+
+ Regression from r115343. That replaced a call to setNeedsLayout()
+ with a separate call that used a different bit during linebox
+ invalidation after renderer child removal. There are special cases
+ where layout isn't marked on parent nodes just from the removal, so
+ line dirtying needs to explicitly mark ancestors for layout.
+
+ * rendering/RenderObject.h:
+ (WebCore::RenderObject::setAncestorLineBoxDirty):
+
2012-04-26 Ken Buchanan <[email protected]>
Crash from removal of line break object after layout
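Review bot: The entry's "special cases where layout isn't marked on parent nodes just from the removal" does not name any of those cases, so a later reader cannot tell from the ChangeLog which removals depend on the new marking. Suggest stating the condition the added test exercises (it removes a `position: fixed` paragraph from a span that also holds a textarea and a canvas), so the reason for the extra call survives outside the bug tracker.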
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.h (117885 => 117886)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.h 2012-05-22 03:04:03 UTC (rev 117885)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.h 2012-05-22 03:04:23 UTC (rev 117886)
@@ -381,6 +381,7 @@
if (!s_ancestorLineboxDirtySet)
s_ancestorLineboxDirtySet = new RenderObjectAncestorLineboxDirtySet;
s_ancestorLineboxDirtySet->add(this);
+ setNeedsLayout(true);
} else if (s_ancestorLineboxDirtySet) {
s_ancestorLineboxDirtySet->remove(this);
if (s_ancestorLineboxDirtySet->isEmpty()) {
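Review bot: The added `setNeedsLayout(true);` after `s_ancestorLineboxDirtySet->add(this);` carries no comment, so a setter named for line box dirtying now also marks layout with nothing in the header to say why. The explanation exists only in the ChangeLog (regression from r115343, ancestors not marked by the removal alone); a one-line comment above the call referencing bug 85997 would stop a later cleanup from removing it as redundant. It is also worth confirming that the `else if` branch, which removes `this` from the set, is intentionally left without any layout-related change, since the two branches are no longer symmetric.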