Title: [119646] branches/chromium/1132

Diff

Copied: branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash-expected.txt (from rev 119409, trunk/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash-expected.txt) (0 => 119646)


--- branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash-expected.txt	2012-06-07 00:20:44 UTC (rev 119646)
@@ -0,0 +1,2 @@
+WebKit Bug - Crash in multi-column layout.
+PASS. WebKit didn't crash.

Copied: branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash.html (from rev 119409, trunk/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash.html) (0 => 119646)


--- branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash.html	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/multicol/span/empty-anonymous-block-split-crash.html	2012-06-07 00:20:44 UTC (rev 119646)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test0 { -webkit-column-width: 1px; }
+#test2::after { display: compact; content: ''; }
+#test3 { content: counter(c); -webkit-column-span: all; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+_onload_ = function() {
+    test0 = document.createElement('div');
+    test0.setAttribute('id', 'test0');
+    document.body.appendChild(test0); 
+    test1 = document.createElement('div');
+    test0.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id', 'test2');
+    test1.appendChild(test2);
+    test3 = document.createElement('div');
+    test3.setAttribute('id', 'test3');
+    test2.appendChild(test3);
+    test2.appendChild(document.createTextNode('A'));
+    document.designMode = 'on';
+    document.execCommand('selectall');
+    document.body.offsetTop;
+    document.body.innerHTML = "WebKit Bug - Crash in multi-column layout.<br />PASS. WebKit didn't crash.";
+}
+</script>
+</head>
+<body>
+</body>
+</html>
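Review bot: `_onload_ = function() {` on the script's first statement assigns a global named `_onload_` that nothing ever calls, so the tree-building handler would never run and the page would stay empty instead of producing the "PASS. WebKit didn't crash." text the expectation file lists. This is most likely the mailing-list rendering wrapping `onload` in underscores rather than what was committed, but as shown the line should read `onload = function() {`. The same line appears in the second test file, positioned-objects-not-removed-crash.html, and would need the same correction there.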

Copied: branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash-expected.txt (from rev 119409, trunk/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash-expected.txt) (0 => 119646)


--- branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash-expected.txt	2012-06-07 00:20:44 UTC (rev 119646)
@@ -0,0 +1,2 @@
+WebKit Bug - Crash in multi-column layout.
+PASS. WebKit didn't crash.

Copied: branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash.html (from rev 119409, trunk/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash.html) (0 => 119646)


--- branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash.html	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/multicol/span/positioned-objects-not-removed-crash.html	2012-06-07 00:20:44 UTC (rev 119646)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+#test0 { -webkit-columns: 1px; } 
+#test1 { -webkit-perspective: 1; display: compact; }
+#test1:before { content: ""; } 
+#test1:after { display: table; content: ""; } 
+#test2 { -webkit-column-span: all; }
+#test4:last-child { position:fixed; } 
+.c0 { display: table-header-group; } 
+.c1:first-letter { content: ""; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+_onload_ = function() {
+    test0 = document.createElement('div');
+    test0.setAttribute('id', 'test0');
+    document.body.appendChild(test0);
+    test1 = document.createElement('div');
+    test1.setAttribute('id','test1');
+    test0.appendChild(test1);
+    test2 = document.createElement('div');
+    test2.setAttribute('id','test2');
+    test1.appendChild(test2);
+    test3 = document.createElement('span');
+    test1.appendChild(test3);
+    test4 = document.createElement('div');
+    test4.setAttribute('id', 'test4'); 
+    test3.appendChild(test4);
+    document.body.offsetTop;
+    test2.setAttribute('class', 'c0'); 
+    test4.setAttribute('class', 'c1');
+    document.body.offsetTop;
+    document.body.innerHTML = "WebKit Bug - Crash in multi-column layout.<br />PASS. WebKit didn't crash.";
+}
+</script>
+</body>
+</html>

Modified: branches/chromium/1132/Source/WebCore/rendering/RenderBlock.cpp (119645 => 119646)


--- branches/chromium/1132/Source/WebCore/rendering/RenderBlock.cpp	2012-06-07 00:13:21 UTC (rev 119645)
+++ branches/chromium/1132/Source/WebCore/rendering/RenderBlock.cpp	2012-06-07 00:20:44 UTC (rev 119646)
@@ -601,7 +601,13 @@
     RenderBoxModelObject* curr = toRenderBoxModelObject(parent());
     RenderBoxModelObject* currChild = this;
     RenderObject* currChildNextSibling = currChild->nextSibling();
-    
+    bool documentUsesBeforeAfterRules = document()->usesBeforeAfterRules(); 
+
+    // Note: |this| can be destroyed inside this loop if it is an empty anonymous
+    // block and we try to call updateBeforeAfterContent inside which removes the
+    // generated content and additionally cleans up |this| empty anonymous block.
+    // See RenderBlock::removeChild(). DO NOT reference any local variables to |this|
+    // after this point.
     while (curr && curr != fromBlock) {
         ASSERT(curr->isRenderBlock());
         
@@ -628,7 +634,7 @@
         // has to move into the inline continuation.  Call updateBeforeAfterContent to ensure that the inline's :after
         // content gets properly destroyed.
         bool isLastChild = (currChildNextSibling == blockCurr->lastChild());
-        if (document()->usesBeforeAfterRules())
+        if (documentUsesBeforeAfterRules)
             blockCurr->children()->updateBeforeAfterContent(blockCurr, AFTER);
         if (isLastChild && currChildNextSibling != blockCurr->lastChild())
             currChildNextSibling = 0; // We destroyed the last child, so now we need to update
@@ -638,8 +644,7 @@
         // Since we are doing layout anyway, it is easier to blow away the entire list, than
         // traversing down the subtree looking for positioned children and then remove them
         // from our positioned objects list.
-        if (currChildNextSibling)
-            blockCurr->removePositionedObjects(0);
+        blockCurr->removePositionedObjects(0);
 
         // Now we need to take all of the children starting from the first child
         // *after* currChild and append them all to the clone.