Title: [120857] branches/chromium/1180
- Revision: 120857
- Author: [email protected]
- Date: 2012-06-20 13:33:43 -0700 (Wed, 20 Jun 2012)
Log Message
Merge 120737 - Crash in RenderInline::willBeDestroyed.
BUG=103423
Review URL: https://chromiumcodereview.appspot.com/10575040
Diff
Copied: branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash-expected.txt (from rev 120737, trunk/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash-expected.txt) (0 => 120857)
--- branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash-expected.txt (rev 0)
+++ branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash-expected.txt 2012-06-20 20:33:43 UTC (rev 120857)
@@ -0,0 +1,3 @@
+WebKit Bug 89386 - Crash in RenderInline::willBeDestroyed.
+Test passes if it does not crash.
+
Copied: branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash.html (from rev 120737, trunk/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash.html) (0 => 120857)
--- branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash.html (rev 0)
+++ branches/chromium/1180/LayoutTests/fullscreen/empty-anonymous-block-continuation-crash.html 2012-06-20 20:33:43 UTC (rev 120857)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<body>
+WebKit Bug 89386 - Crash in RenderInline::willBeDestroyed.<br />
+Test passes if it does not crash.
+<summary>
+<i>
+<span id="test">
+<div></div>
+</span>
+</i>
+</summary>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+if ("webkitRequestFullScreen" in Element.prototype) {
+ var span = document.getElementById('test');
+ var fullscreenChangeEvent = function(event) {
+ if (document.webkitIsFullScreen)
+ document.webkitCancelFullScreen();
+ };
+
+ document.addEventListener('webkitfullscreenchange', fullscreenChangeEvent);
+ document.addEventListener('keydown', function () {
+ span.webkitRequestFullScreen();
+ });
+
+ eventSender.keyDown('a');
+}
+</script>
+</body>
+</html>
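Review bot: The script calls layoutTestController.dumpAsText() but never waitUntilDone() or notifyDone(), so if the webkitfullscreenchange event is delivered after the load completes, the harness can dump the text and finish before the handler has called webkitCancelFullScreen(), and the enter/exit sequence the test is meant to exercise never runs under test. Consider calling layoutTestController.waitUntilDone() next to dumpAsText() and notifyDone() once the exit from fullscreen has been observed. Separately, eventSender.keyDown('a') is not guarded the way layoutTestController is, so opening the file outside the harness throws at that line; wrapping it in "if (window.eventSender)" keeps the page usable for manual reproduction.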
Modified: branches/chromium/1180/Source/WebCore/rendering/RenderBlock.cpp (120856 => 120857)
--- branches/chromium/1180/Source/WebCore/rendering/RenderBlock.cpp 2012-06-20 20:25:07 UTC (rev 120856)
+++ branches/chromium/1180/Source/WebCore/rendering/RenderBlock.cpp 2012-06-20 20:33:43 UTC (rev 120857)
@@ -1237,7 +1237,10 @@
// If we are an empty anonymous block in the continuation chain,
// we need to remove ourself and fix the continuation chain.
if (!beingDestroyed() && isAnonymousBlockContinuation()) {
- for (RenderObject* curr = this; curr; curr = curr->previousInPreOrder(parent())) {
+ RenderObject* containingBlockIgnoringAnonymous = containingBlock();
+ while (containingBlockIgnoringAnonymous && containingBlockIgnoringAnonymous->isAnonymousBlock())
+ containingBlockIgnoringAnonymous = containingBlockIgnoringAnonymous->containingBlock();
+ for (RenderObject* curr = this; curr; curr = curr->previousInPreOrder(containingBlockIgnoringAnonymous)) {
if (curr->virtualContinuation() != this)
continue;
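Review bot: In the added while loop, containingBlockIgnoringAnonymous can end up null (containingBlock() returns null, or every containing block on the way up is anonymous), and the for loop then passes that null as the boundary to previousInPreOrder(). If a null boundary means the pre-order walk is no longer confined to a subtree, that is a much wider search than the old parent() bound, so either assert that the pointer is non-null before the loop or say in a comment that the unbounded walk is intended. The existing comment above the block also still describes only the removal; a line stating why the search boundary has to skip anonymous blocks instead of stopping at parent() would make the fix understandable without the bug report.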