Title: [121995] releases/WebKitGTK/webkit-1.8
- Revision
- 121995
- Author
- [email protected]
- Date
- 2012-07-06 13:01:27 -0700 (Fri, 06 Jul 2012)
Log Message
Merge 116683 - Crash due to floats not removed from first-letter element.
https://bugs.webkit.org/show_bug.cgi?id=86019
Patch by Abhishek Arya <[email protected]> on 2012-05-10
Reviewed by Julien Chaffraix.
Source/WebCore:
Move clearing logic of a floating/positioned object from removeChild
to removeChildNode. There are a lot of places which use removeChildNode
directly and hence the object is not removed from the floating or
positioned objects list.
Test: fast/block/float/float-not-removed-from-first-letter.html
* rendering/RenderObject.cpp:
(WebCore::RenderObject::removeChild):
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::removeChildNode):
LayoutTests:
* fast/block/float/float-not-removed-from-first-letter-expected.txt: Added.
* fast/block/float/float-not-removed-from-first-letter.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121994 => 121995)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-07-06 20:01:05 UTC (rev 121994)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-07-06 20:01:27 UTC (rev 121995)
@@ -1,3 +1,13 @@
+2012-05-10 Abhishek Arya <[email protected]>
+
+ Crash due to floats not removed from first-letter element.
+ https://bugs.webkit.org/show_bug.cgi?id=86019
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/block/float/float-not-removed-from-first-letter-expected.txt: Added.
+ * fast/block/float/float-not-removed-from-first-letter.html: Added.
+
2012-05-12 Abhishek Arya <[email protected]>
Crash in HTMLSelectElement::setOption
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt (0 => 121995)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt 2012-07-06 20:01:27 UTC (rev 121995)
@@ -0,0 +1,3 @@
+Webkit Bug 86019 - Crash due to floats not removed from first-letter element.
+
+PASS. WebKit didn't crash.
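Review bot: style point on the first expected line: the project name is written `Webkit` there while the PASS line below it uses `WebKit`; since this file is the dumped text of the test page, the same string in the test's HTML has to be changed in step with it or the expectation stops matching.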
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html (0 => 121995)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html 2012-07-06 20:01:27 UTC (rev 121995)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+Webkit Bug 86019 - Crash due to floats not removed from first-letter element.
+<style>
+.li2 { width: 0px; }
+.li2:first-letter { float: left; content: counter(section); }
+.li2:first-of-type { display: -webkit-inline-flexbox; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function crash() {
+ li1 = document.createElement('li');
+ document.documentElement.appendChild(li1);
+ keygen1 = document.createElement('keygen');
+ keygen1.setAttribute('autofocus', 'autofocus');
+ document.documentElement.appendChild(keygen1);
+ li2 = document.createElement('li');
+ li2.setAttribute('class', 'li2');
+ document.documentElement.appendChild(li2);
+ text1 = document.createTextNode("PASS. WebKit didn't crash.");
+ li2.appendChild(text1);
+}
+window._onload_ = crash;
+</script>
+</html>
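Review bot: the handler registration at the end of the script, `window._onload_ = crash;`, assigns a plain property rather than the `onload` event handler, so as written `crash()` never runs and the test passes vacuously whether or not the float-list bug is present; it should read `window.onload = crash;`. Minor: `li1`, `keygen1`, `li2` and `text1` are implicit globals and should be declared with `var`.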
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html
___________________________________________________________________
Added: svn:executable
Added: svn:eol-style
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121994 => 121995)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-07-06 20:01:05 UTC (rev 121994)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-07-06 20:01:27 UTC (rev 121995)
@@ -1,3 +1,22 @@
+2012-05-10 Abhishek Arya <[email protected]>
+
+ Crash due to floats not removed from first-letter element.
+ https://bugs.webkit.org/show_bug.cgi?id=86019
+
+ Reviewed by Julien Chaffraix.
+
+ Move clearing logic of a floating/positioned object from removeChild
+ to removeChildNode. There are lot of places which use removeChildNode
+ directly and hence the object is not removed from the floating or
+ positioned objects list.
+
+ Test: fast/block/float/float-not-removed-from-first-letter.html
+
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::removeChild):
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::removeChildNode):
+
2012-05-12 Abhishek Arya <[email protected]>
Crash in HTMLSelectElement::setOption
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.cpp (121994 => 121995)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.cpp 2012-07-06 20:01:05 UTC (rev 121994)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObject.cpp 2012-07-06 20:01:27 UTC (rev 121995)
@@ -322,12 +322,6 @@
if (!children)
return;
- // We do this here instead of in removeChildNode, since the only extremely low-level uses of remove/appendChildNode
- // cannot affect the positioned object list, and the floating object list is irrelevant (since the list gets cleared on
- // layout anyway).
- if (oldChild->isFloatingOrPositioned())
- toRenderBox(oldChild)->removeFloatingOrPositionedChildFromBlockLists();
-
children->removeChildNode(this, oldChild);
}
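Review bot: the deleted comment's justification (that low-level removeChildNode callers cannot affect the positioned-object list) is exactly the assumption the ChangeLog says was wrong, and nothing in this hunk replaces it, so a reader of removeChild now gets no hint that block-list cleanup happens one level down. Suggest a one-line comment before `children->removeChildNode(this, oldChild);` stating that removal from the floating/positioned lists is handled in removeChildNode, so the check is not reintroduced here. The early `if (!children) return;` still bypasses that cleanup, unchanged from before, which is only safe if a renderer with no child list can never own a floating or positioned child.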
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObjectChildList.cpp (121994 => 121995)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObjectChildList.cpp 2012-07-06 20:01:05 UTC (rev 121994)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderObjectChildList.cpp 2012-07-06 20:01:27 UTC (rev 121995)
@@ -75,6 +75,9 @@
{
ASSERT(oldChild->parent() == owner);
+ if (oldChild->isFloatingOrPositioned())
+ toRenderBox(oldChild)->removeFloatingOrPositionedChildFromBlockLists();
+
// So that we'll get the appropriate dirty bit set (either that a normal flow child got yanked or
// that a positioned child got yanked). We also repaint, so that the area exposed when the child
// disappears gets repainted properly.
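Review bot: the block added at the top of removeChildNode carries no comment, whereas the original in removeChild explained why it lived there; add a short note that this is the single low-level removal path and therefore the place where a floating or positioned child must be taken out of its containing block's lists (bug 86019), otherwise the next reader may hoist it back up. The `toRenderBox(oldChild)` cast relies on every renderer for which `isFloatingOrPositioned()` is true being a RenderBox; that invariant held at the old call site too, but now that the code runs for every caller of removeChildNode it is worth an explicit `ASSERT(oldChild->isBox())` next to the existing `ASSERT(oldChild->parent() == owner)`.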