Title: [124055] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124054 => 124055)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:15:38 UTC (rev 124054)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:17:55 UTC (rev 124055)
@@ -1,5 +1,19 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116683
+
+    2012-05-10  Abhishek Arya  <[email protected]>
+
+            Crash due to floats not removed from first-letter element.
+            https://bugs.webkit.org/show_bug.cgi?id=86019
+
+            Reviewed by Julien Chaffraix.
+
+            * fast/block/float/float-not-removed-from-first-letter-expected.txt: Added.
+            * fast/block/float/float-not-removed-from-first-letter.html: Added.
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116669
 
     2012-05-10  Abhishek Arya  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt (from rev 116683, trunk/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt) (0 => 124055)


--- branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter-expected.txt	2012-07-30 18:17:55 UTC (rev 124055)
@@ -0,0 +1,3 @@
+Webkit Bug 86019 - Crash due to floats not removed from first-letter element.
+
+PASS. WebKit didn't crash.

Copied: branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html (from rev 116683, trunk/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html) (0 => 124055)


--- branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/block/float/float-not-removed-from-first-letter.html	2012-07-30 18:17:55 UTC (rev 124055)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+Webkit Bug 86019 - Crash due to floats not removed from first-letter element.
+<style>
+.li2 { width: 0px; }
+.li2:first-letter { float: left; content: counter(section); }
+.li2:first-of-type { display: -webkit-inline-flexbox; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+    
+function crash() {
+    li1 = document.createElement('li');
+    document.documentElement.appendChild(li1);
+    keygen1 = document.createElement('keygen');
+    keygen1.setAttribute('autofocus', 'autofocus');
+    document.documentElement.appendChild(keygen1);
+    li2 = document.createElement('li');
+    li2.setAttribute('class', 'li2');
+    document.documentElement.appendChild(li2);
+    text1 = document.createTextNode("PASS. WebKit didn't crash.");
+    li2.appendChild(text1);
+}
+window._onload_ = crash;
+</script>
+</html>
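Review bot: `window._onload_ = crash;` on the last script line assigns to a property no browser dispatches; unless the underscores are an artifact of the listing, crash() never runs, the "PASS. WebKit didn't crash." text is never appended, and the test passes vacuously. It should read `window.onload = crash;`. Minor: li1, keygen1, li2 and text1 are implicit globals; declaring them with `var` keeps the test clean.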

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124054 => 124055)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:15:38 UTC (rev 124054)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:17:55 UTC (rev 124055)
@@ -1,5 +1,28 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 116683
+
+    2012-05-10  Abhishek Arya  <[email protected]>
+
+            Crash due to floats not removed from first-letter element.
+            https://bugs.webkit.org/show_bug.cgi?id=86019
+
+            Reviewed by Julien Chaffraix.
+
+            Move clearing logic of a floating/positioned object from removeChild
+            to removeChildNode. There are lot of places which use removeChildNode
+            directly and hence the object is not removed from the floating or
+            positioned objects list.
+
+            Test: fast/block/float/float-not-removed-from-first-letter.html
+
+            * rendering/RenderObject.cpp:
+            (WebCore::RenderObject::removeChild):
+            * rendering/RenderObjectChildList.cpp:
+            (WebCore::RenderObjectChildList::removeChildNode):
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 116669
 
     2012-05-10  Abhishek Arya  <[email protected]>

Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp (124054 => 124055)


--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp	2012-07-30 18:15:38 UTC (rev 124054)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp	2012-07-30 18:17:55 UTC (rev 124055)
@@ -329,12 +329,6 @@
     if (!children)
         return;
 
-    // We do this here instead of in removeChildNode, since the only extremely low-level uses of remove/appendChildNode
-    // cannot affect the positioned object list, and the floating object list is irrelevant (since the list gets cleared on
-    // layout anyway).
-    if (oldChild->isFloatingOrPositioned())
-        toRenderBox(oldChild)->removeFloatingOrPositionedChildFromBlockLists();
-        
     children->removeChildNode(this, oldChild);
 }
 
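Review bot: the deleted comment carried the rationale for doing the floating/positioned cleanup in removeChild rather than removeChildNode, and the hunk leaves no replacement explaining why that rationale no longer holds (callers that bypass removeChild, as the ChangeLog describes). Since `children->removeChildNode(this, oldChild);` is now the only work after the `if (!children) return;` guard, a one-line comment pointing at RenderObjectChildList::removeChildNode as the place where the block lists are updated would keep the next reader from re-adding the cleanup here.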

Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderObjectChildList.cpp (124054 => 124055)


--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderObjectChildList.cpp	2012-07-30 18:15:38 UTC (rev 124054)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderObjectChildList.cpp	2012-07-30 18:17:55 UTC (rev 124055)
@@ -75,6 +75,9 @@
 {
     ASSERT(oldChild->parent() == owner);
 
+    if (oldChild->isFloatingOrPositioned())
+        toRenderBox(oldChild)->removeFloatingOrPositionedChildFromBlockLists();
+
     // So that we'll get the appropriate dirty bit set (either that a normal flow child got yanked or
     // that a positioned child got yanked).  We also repaint, so that the area exposed when the child
     // disappears gets repainted properly.
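Review bot: the new `if (oldChild->isFloatingOrPositioned())` block lands without a comment, while the code just below it explains the dirty-bit and repaint logic in detail; add a sentence stating that removeChildNode is the common removal path and therefore the floating/positioned object lists must be cleaned here, since the explanation that used to live in RenderObject::removeChild is gone. The placement itself looks right: the call runs while `ASSERT(oldChild->parent() == owner)` still holds, so the child's block ancestry is intact when removeFloatingOrPositionedChildFromBlockLists is invoked, before the parent is dirtied and the child detached.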
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes