Title: [124508] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124507 => 124508)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-08-02 22:01:58 UTC (rev 124507)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-08-02 22:05:02 UTC (rev 124508)
@@ -1,5 +1,19 @@
 2012-08-02  Lucas Forschler  <[email protected]>
 
+    Merge 118816
+
+    2012-05-29  Abhishek Arya  <[email protected]>
+
+            Crash due to text fragment destruction when updating first-letter block.
+            https://bugs.webkit.org/show_bug.cgi?id=87751
+
+            Reviewed by Eric Seidel.
+
+            * fast/text/text-fragment-first-letter-update-crash-expected.txt: Added.
+            * fast/text/text-fragment-first-letter-update-crash.html: Added.
+
+2012-08-02  Lucas Forschler  <[email protected]>
+
     Merge 118703
 
     2012-05-28  Yong Li  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt (from rev 118816, trunk/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt) (0 => 124508)


--- branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt	2012-08-02 22:05:02 UTC (rev 124508)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Copied: branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html (from rev 118816, trunk/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html) (0 => 124508)


--- branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html	2012-08-02 22:05:02 UTC (rev 124508)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+#el0 { -webkit-columns: 1; } 
+#el2:first-of-type { } 
+#el2:first-letter { content: counter(c); } 
+#el3 { -webkit-column-span: all; content: counter(c) attr(A); } 
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+el0 = document.createElement('div');
+el0.setAttribute('id', 'el0');
+document.body.appendChild(el0);
+el1=document.createElement('b');
+el0.appendChild(el1);
+el1.appendChild(document.createTextNode('A'));
+el2=document.createElement('div');
+el2.setAttribute('id','el2');
+el0.appendChild(el2);
+el3=document.createElement('div');
+el3.setAttribute('id', 'el3');
+el2.appendChild(el3);
+document.designMode = 'on';
+document.execCommand('selectall');
+el2.appendChild(document.createTextNode('AA'));
+document.designMode = 'on';
+document.execCommand('selectall');
+document.execCommand('removeFormat');
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+
+</script>
+</body>
+</html>
\ No newline at end of file
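Review bot: lines +27 through +31 of the test set `document.designMode = 'on'` and run `execCommand('selectall')` twice, once before and once after appending the 'AA' text node; if both rounds are needed to reproduce the first-letter update, a one-line comment in the test saying so would keep a future cleanup from dropping the second round and silently losing the regression coverage, and if they are not needed the duplicate should go. The file also lacks a trailing newline (the `\ No newline at end of file` marker), which is worth fixing before landing.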

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124507 => 124508)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-08-02 22:01:58 UTC (rev 124507)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-08-02 22:05:02 UTC (rev 124508)
@@ -1,5 +1,21 @@
 2012-08-02  Lucas Forschler  <[email protected]>
 
+    Merge 118816
+
+    2012-05-29  Abhishek Arya  <[email protected]>
+
+            Crash due to text fragment destruction when updating first-letter block.
+            https://bugs.webkit.org/show_bug.cgi?id=87751
+
+            Reviewed by Eric Seidel.
+
+            Test: fast/text/text-fragment-first-letter-update-crash.html
+
+            * rendering/RenderObject.cpp:
+            (WebCore::RenderObject::setStyle):
+
+2012-08-02  Lucas Forschler  <[email protected]>
+
     Merge 118703
 
     2012-05-28  Yong Li  <[email protected]>
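Review bot: the merged WebCore ChangeLog entry lists `(WebCore::RenderObject::setStyle)` under `rendering/RenderObject.cpp` with no description of what changed; the bug title alone does not tell a reader of the log that the fix is to compute the early-return condition before `styleDidChange` can destroy `this`. Suggest a one-line note under the function, along the lines of `Compute the bail-out condition before styleDidChange, which may delete |this|.`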

Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp (124507 => 124508)


--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp	2012-08-02 22:01:58 UTC (rev 124507)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp	2012-08-02 22:05:02 UTC (rev 124508)
@@ -1785,9 +1785,15 @@
     if (m_style->outlineWidth() > 0 && m_style->outlineSize() > maximalOutlineSize(PaintPhaseOutline))
         toRenderView(document()->renderer())->setMaximalOutlineSize(m_style->outlineSize());
 
+    bool doesNotNeedLayout = !m_parent || isText();
+
     styleDidChange(diff, oldStyle.get());
 
-    if (!m_parent || isText())
+    // FIXME: |this| might be destroyed here. This can currently happen for a RenderTextFragment when
+    // its first-letter block gets an update in RenderTextFragment::styleDidChange. For RenderTextFragment(s),
+    // we will safely bail out with the doesNotNeedLayout flag. We might want to broaden this condition
+    // in the future as we move renderer changes out of layout and into style changes.
+    if (doesNotNeedLayout)
         return;
 
     // Now that the layer (if any) has been updated, we need to adjust the diff again,
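Review bot: hoisting the condition into `doesNotNeedLayout` before the `styleDidChange(diff, oldStyle.get());` call is the correct fix, since nothing on `this` may be read once that call may have deleted it, but two things are worth tightening. First, `!m_parent` is now sampled before `styleDidChange` runs rather than after, so the early return reflects the pre-call parent state; the FIXME should say that this is intentional so a later reader does not "fix" it back. Second, the name `doesNotNeedLayout` describes the consequence, not the reason the flag exists; a name or a short comment on the declaration that ties it to the possible destruction of `this` (for example, a comment such as `// Captured before styleDidChange() because |this| may not survive that call.`) would make the ordering constraint obvious at the point it matters.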
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
