Title: [124657] branches/safari-536.26-branch
- Revision
- 124657
- Author
- [email protected]
- Date
- 2012-08-03 14:57:35 -0700 (Fri, 03 Aug 2012)
Log Message
Merged r122293. <rdar://problem/11968351>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124656 => 124657)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-03 21:50:15 UTC (rev 124656)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-03 21:57:35 UTC (rev 124657)
@@ -1,5 +1,21 @@
2012-08-02 Lucas Forschler <[email protected]>
+ Merge 122293
+
+ 2012-07-10 Shinya Kawanaka <[email protected]>
+
+ Crash in nextLinePosition() due to accessing a removed root line box.
+ https://bugs.webkit.org/show_bug.cgi?id=90484
+
+ Reviewed by Abhishek Arya.
+
+ This testcase should not be triggered in ASAN.
+
+ * editing/execCommand/crash-extend-selection-forward-expected.txt: Added.
+ * editing/execCommand/crash-extend-selection-forward.html: Added.
+
+2012-08-02 Lucas Forschler <[email protected]>
+
Merge 122188
2012-07-09 Kent Tamura <[email protected]>
Copied: branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt (from rev 122293, trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt) (0 => 124657)
--- branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt 2012-08-03 21:57:35 UTC (rev 124657)
@@ -0,0 +1,3 @@
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+PASS. WebKit didn't crash.
Copied: branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward.html (from rev 122293, trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward.html) (0 => 124657)
--- branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/editing/execCommand/crash-extend-selection-forward.html 2012-08-03 21:57:35 UTC (rev 124657)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function editingTest() {
+ var s = window.getSelection();
+ d = document.getElementById("test1");
+ s.setPosition(d, 0);
+ extendSelectionForwardByLineCommand();
+
+ test1.innerHTML = "PASS. WebKit didn't crash.";
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+<pre id="console"></pre>
+<div id=test1>(required to cause a crash)<object style='content: counters(c, ".") "-"; ' type=text/vbs></object></div>
+<script>
+runEditingTest();
+</script>
+</body>
+</html>
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124656 => 124657)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-03 21:50:15 UTC (rev 124656)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-03 21:57:35 UTC (rev 124657)
@@ -1,5 +1,31 @@
2012-08-02 Lucas Forschler <[email protected]>
+ Merge 122293
+
+ 2012-07-10 Shinya Kawanaka <[email protected]>
+
+ Crash in nextLinePosition() due to accessing a removed root line box.
+ https://bugs.webkit.org/show_bug.cgi?id=90484
+
+ Reviewed by Abhishek Arya.
+
+ When <object> element is reattached, the 'content' style is compared to the old style.
+ If it is not the same, a flag to recalc style is enabled. Because of this, the recalc style flag
+ is not cleared in updateLayoutIgnorePendingStyleSheets() in nextLinePosition(), and it causes
+ the second layout in isEditablePosition(p). Then 'RootInlineBox root' is invalidated, but
+ it's used after that.
+
+ When the content of the same <object> elements are compared, they should be the same.
+ However, operator== for ContentData is not implemented correctly (it compares a pointer instead of
+ content). So operator== does not hold for the content of the same <object> elements.
+
+ Test: editing/execCommand/crash-extend-selection-forward.html
+
+ * rendering/style/ContentData.cpp:
+ (WebCore::operator==): Compares the instance of data instead of pointer.
+
+2012-08-02 Lucas Forschler <[email protected]>
+
Merge 122188
2012-07-09 Kent Tamura <[email protected]>
Modified: branches/safari-536.26-branch/Source/WebCore/rendering/style/ContentData.cpp (124656 => 124657)
--- branches/safari-536.26-branch/Source/WebCore/rendering/style/ContentData.cpp 2012-08-03 21:50:15 UTC (rev 124656)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/style/ContentData.cpp 2012-08-03 21:57:35 UTC (rev 124657)
@@ -69,11 +69,11 @@
case CONTENT_NONE:
return true;
case CONTENT_OBJECT:
- return static_cast<const ImageContentData*>(&a)->image() == static_cast<const ImageContentData*>(&b)->image();
+ return *static_cast<const ImageContentData*>(&a)->image() == *static_cast<const ImageContentData*>(&b)->image();
case CONTENT_TEXT:
return static_cast<const TextContentData*>(&a)->text() == static_cast<const TextContentData*>(&b)->text();
case CONTENT_COUNTER:
- return static_cast<const CounterContentData*>(&a)->counter() == static_cast<const CounterContentData*>(&b)->counter();
+ return *static_cast<const CounterContentData*>(&a)->counter() == *static_cast<const CounterContentData*>(&b)->counter();
case CONTENT_QUOTE:
return static_cast<const QuoteContentData*>(&a)->quote() == static_cast<const QuoteContentData*>(&b)->quote();
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
