[webkit-changes] [124783] trunk

Mon, 06 Aug 2012 10:46:15 -0700

Title: [124783] trunk
Revision
124783
Author
[email protected]
Date
2012-08-06 10:46:32 -0700 (Mon, 06 Aug 2012)

Log Message

Crash in WebCore::RenderListItem::updateMarkerLocation
https://bugs.webkit.org/show_bug.cgi?id=90476

Patch by Douglas Stockwell <[email protected]> on 2012-08-06
Reviewed by Abhishek Arya.

Source/WebCore: 

In some cases an anonymous block is destroyed when its last child is
removed. RenderListItem did not expect this and has it's own logic for
cleaning up such blocks when the list marker is removed. Detect this
case in RenderBlock::removeChild to defer to the logic in RenderListItem::updateListMarker.

Test: fast/lists/list-marker-remove-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):

LayoutTests: 

* fast/lists/list-marker-remove-crash-expected.txt: Added.
* fast/lists/list-marker-remove-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (124782 => 124783)


--- trunk/LayoutTests/ChangeLog	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/ChangeLog	2012-08-06 17:46:32 UTC (rev 124783)
@@ -1,3 +1,13 @@
+2012-08-06  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::RenderListItem::updateMarkerLocation
+        https://bugs.webkit.org/show_bug.cgi?id=90476
+
+        Reviewed by Abhishek Arya.
+
+        * fast/lists/list-marker-remove-crash-expected.txt: Added.
+        * fast/lists/list-marker-remove-crash.html: Added.
+
 2012-08-06  Csaba Osztrogonác  <[email protected]>
 
         Web Inspector: rename WorkerAgent.setWorkerInspectionEnabled to WorkerAgent.enable and make it return error

Added: trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt (0 => 124783)


--- trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt	2012-08-06 17:46:32 UTC (rev 124783)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/lists/list-marker-remove-crash.html (0 => 124783)


--- trunk/LayoutTests/fast/lists/list-marker-remove-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/list-marker-remove-crash.html	2012-08-06 17:46:32 UTC (rev 124783)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<button></button>
+<script>
+document.designMode="on";
+var steps = [
+    "SelectAll",
+    "InsertUnorderedList",
+    "Italic",
+    "InsertOrderedList",
+    "InsertHorizontalRule",
+    "SelectAll",
+    "InsertUnorderedList",
+    "InsertHorizontalRule",
+    "InsertParagraph",
+    "InsertUnorderedList"
+];
+if (window.testRunner)
+    testRunner.dumpAsText();
+while (steps.length)
+    document.execCommand(steps.shift(), false);
+document.documentElement.innerHTML = 'PASS';
+</script>

Modified: trunk/LayoutTests/platform/chromium/TestExpectations (124782 => 124783)


--- trunk/LayoutTests/platform/chromium/TestExpectations	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/platform/chromium/TestExpectations	2012-08-06 17:46:32 UTC (rev 124783)
@@ -3500,3 +3500,5 @@
 BUGWK92275 : fast/multicol/vertical-rl/nested-columns.html = IMAGE+TEXT
 BUGWK92275 : fast/speech/input-appearance-searchandspeech.html = IMAGE+TEXT
 BUGWK92275 : fast/table/colspanMinWidth-vertical.html = TEXT
+
+BUGWK93247 : fast/lists/list-marker-remove-crash.html = CRASH

Modified: trunk/LayoutTests/platform/efl/TestExpectations (124782 => 124783)


--- trunk/LayoutTests/platform/efl/TestExpectations	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/platform/efl/TestExpectations	2012-08-06 17:46:32 UTC (rev 124783)
@@ -863,3 +863,5 @@
 
 BUGWK92956 : http/tests/security/contentSecurityPolicy/object-src-url-blocked.html = TEXT
 BUGWK93212 : http/tests/incremental/slow-utf8-text.pl = TIMEOUT
+
+BUGWK93247 : fast/lists/list-marker-remove-crash.html = CRASH

Modified: trunk/LayoutTests/platform/gtk/TestExpectations (124782 => 124783)


--- trunk/LayoutTests/platform/gtk/TestExpectations	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/platform/gtk/TestExpectations	2012-08-06 17:46:32 UTC (rev 124783)
@@ -1297,6 +1297,7 @@
 BUGWK93073 : mathml/presentation/under.xhtml = TEXT
 BUGWK93073 : mathml/presentation/underover.xhtml = TEXT
 
+BUGWK93247 : fast/lists/list-marker-remove-crash.html = CRASH
 //////////////////////////////////////////////////////////////////////////////////////////
 // End of Tests failing
 //////////////////////////////////////////////////////////////////////////////////////////

Modified: trunk/LayoutTests/platform/mac/TestExpectations (124782 => 124783)


--- trunk/LayoutTests/platform/mac/TestExpectations	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/platform/mac/TestExpectations	2012-08-06 17:46:32 UTC (rev 124783)
@@ -320,3 +320,5 @@
 BUGWK93148 : tables/mozilla_expected_failures/marvin/table_overflow_hidden_tbody.html  = TEXT
 BUGWK93148 : tables/mozilla_expected_failures/marvin/table_overflow_hidden_tr.html  = TEXT
 BUGWK93148 : fast/css/nested-layers-with-hover.html = TEXT
+
+BUGWK93247 : fast/lists/list-marker-remove-crash.html = CRASH

Modified: trunk/LayoutTests/platform/qt/TestExpectations (124782 => 124783)


--- trunk/LayoutTests/platform/qt/TestExpectations	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/LayoutTests/platform/qt/TestExpectations	2012-08-06 17:46:32 UTC (rev 124783)
@@ -134,3 +134,5 @@
 BUGWK93148 : tables/mozilla_expected_failures/marvin/table_overflow_hidden_tbody.html  = TEXT
 BUGWK93148 : tables/mozilla_expected_failures/marvin/table_overflow_hidden_tr.html  = TEXT
 BUGWK93148 : fast/css/nested-layers-with-hover.html = TEXT
+
+BUGWK93247 : fast/lists/list-marker-remove-crash.html = CRASH

Modified: trunk/Source/WebCore/ChangeLog (124782 => 124783)


--- trunk/Source/WebCore/ChangeLog	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/Source/WebCore/ChangeLog	2012-08-06 17:46:32 UTC (rev 124783)
@@ -1,3 +1,20 @@
+2012-08-06  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::RenderListItem::updateMarkerLocation
+        https://bugs.webkit.org/show_bug.cgi?id=90476
+
+        Reviewed by Abhishek Arya.
+
+        In some cases an anonymous block is destroyed when its last child is
+        removed. RenderListItem did not expect this and has it's own logic for
+        cleaning up such blocks when the list marker is removed. Detect this
+        case in RenderBlock::removeChild to defer to the logic in RenderListItem::updateListMarker.
+
+        Test: fast/lists/list-marker-remove-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild):
+
 2012-08-06  Shawn Singh  <[email protected]>
 
         [chromium] Non-preserves-3d requires explicit flattening of screen-space transform.

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (124782 => 124783)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-08-06 17:43:02 UTC (rev 124782)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-08-06 17:46:32 UTC (rev 124783)
@@ -1224,7 +1224,7 @@
 
         // If we are an empty anonymous block in the continuation chain,
         // we need to remove ourself and fix the continuation chain.
-        if (!beingDestroyed() && isAnonymousBlockContinuation()) {
+        if (!beingDestroyed() && isAnonymousBlockContinuation() && !oldChild->isListMarker()) {
             RenderObject* containingBlockIgnoringAnonymous = containingBlock();
             while (containingBlockIgnoringAnonymous && containingBlockIgnoringAnonymous->isAnonymousBlock())
                 containingBlockIgnoringAnonymous = containingBlockIgnoringAnonymous->containingBlock();

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to