Skip to site navigation (Press enter)

[webkit-changes] [127631] branches/chromium/1229

cevans Wed, 05 Sep 2012 12:29:09 -0700

Title: [127631] branches/chromium/1229

Revision: 127631
Author: [email protected]
Date: 2012-09-05 12:29:53 -0700 (Wed, 05 Sep 2012)

Log Message

Merge 125343
BUG=131815
Review URL: https://chromiumcodereview.appspot.com/10913091


Modified Paths

branches/chromium/1229/Source/WebCore/rendering/RenderQuote.cpp


Added Paths

branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750-expected.txt
branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750.html

Diff

Copied: branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750-expected.txt (from rev 125343, trunk/LayoutTests/fast/css-generated-content/quote-crash-93750-expected.txt) (0 => 127631)


--- branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750-expected.txt	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750-expected.txt	2012-09-05 19:29:53 UTC (rev 127631)
@@ -0,0 +1,5 @@
+Bug 93750: RenderQuote corrupts doubly linked list on insertion before head of list
+
+It passes if it does not CRASH or ASSERT.
+
+

Copied: branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750.html (from rev 125343, trunk/LayoutTests/fast/css-generated-content/quote-crash-93750.html) (0 => 127631)


--- branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750.html	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/css-generated-content/quote-crash-93750.html	2012-09-05 19:29:53 UTC (rev 127631)
@@ -0,0 +1,21 @@
+<!doctype html>
+
+<style>
+    .fixed::before {
+        position:fixed;
+    }
+</style>
+
+<script>
+    if (window.testRunner) window.testRunner.dumpAsText();
+    _onload_ = function(){
+      document.designMode = "on";
+      document.execCommand("SelectAll");
+      document.execCommand("Indent", false);
+    }
+</script>
+
+<p>Bug <a href="" RenderQuote corrupts doubly linked list on insertion before head of list</p>
+<p>It passes if it does not CRASH or ASSERT.</p>
+ 
+<q class="fixed"></q>

Modified: branches/chromium/1229/Source/WebCore/rendering/RenderQuote.cpp (127630 => 127631)


--- branches/chromium/1229/Source/WebCore/rendering/RenderQuote.cpp	2012-09-05 19:27:07 UTC (rev 127630)
+++ branches/chromium/1229/Source/WebCore/rendering/RenderQuote.cpp	2012-09-05 19:29:53 UTC (rev 127631)
@@ -292,6 +292,8 @@
     if (!m_previous) {
         m_next = view()->renderQuoteHead();
         view()->setRenderQuoteHead(this);
+        if (m_next)
+            m_next->m_previous = this;
     }
     m_attached = true;
 
@@ -299,7 +301,9 @@
         quote->updateDepth();
 
     ASSERT(!m_next || m_next->m_attached);
+    ASSERT(!m_next || m_next->m_previous == this);
     ASSERT(!m_previous || m_previous->m_attached);
+    ASSERT(!m_previous || m_previous->m_next == this);
 }
 
 void RenderQuote::detachQuote()

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes