Title: [133080] branches/safari-536.28-branch
- Revision
- 133080
- Author
- [email protected]
- Date
- 2012-10-31 14:56:50 -0700 (Wed, 31 Oct 2012)
Log Message
Merged r118249. <rdar://problem/12536403>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133079 => 133080)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-10-31 21:49:45 UTC (rev 133079)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-10-31 21:56:50 UTC (rev 133080)
@@ -1,5 +1,19 @@
2012-10-31 Lucas Forschler <[email protected]>
+ Merge r118249
+
+ 2012-05-23 Abhishek Arya <[email protected]>
+
+ Crash in run-ins with continuations while moving back to original position.
+ https://bugs.webkit.org/show_bug.cgi?id=87264
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/runin/runin-continuations-crash-expected.txt: Added.
+ * fast/runin/runin-continuations-crash.html: Added.
+
+2012-10-31 Lucas Forschler <[email protected]>
+
Merge r117971
2012-05-22 Nikolas Zimmermann <[email protected]>
@@ -10474,3 +10488,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash-expected.txt (from rev 118249, trunk/LayoutTests/fast/runin/runin-continuations-crash-expected.txt) (0 => 133080)
--- branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash-expected.txt 2012-10-31 21:56:50 UTC (rev 133080)
@@ -0,0 +1,3 @@
+WebKit Bug 87264 - Crash in run-ins with continuations while moving back to original position.
+Test passes if it does not crash.
+
Copied: branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash.html (from rev 118249, trunk/LayoutTests/fast/runin/runin-continuations-crash.html) (0 => 133080)
--- branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/runin/runin-continuations-crash.html 2012-10-31 21:56:50 UTC (rev 133080)
@@ -0,0 +1,33 @@
+<html>
+<body>
+WebKit Bug 87264 - Crash in run-ins with continuations while moving back to original position.<br />
+Test passes if it does not crash.<br />
+<style>
+.runIn { display: run-in; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+
+runIn1 = document.createElement('div');
+runIn1.setAttribute('class', 'runIn');
+document.body.appendChild(runIn1);
+
+q1 = document.createElement('q');
+q1.style.display = 'block';
+document.body.appendChild(q1);
+
+span1 = document.createElement('span');
+q1.appendChild(span1);
+
+document.body.offsetTop;
+
+runIn1.appendChild(document.createElement('div'));
+span1.style.display = 'block';
+document.body.offsetTop;
+q1.style.display = 'none';
+</script>
+</body>
+</html>
\ No newline at end of file
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133079 => 133080)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-10-31 21:49:45 UTC (rev 133079)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-10-31 21:56:50 UTC (rev 133080)
@@ -1,5 +1,27 @@
2012-10-31 Lucas Forschler <[email protected]>
+ Merge r118249
+
+ 2012-05-23 Abhishek Arya <[email protected]>
+
+ Crash in run-ins with continuations while moving back to original position.
+ https://bugs.webkit.org/show_bug.cgi?id=87264
+
+ Reviewed by Julien Chaffraix.
+
+ Run-in that are now placed in sibling block can break up into continuation
+ chains when new children are added to it. We cannot easily send them back to their
+ original place since that requires writing integration logic with RenderInline::addChild
+ and all other places that might cause continuations to be created (without blowing away
+ |this|). Disabling this feature for now to prevent crashes.
+
+ Test: fast/runin/runin-continuations-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::moveRunInToOriginalPosition):
+
+2012-10-31 Lucas Forschler <[email protected]>
+
Merge r117971
2012-05-22 Nikolas Zimmermann <[email protected]>
@@ -205542,3 +205564,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp (133079 => 133080)
--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-10-31 21:49:45 UTC (rev 133079)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-10-31 21:56:50 UTC (rev 133080)
@@ -1839,8 +1839,8 @@
if (!runIn->isRenderBlock())
return;
- // We shouldn't run in into the sibling block if we are part of a
- // continuation chain. In that case, treat it as a normal block.
+ // FIXME: We don't support run-ins with or as part of a continuation
+ // as it makes the back-and-forth placing complex.
if (runIn->isElementContinuation() || runIn->virtualContinuation())
return;
@@ -1900,6 +1900,14 @@
if (!runInIsPlacedIntoSiblingBlock(runIn))
return;
+ // FIXME: Run-in that are now placed in sibling block can break up into continuation
+ // chains when new children are added to it. We cannot easily send them back to their
+ // original place since that requires writing integration logic with RenderInline::addChild
+ // and all other places that might cause continuations to be created (without blowing away
+ // |this|). Disabling this feature for now to prevent crashes.
+ if (runIn->isElementContinuation() || runIn->virtualContinuation())
+ return;
+
RenderBoxModelObject* oldRunIn = toRenderBoxModelObject(runIn);
RenderBoxModelObject* newRunIn = createReplacementRunIn(oldRunIn);
destroyRunIn(oldRunIn);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
