Title: [135684] trunk
- Revision: 135684
- Author: [email protected]
- Date: 2012-11-25 23:45:38 -0800 (Sun, 25 Nov 2012)
Log Message
WebCore::RenderBlock::determineStartPosition crash
https://bugs.webkit.org/show_bug.cgi?id=98993
Reviewed by Brent Fulgham.
Source/WebCore:
If we move some node and the node has some text,
InlineFlowBox::removeChild() is invoked. The method invokes
RootInlineBox::childRemoved(). childRemoved() checks whether the
removed inline box has the renderer of its parent's line break object.
If so, it uses setLineBreakInfo to set the parent's line break info
to 0. However, in RenderBlock::determineStartPosition(), the code
assumes that all line break info is solved, i.e.
prevRootBox->lineBreakObj()->isText(). Since lineBreakObj() returns 0
because of removeChild(), a determineStartPosition crash occurs.
Test: fast/inline/inline-box-append-child-crash.html
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlock::determineStartPosition):
Checks whether lineBreakObj() is 0 or not before using lineBreakObj().
LayoutTests:
* fast/inline/inline-box-append-child-crash-expected.txt: Added.
* fast/inline/inline-box-append-child-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (135683 => 135684)
--- trunk/LayoutTests/ChangeLog 2012-11-26 06:35:57 UTC (rev 135683)
+++ trunk/LayoutTests/ChangeLog 2012-11-26 07:45:38 UTC (rev 135684)
@@ -1,3 +1,13 @@
+2012-11-25 Takashi Sakamoto <[email protected]>
+
+ WebCore::RenderBlock::determineStartPosition crash
+ https://bugs.webkit.org/show_bug.cgi?id=98993
+
+ Reviewed by Brent Fulgham.
+
+ * fast/inline/inline-box-append-child-crash-expected.txt: Added.
+ * fast/inline/inline-box-append-child-crash.html: Added.
+
2012-11-25 Chris Fleizach <[email protected]>
AX: file upload input cannot be activated with VoiceOver
Added: trunk/LayoutTests/fast/inline/inline-box-append-child-crash-expected.txt (0 => 135684)
--- trunk/LayoutTests/fast/inline/inline-box-append-child-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/inline/inline-box-append-child-crash-expected.txt 2012-11-26 07:45:38 UTC (rev 135684)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/inline/inline-box-append-child-crash.html (0 => 135684)
--- trunk/LayoutTests/fast/inline/inline-box-append-child-crash.html (rev 0)
+++ trunk/LayoutTests/fast/inline/inline-box-append-child-crash.html 2012-11-26 07:45:38 UTC (rev 135684)
@@ -0,0 +1,25 @@
+<html>
+<body>
+ <!-- [bug 93993] https://bugs.webkit.org/show_bug.cgi?id=98993 -->
+ <!-- WebCore::RenderBlock::determineStartPosition crash -->
+ <!-- If this test passes, no crash. We can see "PASS". -->
+ <foo style="white-space:pre-wrap;">
+ <sup>
+ <foo id="root">
+ a<foo style="position:fixed;"></foo><foo><label id="node">
+ a</label>
+ </foo>
+ </foo>
+ </sup>
+ </foo>
+</body>
+<script type="text/_javascript_">
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.body.offsetTop;
+root.appendChild(node);
+document.body.offsetTop;
+document.body.innerHTML = 'PASS';
+</script>
+</html>
+
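Review bot: the first comment in the test body reads `[bug 93993]` while the URL on the same line and both ChangeLog entries point at bug 98993; the number should be corrected so the test references the right bug. Also, the script element is shown here with `type="text/_javascript_"`; if that is what was committed rather than mailing-list mangling of `text/javascript`, the script would not execute, `root.appendChild(node)` would never run, and the test would report PASS without exercising the crash path, so the type should be `text/javascript` or left off entirely.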
Modified: trunk/Source/WebCore/ChangeLog (135683 => 135684)
--- trunk/Source/WebCore/ChangeLog 2012-11-26 06:35:57 UTC (rev 135683)
+++ trunk/Source/WebCore/ChangeLog 2012-11-26 07:45:38 UTC (rev 135684)
@@ -1,3 +1,26 @@
+2012-11-25 Takashi Sakamoto <[email protected]>
+
+ WebCore::RenderBlock::determineStartPosition crash
+ https://bugs.webkit.org/show_bug.cgi?id=98993
+
+ Reviewed by Brent Fulgham.
+
+ If we move some node and the node has some text,
+ InlineFlowBox::removeChild() is invoked. The method invokes
+ RootInlineBox::childRemoved(). childRemoved() checks whether the
+ removed inlinebox has the renderer of its parent's line break object.
+ If so, use setLineBreakInfo to make the parent's line break info to
+ be 0. However in RenderBlock::determineStartPosition(), the code
+ assume that all line break info is solved, i.e.
+ prevRootBox->lineBreakObj()->isText(). Since lineBreakObj() returns 0
+ because of removeChild(), determineStartPosition crash occurs.
+
+ Test: fast/inline/inline-box-append-child-crash.html
+
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlock::determineStartPosition):
+ Checks whether lineBreakObj() is 0 or not before using lineBreakObj().
+
2012-11-25 Nikita Vasilyev <[email protected]>
Web Inspector: use native Element.prototype.normalize instead of custom defined Element.prototype.pruneEmptyTextNodes
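Review bot: the ChangeLog text has a couple of grammar slips in the explanation ("the code assume that all line break info is solved", "determineStartPosition crash occurs"); suggest "the code assumes that all line break info is resolved" and "a crash occurs in determineStartPosition". It would also help the entry to say that the fix treats a previous line whose lineBreakObj() is 0 as dirty, so a reader understands the chosen recovery rather than just the added null check.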
Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (135683 => 135684)
--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2012-11-26 06:35:57 UTC (rev 135683)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2012-11-26 07:45:38 UTC (rev 135684)
@@ -1826,7 +1826,7 @@
// We have a dirty line.
if (RootInlineBox* prevRootBox = curr->prevRootBox()) {
// We have a previous line.
- if (!dirtiedByFloat && (!prevRootBox->endsWithBreak() || (prevRootBox->lineBreakObj()->isText() && prevRootBox->lineBreakPos() >= toRenderText(prevRootBox->lineBreakObj())->textLength())))
+ if (!dirtiedByFloat && (!prevRootBox->endsWithBreak() || !prevRootBox->lineBreakObj() || (prevRootBox->lineBreakObj()->isText() && prevRootBox->lineBreakPos() >= toRenderText(prevRootBox->lineBreakObj())->textLength())))
// The previous line didn't break cleanly or broke at a newline
// that has been deleted, so treat it as dirty too.
curr = prevRootBox;
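Review bot: the added `!prevRootBox->lineBreakObj()` term sits before the `isText()` branch in the short-circuit chain, so neither `isText()` nor `toRenderText()` is reached with a null pointer any more, and a line whose break object was cleared by childRemoved() now counts as dirty, which is the conservative direction. The condition now calls `lineBreakObj()` four times on a single very long line; consider hoisting it into a local such as `RenderObject* lineBreakObj = prevRootBox->lineBreakObj();` and splitting the expression so the three cases (no clean break, no break object, break at the end of a text run) are each readable and the null check is obvious to the next person touching this code.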