Title: [145659] branches/safari-536.30-branch
- Revision
- 145659
- Author
- [email protected]
- Date
- 2013-03-12 18:28:32 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r140069. <rdar://problem/13334849>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145658 => 145659)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:26:39 UTC (rev 145658)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:28:32 UTC (rev 145659)
@@ -1,5 +1,19 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r140069
+
+ 2013-01-17 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
+ https://bugs.webkit.org/show_bug.cgi?id=90802
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/multicol/float-not-removed-crash-expected.txt: Added.
+ * fast/multicol/float-not-removed-crash.html: Added.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r139788
2013-01-15 Elliott Sprehn <[email protected]>
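Review bot: the merge entry at the top of this hunk records only "Merge r140069"; the commit log line for this revision also carries the tracking reference <rdar://problem/13334849>, and the branch ChangeLog entry should repeat it so the branch history ties the cherry-pick to the bug being tracked. The nested trunk entry (bug 90802, the two added test files) is fine as copied.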
Copied: branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt (from rev 140069, trunk/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt) (0 => 145659)
--- branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt 2013-03-13 01:28:32 UTC (rev 145659)
@@ -0,0 +1,3 @@
+Test passes if it does not crash.
+PASS. WebKit didn't crash.
+
Copied: branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash.html (from rev 140069, trunk/LayoutTests/fast/multicol/float-not-removed-crash.html) (0 => 145659)
--- branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/multicol/float-not-removed-crash.html 2013-03-13 01:28:32 UTC (rev 145659)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+.class1:nth-child(-n+6) { float: left; padding-bottom: 100px; }
+.class2:nth-child(even) { -webkit-backface-visibility: hidden; -webkit-column-span: all; }
+.class3 { -webkit-column-count: 65536; }
+</style>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function crash() {
+ test1 = document.createElement('div');
+ test2 = document.createElement('div');
+ test3 = document.createElement('div');
+ test3.setAttribute('class', 'class3');
+ document.documentElement.appendChild(test3);
+ test4 = document.createElement('div');
+ test4.setAttribute('class', 'class2');
+ test5 = document.createElement('div');
+ test5.setAttribute('class', 'class1');
+ test6 = document.createElement('div');
+ test7 = document.createElement('i');
+ test8 = document.createTextNode("PASS. WebKit didn't crash.");
+ test6.appendChild(test8);
+ test6.appendChild(test7);
+ test1.appendChild(test6);
+ test3.appendChild(test1);
+ test7.appendChild(test5);
+ document.documentElement.offsetTop;
+ setTimeout('test3.appendChild(test4);', 0);
+ setTimeout('test2.appendChild(test7);', 2);
+ setTimeout('if (window.testRunner) testRunner.notifyDone();', 4);
+}
+
+window._onload_ = crash;
+</script>
+</html>
\ No newline at end of file
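Review bot: the handler assignment near the end of the file reads `window._onload_ = crash;`, which is not the `onload` property; if the file really contains that spelling, crash() never runs and the test passes vacuously, since the harness only waits for notifyDone(), so confirm the copied file assigns `window.onload`. Separately, the test depends on three staggered timers (0, 2 and 4 ms) to reparent test4 and test7 after a forced layout (`document.documentElement.offsetTop`); a short comment above the timers stating that the second reparent must happen after the float has been registered by the first layout would make the reproduction order clear to anyone later adjusting the delays. The missing trailing newline is harmless for an HTML test but inconsistent with the sibling expected file.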
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145658 => 145659)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:26:39 UTC (rev 145658)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:28:32 UTC (rev 145659)
@@ -1,5 +1,27 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r140069
+
+ 2013-01-17 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
+ https://bugs.webkit.org/show_bug.cgi?id=90802
+
+ Reviewed by Julien Chaffraix.
+
+ Test: fast/multicol/float-not-removed-crash.html
+
+ * rendering/RenderBoxModelObject.cpp:
+ (WebCore::RenderBoxModelObject::moveChildrenTo):
+ 1. When fullRemoveInsert is True, make sure to clear the
+ floating objects from our list (similar to positioned objects).
+ Our children are getting moved to another block and we won't
+ get notified when they are going away.
+ 2. Remove the redundant hasPositionedObjects check since it
+ is already done inside removePositionedObjects.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r139788
2013-01-15 Elliott Sprehn <[email protected]>
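Review bot: the reasoning in item 1 (children are moved to another block and this block is not notified when they are destroyed, so entries in its floating-objects list would become dangling) lives only in the ChangeLog; it is the kind of invariant that gets lost on the next refactor, so the same sentence belongs as a comment at the call site in RenderBoxModelObject::moveChildrenTo. Item 2 is a pure cleanup and is correctly separated from the functional change.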
Modified: branches/safari-536.30-branch/Source/WebCore/rendering/RenderBoxModelObject.cpp (145658 => 145659)
--- branches/safari-536.30-branch/Source/WebCore/rendering/RenderBoxModelObject.cpp 2013-03-13 01:26:39 UTC (rev 145658)
+++ branches/safari-536.30-branch/Source/WebCore/rendering/RenderBoxModelObject.cpp 2013-03-13 01:28:32 UTC (rev 145659)
@@ -3064,8 +3064,8 @@
// or when fullRemoveInsert is false.
if (fullRemoveInsert && isRenderBlock()) {
RenderBlock* block = toRenderBlock(this);
- if (block->hasPositionedObjects())
- block->removePositionedObjects(0);
+ block->removePositionedObjects(0);
+ block->removeFloatingObjects();
}
ASSERT(!beforeChild || toBoxModelObject == beforeChild->parent());
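Review bot: the dropped `hasPositionedObjects()` guard relied on `removePositionedObjects(0)` tolerating a block with no positioned-object list, as the ChangeLog states; the newly added `block->removeFloatingObjects()` is likewise called unconditionally, so confirm it handles a block with no floating-objects list (and a block that is not a RenderBlock never reaches here because of the `isRenderBlock()` check above). A one-line comment above the pair explaining that the children are being reparented and stale float entries would otherwise dangle would also deter someone from reinstating a guard that skips the call.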
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes