Title: [168277] releases/WebKitGTK/webkit-2.4/LayoutTests
- Revision
- 168277
- Author
- carlo...@webkit.org
- Date
- 2014-05-05 04:20:54 -0700 (Mon, 05 May 2014)
Log Message
Merge r166645 - Add LayoutTest for crash with bidi isolates
Merged from Blink (patch by j...@chromium.org):
https://src.chromium.org/viewvc/blink?revision=156580&view=revision
http://crbug.com/265838
See Bug 120504: Fix nested unicode-bidi: isolate
<https://bugs.webkit.org/show_bug.cgi?id=120504>
<http://trac.webkit.org/changeset/155554>
* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (168276 => 168277)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 10:58:00 UTC (rev 168276)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 11:20:54 UTC (rev 168277)
@@ -1,3 +1,18 @@
+2014-04-02 David Kilzer <ddkil...@apple.com>
+
+ Add LayoutTest for crash with bidi isolates
+
+ Merged from Blink (patch by j...@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=156580&view=revision
+ http://crbug.com/265838
+
+ See Bug 120504: Fix nested unicode-bidi: isolate
+ <https://bugs.webkit.org/show_bug.cgi?id=120504>
+ <http://trac.webkit.org/changeset/155554>
+
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Added.
+
2014-04-01 Daniel Bates <daba...@apple.com>
RenderQuote must destroy remaining text renderer before first letter renderer
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (0 => 168277)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt 2014-05-05 11:20:54 UTC (rev 168277)
@@ -0,0 +1,4 @@
+ bar
+
+
+PASS did not crash
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (0 => 168277)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html 2014-05-05 11:20:54 UTC (rev 168277)
@@ -0,0 +1,36 @@
+<!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+function remove(node)
+{
+ node.parentNode.removeChild(node);
+}
+
+window._onload_ = function()
+{
+ document.body.offsetTop;
+ remove(b.lastChild);
+ document.body.offsetTop;
+ remove(a.firstChild);
+ document.body.offsetTop;
+
+ document.body.appendChild(document.createTextNode("PASS did not crash"));
+}
+</script>
+
+<body>
+ <div id="a">foo</div>
+ <div></div>
+ <div>
+ <output>
+ <output>bar</output>
+ <span id="b">
+ <span><div style="display:inline-block"></div><br><br><br></span>
+ </span>
+ </output>
+ </div>
+</body>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
