[webkit-changes] [95217] branches/safari-534.51-branch

Thu, 15 Sep 2011 12:45:37 -0700

Title: [95217] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (95216 => 95217)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-09-15 19:43:33 UTC (rev 95216)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-09-15 19:46:39 UTC (rev 95217)
@@ -1,5 +1,19 @@
 2011-09-15  Mark Rowe  <mr...@apple.com>
 
+        Merge r91386.
+
+    2011-07-20  Tony Chang  <t...@chromium.org>
+
+        Stale pointer due to floats not removed (flexible box display)
+        https://bugs.webkit.org/show_bug.cgi?id=64603
+
+        Reviewed by David Hyatt.
+
+        * fast/flexbox/horizontal-box-float-crash-expected.txt: Added.
+        * fast/flexbox/horizontal-box-float-crash.html: Added.
+
+2011-09-15  Mark Rowe  <mr...@apple.com>
+
         Merge r90568.
 
     2011-07-07  Julien Chaffraix  <jchaffr...@webkit.org>

Added: branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt (0 => 95217)


--- branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt	2011-09-15 19:46:39 UTC (rev 95217)
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+PASS
+

Added: branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash.html (0 => 95217)


--- branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/flexbox/horizontal-box-float-crash.html	2011-09-15 19:46:39 UTC (rev 95217)
@@ -0,0 +1,38 @@
+<html>
+<body _onload_="runTest()">
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    function runTest()
+    {
+        document.body.offsetTop;
+        var container = document.getElementById('container');
+        var test = document.getElementById('test');
+        var blockquote = document.getElementById('blockquote');
+        blockquote.parentNode.removeChild(blockquote);
+        test.appendChild(blockquote);
+        document.body.offsetTop;
+        test.parentNode.removeChild(test);
+        if (window.layoutTestController) {
+            // Force a focus in which forces a paint that can trigger the crash.
+            layoutTestController.setWindowIsKey(false);
+            layoutTestController.setWindowIsKey(true);
+            document.getElementById("results").innerHTML = "PASS";
+        }
+    }
+</script>
+<div>This test passes if it does not crash.</div>
+<div id="container" style="display: -webkit-box;">
+    <div id="test">
+        <span style="float: right;">This is a floating span.</span>
+        <span>.</span>
+    </div>
+    <span>
+        <ol id="results">
+            <blockquote id="blockquote">blockquote</blockquote>
+        </ol>
+    </span>
+</div>
+</body>
+</html>

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (95216 => 95217)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-09-15 19:43:33 UTC (rev 95216)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-09-15 19:46:39 UTC (rev 95217)
@@ -1,5 +1,25 @@
 2011-09-15  Mark Rowe  <mr...@apple.com>
 
+        Merge r91386.
+
+    2011-07-20  Tony Chang  <t...@chromium.org>
+
+        Stale pointer due to floats not removed (flexible box display)
+        https://bugs.webkit.org/show_bug.cgi?id=64603
+
+        Reviewed by David Hyatt.
+
+        Flexbox items should avoid floats.
+
+        Test: fast/flexbox/horizontal-box-float-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::avoidsFloats):
+        * rendering/RenderBox.h:
+        (WebCore::RenderBox::isDeprecatedFlexItem):
+
+2011-09-15  Mark Rowe  <mr...@apple.com>
+
         Merge r88139.
 
     2011-06-04  Abhishek Arya  <infe...@chromium.org>

Modified: branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.cpp (95216 => 95217)


--- branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.cpp	2011-09-15 19:43:33 UTC (rev 95216)
+++ branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.cpp	2011-09-15 19:46:39 UTC (rev 95217)
@@ -3203,7 +3203,7 @@
 
 bool RenderBox::avoidsFloats() const
 {
-    return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot();
+    return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot() || isDeprecatedFlexItem();
 }
 
 void RenderBox::addShadowOverflow()

Modified: branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.h (95216 => 95217)


--- branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.h	2011-09-15 19:43:33 UTC (rev 95216)
+++ branches/safari-534.51-branch/Source/WebCore/rendering/RenderBox.h	2011-09-15 19:46:39 UTC (rev 95217)
@@ -384,6 +384,8 @@
     virtual void markForPaginationRelayoutIfNeeded() { }
 
     bool isWritingModeRoot() const { return !parent() || parent()->style()->writingMode() != style()->writingMode(); }
+
+    bool isDeprecatedFlexItem() const { return !isInline() && !isFloatingOrPositioned() && parent() && parent()->isFlexibleBox(); }
     
     virtual int lineHeight(bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
     virtual int baselinePosition(FontBaseline, bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to