Title: [119502] trunk
- Revision
- 119502
- Author
- [email protected]
- Date
- 2012-06-05 11:05:26 -0700 (Tue, 05 Jun 2012)
Log Message
Crash when modifying fixed-position elements in a detached frame
https://bugs.webkit.org/show_bug.cgi?id=88288
Patch by Douglas Stockwell <[email protected]> on 2012-06-05
Reviewed by James Robinson.
Source/WebCore:
Test: fast/block/positioning/fixed-position-detached-frame.html
* css/StyleResolver.cpp:
(WebCore::StyleResolver::collectMatchingRulesForList):
LayoutTests:
* fast/block/positioning/fixed-position-detached-frame-expected.txt: Added.
* fast/block/positioning/fixed-position-detached-frame.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (119501 => 119502)
--- trunk/LayoutTests/ChangeLog 2012-06-05 17:33:31 UTC (rev 119501)
+++ trunk/LayoutTests/ChangeLog 2012-06-05 18:05:26 UTC (rev 119502)
@@ -1,3 +1,13 @@
+2012-06-05 Douglas Stockwell <[email protected]>
+
+ Crash when modifying fixed-position elements in a detached frame
+ https://bugs.webkit.org/show_bug.cgi?id=88288
+
+ Reviewed by James Robinson.
+
+ * fast/block/positioning/fixed-position-detached-frame-expected.txt: Added.
+ * fast/block/positioning/fixed-position-detached-frame.html: Added.
+
2012-06-05 Alexei Filippov <[email protected]>
Web Inspector: serialize edge counts instead of indexes in heap snapshot
Added: trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame-expected.txt (0 => 119502)
--- trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame-expected.txt 2012-06-05 18:05:26 UTC (rev 119502)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame.html (0 => 119502)
--- trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame.html (rev 0)
+++ trunk/LayoutTests/fast/block/positioning/fixed-position-detached-frame.html 2012-06-05 18:05:26 UTC (rev 119502)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<iframe></iframe>
+<script>
+framedoc = frames[0].document.documentElement;
+document.body.innerText = 'PASS';
+framedoc.innerHTML = '<title style="position:fixed">';
+framedoc.getElementsByTagName('title')[0].innerText = 'a';
+if (window.layoutTestController)
+ layoutTestController.dumpAsText()
+</script>
Modified: trunk/Source/WebCore/ChangeLog (119501 => 119502)
--- trunk/Source/WebCore/ChangeLog 2012-06-05 17:33:31 UTC (rev 119501)
+++ trunk/Source/WebCore/ChangeLog 2012-06-05 18:05:26 UTC (rev 119502)
@@ -1,3 +1,15 @@
+2012-06-05 Douglas Stockwell <[email protected]>
+
+ Crash when modifying fixed-position elements in a detached frame
+ https://bugs.webkit.org/show_bug.cgi?id=88288
+
+ Reviewed by James Robinson.
+
+ Test: fast/block/positioning/fixed-position-detached-frame.html
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::collectMatchingRulesForList):
+
2012-06-05 Andrey Kosyakov <[email protected]>
Web Inspector: render timeline paint category dark green
Modified: trunk/Source/WebCore/css/StyleResolver.cpp (119501 => 119502)
--- trunk/Source/WebCore/css/StyleResolver.cpp 2012-06-05 17:33:31 UTC (rev 119501)
+++ trunk/Source/WebCore/css/StyleResolver.cpp 2012-06-05 18:05:26 UTC (rev 119502)
@@ -2069,7 +2069,7 @@
#ifdef FIXED_POSITION_CREATES_STACKING_CONTEXT
|| style->position() == FixedPosition
#else
- || (style->position() == FixedPosition && e && e->document()->page()->settings()->fixedPositionCreatesStackingContext())
+ || (style->position() == FixedPosition && e && e->document()->page() && e->document()->page()->settings()->fixedPositionCreatesStackingContext())
#endif
#if ENABLE(OVERFLOW_SCROLLING)
// Touch overflow scrolling creates a stacking context.
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
