Title: [133346] branches/safari-536.28-branch

Diff

Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133345 => 133346)


--- branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-02 21:14:26 UTC (rev 133345)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-02 21:26:52 UTC (rev 133346)
@@ -1,5 +1,19 @@
 2012-11-02  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r124564
+
+    2012-08-02  Abhishek Arya  <infe...@chromium.org>
+
+            Crash due to layer not removed from parent for anonymous block.
+            https://bugs.webkit.org/show_bug.cgi?id=90800
+
+            Reviewed by Kent Tamura.
+
+            * fast/block/layer-not-removed-from-parent-crash-expected.txt: Added.
+            * fast/block/layer-not-removed-from-parent-crash.html: Added.
+
+2012-11-02  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r124556
 
     2012-08-02  Kent Tamura  <tk...@chromium.org>
@@ -10742,3 +10756,4 @@
 .
 .
 .
+.

Copied: branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash-expected.txt (from rev 124564, trunk/LayoutTests/fast/block/layer-not-removed-from-parent-crash-expected.txt) (0 => 133346)


--- branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash-expected.txt	2012-11-02 21:26:52 UTC (rev 133346)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Copied: branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash.html (from rev 124564, trunk/LayoutTests/fast/block/layer-not-removed-from-parent-crash.html) (0 => 133346)


--- branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash.html	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/block/layer-not-removed-from-parent-crash.html	2012-11-02 21:26:52 UTC (rev 133346)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<body style='-webkit-columns: 1'>
+A
+<style>
+.class1 { -webkit-column-span: all; }
+</style><script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+function crash() {
+test1 = document.createElementNS("http://www.w3.org/1999/xhtml", "article");
+document.body.appendChild(test1);
+test1.appendChild(document.createTextNode('A'));
+test1.setAttribute("class", "class1");
+test2 = document.createElementNS("http://www.w3.org/1999/xhtml", "article");
+document.body.appendChild(test2);
+test2.appendChild(document.createTextNode('A'));
+test2.setAttribute("class", "class1");
+document.body.offsetTop;
+document.designMode = "on";
+document.execCommand("InsertHTML", false, "No crash!")
+document.execCommand("SelectAll", false)
+document.execCommand("InsertHTML", false, "There should be an empty line between these two paragraphs.<span><div></div></span><div>This paragraph and the empty line should have be in their own divs with a red border.")
+document.execCommand("SelectAll", false)
+document.execCommand("InsertHTML", false, "There should be an empty line between these two paragraphs.<span><div></div></span><div>This paragraph and the empty line should have be in their own divs with a red border.")
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+}
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</body>
+</html>
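
Review bot: crash() has no comment saying which condition it exercises, and the two long InsertHTML strings (paragraphs, empty line, red border) read as leftovers from an unrelated editing test. A one-line comment naming bug 90800 and the -webkit-column-span: all anonymous block case would make the test maintainable, and the strings could be shortened if the reduced case still reproduces. In the same function, test1 and test2 are assigned without var and so become implicit globals, and the execCommand lines are missing their terminating semicolons.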

Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133345 => 133346)


--- branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-02 21:14:26 UTC (rev 133345)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-02 21:26:52 UTC (rev 133346)
@@ -1,5 +1,26 @@
 2012-11-02  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r124564
+
+    2012-08-02  Abhishek Arya  <infe...@chromium.org>
+
+            Crash due to layer not removed from parent for anonymous block.
+            https://bugs.webkit.org/show_bug.cgi?id=90800
+
+            Reviewed by Kent Tamura.
+
+            Reverse the order of setStyle and removeChildNode calls. This ensures that setting the style
+            properly removes its layer from the parent in RenderBoxModelObject::styleDidChange. Calling
+            removeChildNode before calling setStyle is problematic since the parent layer never gets
+            notified.
+
+            Test: fast/block/layer-not-removed-from-parent-crash.html
+
+            * rendering/RenderBlock.cpp:
+            (WebCore::RenderBlock::removeChild):
+
+2012-11-02  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r124556
 
     2012-08-02  Kent Tamura  <tk...@chromium.org>
@@ -206026,3 +206047,4 @@
 .
 .
 .
+.

Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp (133345 => 133346)


--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-11-02 21:14:26 UTC (rev 133345)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderBlock.cpp	2012-11-02 21:26:52 UTC (rev 133346)
@@ -1180,8 +1180,8 @@
             // column span flag if it is set.
             ASSERT(!inlineChildrenBlock->continuation());
             RefPtr<RenderStyle> newStyle = RenderStyle::createAnonymousStyleWithDisplay(style(), BLOCK);
+            inlineChildrenBlock->setStyle(newStyle);
             children()->removeChildNode(this, inlineChildrenBlock, inlineChildrenBlock->hasLayer());
-            inlineChildrenBlock->setStyle(newStyle);
             
             // Now just put the inlineChildrenBlock inside the blockChildrenBlock.
             blockChildrenBlock->children()->insertChildNode(blockChildrenBlock, inlineChildrenBlock, prev == inlineChildrenBlock ? blockChildrenBlock->firstChild() : 0,
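
Review bot: the order of setStyle and removeChildNode now matters, but only the ChangeLog says so. A short comment above inlineChildrenBlock->setStyle(newStyle) stating that the style has to be set before the child is removed, so that RenderBoxModelObject::styleDidChange can remove its layer from the parent, would keep a later cleanup from swapping the two calls back. Also, inlineChildrenBlock->hasLayer(), passed as the third argument to removeChildNode, is now evaluated after the style change rather than before it; it is worth confirming that this is the intended value.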
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
