Title: [140552] branches/chromium/1391
- Revision
- 140552
- Author
- infe...@chromium.org
- Date
- 2013-01-23 10:52:26 -0800 (Wed, 23 Jan 2013)
Log Message
Revert 140206
Modified Paths
Removed Paths
Diff
Deleted: branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt (140551 => 140552)
--- branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt 2013-01-23 18:52:24 UTC (rev 140551)
+++ branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt 2013-01-23 18:52:26 UTC (rev 140552)
@@ -1,2 +0,0 @@
-Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.
-PASS. WebKit didn't crash
Deleted: branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html (140551 => 140552)
--- branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html 2013-01-23 18:52:24 UTC (rev 140551)
+++ branches/chromium/1391/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html 2013-01-23 18:52:26 UTC (rev 140552)
@@ -1,33 +0,0 @@
-<!DOCTYPE html>
-<html>
-<noembed id=test4></noembed>
-<h6 id=test3>
-<h3 id=test7></h3>
-<span id=tCF36>
-<math>
-<and>
-<equivalent>
-<csc id=test5 style="float: left; "> X6DDguzp|m_v c;</csc>
-<otherwise id=test1>
-</equivalent>
-</and>
-<cartesianproduct id=test2>#L }|2pqynn</cartesianproduct>
-<factorial></factorial>
-<product id=test6>.
-</math>
-</span>
-</h6>
-<script>
-if (window.testRunner)
- testRunner.dumpAsText();
-
-document.documentElement.offsetTop;
-test1.appendChild(test2);
-test2.appendChild(test3);
-document.documentElement.offsetTop;
-test4.appendChild(test5);
-test6.appendChild(test7);
-document.documentElement.offsetTop;
-document.documentElement.innerHTML = "Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.<br />PASS. WebKit didn't crash";
-</script>
-</html>
Modified: branches/chromium/1391/Source/WebCore/rendering/RenderBox.cpp (140551 => 140552)
--- branches/chromium/1391/Source/WebCore/rendering/RenderBox.cpp 2013-01-23 18:52:24 UTC (rev 140551)
+++ branches/chromium/1391/Source/WebCore/rendering/RenderBox.cpp 2013-01-23 18:52:26 UTC (rev 140552)
@@ -179,12 +179,6 @@
}
if (parentBlock) {
- // Need to skip anonymous blocks in our ancestor chain since our overhanging floats
- // can be in the next siblings of enclosing block.
- while (parentBlock && parentBlock->isAnonymousBlock())
- parentBlock = parentBlock->containingBlock();
- ASSERT(parentBlock);
-
RenderObject* parent = parentBlock->parent();
if (parent && parent->isFlexibleBoxIncludingDeprecated())
parentBlock = toRenderBlock(parent);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes