Title: [140734] branches/chromium/1364
Revision
140734
Author
[email protected]
Date
2013-01-24 15:21:17 -0800 (Thu, 24 Jan 2013)

Log Message

Merge 140069
BUG=136226
Review URL: https://codereview.chromium.org/11953096

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt (from rev 140069, trunk/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt) (0 => 140734)


--- branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt	2013-01-24 23:21:17 UTC (rev 140734)
@@ -0,0 +1,3 @@
+Test passes if it does not crash.
+PASS. WebKit didn't crash.
+

Copied: branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash.html (from rev 140069, trunk/LayoutTests/fast/multicol/float-not-removed-crash.html) (0 => 140734)


--- branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash.html	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/multicol/float-not-removed-crash.html	2013-01-24 23:21:17 UTC (rev 140734)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+.class1:nth-child(-n+6) { float: left; padding-bottom: 100px; }
+.class2:nth-child(even) { -webkit-backface-visibility: hidden; -webkit-column-span: all; }
+.class3 { -webkit-column-count: 65536; }
+</style>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function crash() {
+    test1 = document.createElement('div');
+    test2 = document.createElement('div');
+    test3 = document.createElement('div');
+    test3.setAttribute('class', 'class3');
+    document.documentElement.appendChild(test3);
+    test4 = document.createElement('div');
+    test4.setAttribute('class', 'class2');
+    test5 = document.createElement('div');
+    test5.setAttribute('class', 'class1');
+    test6 = document.createElement('div');
+    test7 = document.createElement('i');
+    test8 = document.createTextNode("PASS. WebKit didn't crash.");
+    test6.appendChild(test8);
+    test6.appendChild(test7);
+    test1.appendChild(test6);
+    test3.appendChild(test1);
+    test7.appendChild(test5);
+    document.documentElement.offsetTop;
+    setTimeout('test3.appendChild(test4);', 0);
+    setTimeout('test2.appendChild(test7);', 2);
+    setTimeout('if (window.testRunner) testRunner.notifyDone();', 4);
+}
+
+window._onload_ = crash;
+</script>
+</html>
\ No newline at end of file
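Review bot: As shown, the last script line assigns the handler to `window._onload_`, which is not an event-handler property, so `crash()` would never run and the test would wait in `testRunner.waitUntilDone()` until the harness times out instead of exercising the float removal. This is probably the mail archive's sanitizer rewriting the name rather than what was committed, but it is worth confirming that the checked-in file reads `window.onload = crash;`. The three string-form `setTimeout` calls also rely on `test2`, `test3`, `test4` and `test7` being implicit globals. A short comment such as `// test* are intentionally global: the setTimeout strings are evaluated in global scope` would keep a later cleanup that adds `var` from breaking the test.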

Modified: branches/chromium/1364/Source/WebCore/rendering/RenderBoxModelObject.cpp (140733 => 140734)


--- branches/chromium/1364/Source/WebCore/rendering/RenderBoxModelObject.cpp	2013-01-24 23:17:22 UTC (rev 140733)
+++ branches/chromium/1364/Source/WebCore/rendering/RenderBoxModelObject.cpp	2013-01-24 23:21:17 UTC (rev 140734)
@@ -2824,8 +2824,8 @@
     // or when fullRemoveInsert is false.
     if (fullRemoveInsert && isRenderBlock()) {
         RenderBlock* block = toRenderBlock(this);
-        if (block->hasPositionedObjects())
-            block->removePositionedObjects(0);
+        block->removePositionedObjects(0);
+        block->removeFloatingObjects(); 
     }
 
     ASSERT(!beforeChild || toBoxModelObject == beforeChild->parent());
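Review bot: The added `block->removeFloatingObjects();` call has no explanation, and the comment that ends just above the `if` starts outside the hunk and appears to predate float handling. Judging by the test name (float-not-removed-crash), the intent is that this block's float list must not keep an entry for a renderer that moves out with the children. I would say so in place, for example `// Also drop the float list so no entry outlives a float that moves with the children.` The commit also removes the `hasPositionedObjects()` guard, which assumes `removePositionedObjects(0)` is safe on a block with no positioned objects; that cannot be confirmed from these lines. The new line also ends with a trailing space after the semicolon.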