Title: [124112] branches/safari-536.26-branch
- Revision
- 124112
- Author
- lforsch...@apple.com
- Date
- 2012-07-30 16:16:24 -0700 (Mon, 30 Jul 2012)
Log Message
Merged r120662. <rdar://problem/11942166>
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124111 => 124112)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 23:13:25 UTC (rev 124111)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 23:16:24 UTC (rev 124112)
@@ -1,5 +1,18 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 120662
+
+ 2012-06-18 Mike Lawther <mikelawt...@chromium.org>
+
+ Crash when setting title dynamically
+ https://bugs.webkit.org/show_bug.cgi?id=88083
+
+ Reviewed by Dan Bernstein.
+
+ * fast/text/title-crash.html: Added.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 119409
2012-06-04 Abhishek Arya <infe...@chromium.org>
Copied: branches/safari-536.26-branch/LayoutTests/fast/text/title-crash.html (from rev 120662, trunk/LayoutTests/fast/text/title-crash.html) (0 => 124112)
--- branches/safari-536.26-branch/LayoutTests/fast/text/title-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/text/title-crash.html 2012-07-30 23:16:24 UTC (rev 124112)
@@ -0,0 +1,6 @@
+<style>*{font-style:italic;font-size:1ex;}</style>
+<script>
+ if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+ document.documentElement.innerHTML = '<title>a</title>This test passes if it does not crash.'
+</script>
\ No newline at end of file
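Review bot: the new test file is missing a trailing newline ("\ No newline at end of file"), and the `document.documentElement.innerHTML = '<title>a</title>...'` statement has no terminating semicolon; add both so the test matches the formatting of the other layout tests.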
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124111 => 124112)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 23:13:25 UTC (rev 124111)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 23:16:24 UTC (rev 124112)
@@ -1,5 +1,28 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 120662
+
+ 2012-06-18 Mike Lawther <mikelawt...@chromium.org>
+
+ Crash when setting title dynamically
+ https://bugs.webkit.org/show_bug.cgi?id=88083
+
+ Reviewed by Dan Bernstein.
+
+ Test: fast/text/title-crash.html
+
+ The crashing code takes a rare branch in StyleResolver::styleForElement() where
+ m_parentStyle is set to point to m_style. Consequently, while applying properties
+ to m_style we end up mutating m_parentStyle.
+
+ In this situation, we clone style() and point m_parentStyle at the clone. The
+ clone is destroyed at the end of StyleResolver::styleForElement().
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::collectMatchingRulesForList):
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 119409
2012-06-04 Abhishek Arya <infe...@chromium.org>
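Review bot: the per-function line in the merged ChangeLog entry, `(WebCore::StyleResolver::collectMatchingRulesForList):`, names a function that the description and the code diff do not touch; the change is in `StyleResolver::styleForElement()`, where `m_parentStyle` is now pointed at a clone. Update the entry so the listed function matches the one actually modified.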
Modified: branches/safari-536.26-branch/Source/WebCore/css/StyleResolver.cpp (124111 => 124112)
--- branches/safari-536.26-branch/Source/WebCore/css/StyleResolver.cpp 2012-07-30 23:13:25 UTC (rev 124111)
+++ branches/safari-536.26-branch/Source/WebCore/css/StyleResolver.cpp 2012-07-30 23:16:24 UTC (rev 124112)
@@ -1604,12 +1604,15 @@
m_style = RenderStyle::create();
+ RefPtr<RenderStyle> cloneForParent;
+
if (m_parentStyle)
m_style->inheritFrom(m_parentStyle);
else {
- m_parentStyle = style();
// Make sure our fonts are initialized if we don't inherit them from our parent style.
m_style->font().update(0);
+ cloneForParent = RenderStyle::clone(style());
+ m_parentStyle = cloneForParent.get();
}
// Even if surrounding content is user-editable, shadow DOM should act as a single unit, and not necessarily be editable
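Review bot: after `m_parentStyle = cloneForParent.get();`, `m_parentStyle` holds a raw pointer into a `RefPtr` that is local to this function, so it is only valid until the reset to 0 at the end of `styleForElement()`; any early return between this hunk and that reset would leave a dangling parent-style pointer for the next resolve. Worth confirming no such path exists between the two hunks, or tying the reset to `cloneForParent`'s scope rather than to the final return.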
@@ -1636,6 +1639,9 @@
initElement(0); // Clear out for the next resolve.
+ if (cloneForParent)
+ m_parentStyle = 0;
+
// Now return the style.
return m_style.release();
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes