Title: [180377] branches/safari-600.5-branch
- Revision: 180377
- Author: dburk...@apple.com
- Date: 2015-02-19 17:41:06 -0800 (Thu, 19 Feb 2015)
Log Message
Merged r179877. <rdar://19850766>
Diff
Modified: branches/safari-600.5-branch/LayoutTests/ChangeLog (180376 => 180377)
--- branches/safari-600.5-branch/LayoutTests/ChangeLog 2015-02-20 01:36:08 UTC (rev 180376)
+++ branches/safari-600.5-branch/LayoutTests/ChangeLog 2015-02-20 01:41:06 UTC (rev 180377)
@@ -1,5 +1,25 @@
2015-02-19 Dana Burkart <dburk...@apple.com>
+ Merged r179877. <rdar://problem/19850766>
+
+ 2015-02-07 Zalan Bujtas <za...@apple.com>
+
+ REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency
+ https://bugs.webkit.org/show_bug.cgi?id=133462
+
+ Reviewed by David Hyatt.
+
+ RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
+ Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
+ we detach the inline tree first and destroy them after. The detached root boxes can't access
+ the flowthread containing block and we end up with dangling pointers in this map.
+ Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.
+
+ * fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt: Added.
+ * fast/multicol/newmulticol/crash-when-switching-to-floating.html: Added.
+
+2015-02-19 Dana Burkart <dburk...@apple.com>
+
Merged r179776. <rdar://problem/19850771>
2015-02-06 Zalan Bujtas <za...@apple.com>
Copied: branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt (from rev 179877, trunk/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt) (0 => 180377)
--- branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt 2015-02-20 01:41:06 UTC (rev 180377)
@@ -0,0 +1 @@
+Pass if no crash or assert in debug build.
Copied: branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html (from rev 179877, trunk/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html) (0 => 180377)
--- branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html 2015-02-20 01:41:06 UTC (rev 180377)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we clean up the inline content properly after introducing floating.</title>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<table><td></table>
+Pass if no crash or assert in debug build.
+<script>
+var head = document.getElementsByTagName("head")[0];
+style = document.createElement("style");
+style.innerHTML="* { \n\
+-webkit-animation-name: name9; \n\
+-webkit-animation-duration: 10s; \n\
+} \n\
+@-webkit-keyframes name9 { \n\
+ from { \n\
+ } \n\
+ to { \n\
+ -webkit-column-width: auto; \n\
+";
+head.appendChild(style);
+document.execCommand("SelectAll");
+style.innerHTML="* {float:left;}";
+</script>
+</body>
+</html>
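Review bot: The stylesheet string assigned to style.innerHTML ends after "-webkit-column-width: auto;" without closing either the "to {" block or the "@-webkit-keyframes name9 {" rule. If the unterminated rule is part of the reduction needed to reach the crash, say so in a comment next to the string; otherwise close both blocks so the test does not depend on CSS parser error recovery. Separately, "style = document.createElement("style");" creates an implicit global; declare it with var as is done for head on the line above.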
Modified: branches/safari-600.5-branch/Source/WebCore/ChangeLog (180376 => 180377)
--- branches/safari-600.5-branch/Source/WebCore/ChangeLog 2015-02-20 01:36:08 UTC (rev 180376)
+++ branches/safari-600.5-branch/Source/WebCore/ChangeLog 2015-02-20 01:41:06 UTC (rev 180377)
@@ -1,5 +1,27 @@
2015-02-19 Dana Burkart <dburk...@apple.com>
+ Merged r179877. <rdar://problem/19850766>
+
+ 2015-02-07 Zalan Bujtas <za...@apple.com>
+
+ REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency
+ https://bugs.webkit.org/show_bug.cgi?id=133462
+
+ Reviewed by David Hyatt.
+
+ RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
+ Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
+ we detach the inline tree first and destroy them after. The detached root boxes can't access
+ the flowthread containing block and we end up with dangling pointers in this map.
+ Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.
+
+ Test: fast/multicol/newmulticol/crash-when-switching-to-floating.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::collapseAnonymousBoxChild):
+
+2015-02-19 Dana Burkart <dburk...@apple.com>
+
Merged r179776. <rdar://problem/19850771>
2015-02-06 Zalan Bujtas <za...@apple.com>
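Review bot: The per-function line "(WebCore::RenderBlock::collapseAnonymousBoxChild):" at the end of this entry has no description. The paragraph above explains why removeFlowChildInfo() has to run before the subtree is detached, but not what was changed in the function to get there; add a short note after the colon covering what was removed and what the new condition checks, so the entry can be read without opening the diff.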
Modified: branches/safari-600.5-branch/Source/WebCore/rendering/RenderBlock.cpp (180376 => 180377)
--- branches/safari-600.5-branch/Source/WebCore/rendering/RenderBlock.cpp 2015-02-20 01:36:08 UTC (rev 180376)
+++ branches/safari-600.5-branch/Source/WebCore/rendering/RenderBlock.cpp 2015-02-20 01:41:06 UTC (rev 180377)
@@ -758,9 +758,7 @@
parent->setChildrenInline(child->childrenInline());
RenderObject* nextSibling = child->nextSibling();
- RenderFlowThread* childFlowThread = child->flowThreadContainingBlock();
- CurrentRenderFlowThreadMaintainer flowThreadMaintainer(childFlowThread);
- if (childFlowThread && childFlowThread->isRenderNamedFlowThread())
+ if (auto* childFlowThread = child->flowThreadContainingBlock())
toRenderNamedFlowThread(childFlowThread)->removeFlowChildInfo(child);
parent->removeChildInternal(*child, child->hasLayer() ? NotifyChildren : DontNotifyChildren);
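Review bot: The new condition "if (auto* childFlowThread = child->flowThreadContainingBlock())" drops the isRenderNamedFlowThread() check, yet the unchanged line below it still goes through toRenderNamedFlowThread(childFlowThread), so the downcast is now applied to whatever flow thread type contains the child. The regression test added with this change sits under fast/multicol and sets -webkit-column-width, which suggests the flow thread reached here need not be a named flow thread. If removeFlowChildInfo() is declared on RenderFlowThread, call it on childFlowThread directly and drop the cast; if it is not, keep the type check in the condition. The CurrentRenderFlowThreadMaintainer that was constructed here is also removed without any mention in the ChangeLog entry; a sentence on why it is no longer needed for the removeChildInternal() call that follows would help.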