Title: [137759] branches/chromium/1312
Revision
137759
Author
cev...@google.com
Date
2012-12-14 11:32:05 -0800 (Fri, 14 Dec 2012)

Log Message

Merge 137632
BUG=163593
Review URL: https://codereview.chromium.org/11583006

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash-expected.txt (from rev 137632, trunk/LayoutTests/mathml/mo-stretch-crash-expected.txt) (0 => 137759)


--- branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash-expected.txt	2012-12-14 19:32:05 UTC (rev 137759)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+

Copied: branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash.html (from rev 137632, trunk/LayoutTests/mathml/mo-stretch-crash.html) (0 => 137759)


--- branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash.html	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/mathml/mo-stretch-crash.html	2012-12-14 19:32:05 UTC (rev 137759)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<q id=quote></q>
+<dd id=dd>
+<body id=body>
+    <style>
+        dd, q, mfenced, div {
+            width: 7px;
+            overflow-y: auto;
+            padding-left: 100%;
+        }
+    </style>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+
+        body.contentEditable = "true";
+        function crash() {
+            mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
+            div = document.createElement("div");
+            mfenced.appendChild(div);
+            dd.appendChild(mfenced);
+            body.style.display = "-webkit-flex";
+            div.appendChild(quote);
+        }
+        window.addEventListener("load", crash, false);
+    </script>
+
+This test passes if it does not crash.
+</body>
+</dd>

Modified: branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp (137758 => 137759)


--- branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp	2012-12-14 19:26:04 UTC (rev 137758)
+++ branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp	2012-12-14 19:32:05 UTC (rev 137759)
@@ -1334,8 +1334,8 @@
 
 void RenderBlock::startDelayUpdateScrollInfo()
 {
-    if (gDelayUpdateScrollInfo == 0) {
-        ASSERT(!gDelayedUpdateScrollInfoSet);
+    if (!gDelayedUpdateScrollInfoSet) {
+        ASSERT(!gDelayUpdateScrollInfo);
         gDelayedUpdateScrollInfoSet = new DelayedUpdateScrollInfoSet;
     }
     ASSERT(gDelayedUpdateScrollInfoSet);
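Review bot: startDelayUpdateScrollInfo() does not say why allocation is now keyed on `gDelayedUpdateScrollInfoSet` instead of the counter, and the only check tying the two globals together is `ASSERT(!gDelayUpdateScrollInfo)`, which is compiled out of release builds. Presumably the drain loop changed in the next hunk of this file can re-enter this function while the counter is 0 and the set is still live, in which case the old test would have replaced a live set. A comment above the `if` would record that, for example `// Key on the set, not the counter: we can be re-entered while the set is still being drained with the counter at 0.` The function body continues past the end of the hunk.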
@@ -1349,15 +1349,22 @@
     if (gDelayUpdateScrollInfo == 0) {
         ASSERT(gDelayedUpdateScrollInfoSet);
 
-        OwnPtr<DelayedUpdateScrollInfoSet> infoSet(adoptPtr(gDelayedUpdateScrollInfoSet));
-        gDelayedUpdateScrollInfoSet = 0;
-
-        for (DelayedUpdateScrollInfoSet::iterator it = infoSet->begin(); it != infoSet->end(); ++it) {
-            RenderBlock* block = *it;
-            if (block->hasOverflowClip()) {
-                block->layer()->updateScrollInfoAfterLayout();
+        Vector<RenderBlock*> infoSet;
+        while (gDelayedUpdateScrollInfoSet && gDelayedUpdateScrollInfoSet->size()) {
+            copyToVector(*gDelayedUpdateScrollInfoSet, infoSet);
+            for (Vector<RenderBlock*>::iterator it = infoSet.begin(); it != infoSet.end(); ++it) {
+                RenderBlock* block = *it;
+                // |block| may have been destroyed at this point, but then it will have been removed from gDelayedUpdateScrollInfoSet.
+                if (gDelayedUpdateScrollInfoSet && gDelayedUpdateScrollInfoSet->contains(block)) {
+                    gDelayedUpdateScrollInfoSet->remove(block);
+                    if (block->hasOverflowClip())
+                        block->layer()->updateScrollInfoAfterLayout();
+                }
             }
         }
+        delete gDelayedUpdateScrollInfoSet;
+        gDelayedUpdateScrollInfoSet = 0;
+        ASSERT(!gDelayUpdateScrollInfo);
     }
 }
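Review bot: The `contains(block)` test ahead of `block->hasOverflowClip()` is the only thing that keeps this loop from dereferencing a freed RenderBlock, and it is sound only if every destruction path removes the block from `gDelayedUpdateScrollInfoSet`. That removal is not visible in this hunk, so the existing comment should name where it happens, so that a later change to the teardown path does not silently reopen the use-after-free. The outer `while` is undocumented as well; it appears to exist because `updateScrollInfoAfterLayout()` can add or destroy blocks, and a line such as `// updateScrollInfoAfterLayout() may re-enter layout and mutate the set; re-snapshot until it drains.` would state that. The enclosing function starts above the hunk.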
 