Title: [168104] branches/safari-537.76-branch

Diff

Modified: branches/safari-537.76-branch/LayoutTests/ChangeLog (168103 => 168104)


--- branches/safari-537.76-branch/LayoutTests/ChangeLog	2014-05-01 16:06:02 UTC (rev 168103)
+++ branches/safari-537.76-branch/LayoutTests/ChangeLog	2014-05-01 16:25:09 UTC (rev 168104)
@@ -1,5 +1,20 @@
 2014-05-01  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r166736.
+
+    2014-04-03  David Hyatt  <hy...@apple.com>
+    
+            Continuations casting issue.
+            https://bugs.webkit.org/show_bug.cgi?id=130057
+            <rdar://problem/16283406>
+    
+            Reviewed by Simon Fraser.
+    
+            * fast/block/continuation-crash-expected.txt: Added.
+            * fast/block/continuation-crash.html: Added.
+    
+2014-05-01  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r167480.
 
     2014-04-17  Darin Adler  <da...@apple.com>

Copied: branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash-expected.txt (from rev 166736, trunk/LayoutTests/fast/block/continuation-crash-expected.txt) (0 => 168104)


--- branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash-expected.txt	                        (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash-expected.txt	2014-05-01 16:25:09 UTC (rev 168104)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+

Copied: branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash.html (from rev 166736, trunk/LayoutTests/fast/block/continuation-crash.html) (0 => 168104)


--- branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash.html	                        (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/fast/block/continuation-crash.html	2014-05-01 16:25:09 UTC (rev 168104)
@@ -0,0 +1,23 @@
+<style>
+#span2
+{ position: relative; }
+</style>
+ <script>
+function run() {
+	document.getElementById("span2").style.position = "static";
+}
+</script>
+<body>
+This test passes if it does not crash.
+<span id="span2">
+<div></div>
+<script>
+try {
+var x = window.getSelection();
+x.getRangeAt(document.body.appendChild(document.createElement("frame")).height);
+} catch (e) {}
+document.body.offsetWidth
+run()
+if (window.testRunner)
+    testRunner.dumpAsText()
+</script>
\ No newline at end of file
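Review bot: The `try` block in the second script combines a `getRangeAt` call, whose exception is swallowed by the empty `catch`, with the `appendChild` of a `frame` element, so the test does not show which of the two is needed to reach the crash. Consider moving the `appendChild` out of the `try`, dropping the selection call if it is not required, and adding a short comment that names bug 130057 and the sibling the fix is meant to stop at. Calling `testRunner.dumpAsText()` before `run()` would also keep the output in text mode if anything earlier in the script throws.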

Modified: branches/safari-537.76-branch/Source/WebCore/ChangeLog (168103 => 168104)


--- branches/safari-537.76-branch/Source/WebCore/ChangeLog	2014-05-01 16:06:02 UTC (rev 168103)
+++ branches/safari-537.76-branch/Source/WebCore/ChangeLog	2014-05-01 16:25:09 UTC (rev 168104)
@@ -1,5 +1,27 @@
 2014-05-01  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r166736.
+
+    2014-04-03  David Hyatt  <hy...@apple.com>
+    
+            Continuations casting issue.
+            https://bugs.webkit.org/show_bug.cgi?id=130057
+            <rdar://problem/16283406>
+    
+            Reviewed by Simon Fraser.
+    
+            The code to update relative positioned anonymous block continuations should not
+            have assumed that all siblings were RenderBlocks. Make the code smarter and
+            make it bail when it hits something that isn't part of the block continuation
+            chain.
+    
+            Added fast/block/continuation-crash.html
+    
+            * rendering/RenderInline.cpp:
+            (WebCore::updateStyleOfAnonymousBlockContinuations):
+    
+2014-05-01  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r167480.
 
     2014-04-17  Darin Adler  <da...@apple.com>
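Review bot: The description under "Continuations casting issue." says the loop now bails on anything outside the block continuation chain, but it does not mention the behaviour change for anonymous blocks that are not continuations: the RenderInline.cpp hunk replaces a `continue` on `!isAnonymousBlockContinuation()` with a `break`. One more sentence stating that later siblings are no longer visited in that case would help anyone bisecting a positioning regression to this merge.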

Modified: branches/safari-537.76-branch/Source/WebCore/rendering/RenderInline.cpp (168103 => 168104)


--- branches/safari-537.76-branch/Source/WebCore/rendering/RenderInline.cpp	2014-05-01 16:06:02 UTC (rev 168103)
+++ branches/safari-537.76-branch/Source/WebCore/rendering/RenderInline.cpp	2014-05-01 16:25:09 UTC (rev 168104)
@@ -151,14 +151,22 @@
     return 0;
 }
 
-static void updateStyleOfAnonymousBlockContinuations(RenderObject* block, const RenderStyle* newStyle, const RenderStyle* oldStyle)
+static void updateStyleOfAnonymousBlockContinuations(RenderObject* box, const RenderStyle* newStyle, const RenderStyle* oldStyle)
 {
-    for (;block && block->isAnonymousBlock(); block = block->nextSibling()) {
-        if (!toRenderBlock(block)->isAnonymousBlockContinuation() || block->style()->position() == newStyle->position())
+    for (;box && box->isAnonymousBlock(); box = box->nextSibling()) {
+        if (box->style()->position() == newStyle->position())
             continue;
+        
+        if (!box->isRenderBlock())
+            break; // We're done if we ever encounter something other than a RenderBlock.
+
+        RenderBlock* block = toRenderBlock(box);
+        if (!block->isAnonymousBlockContinuation())
+            break; // We're done if we ever encounter something other than a continuation RenderBlock.
+        
         // If we are no longer in-flow positioned but our descendant block(s) still have an in-flow positioned ancestor then
         // their containing anonymous block should keep its in-flow positioning. 
-        RenderInline* cont = toRenderBlock(block)->inlineElementContinuation();
+        RenderInline* cont = toRenderBlock(box)->inlineElementContinuation();
         if (oldStyle->hasInFlowPosition() && inFlowPositionedInlineAncestor(cont))
             continue;
         RefPtr<RenderStyle> blockStyle = RenderStyle::createAnonymousStyleWithDisplay(block->style(), BLOCK);
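Review bot: The early `continue` on `box->style()->position() == newStyle->position()` now runs before the `!box->isRenderBlock()` and `!block->isAnonymousBlockContinuation()` checks, so a sibling outside the continuation chain that happens to have the same position is stepped over instead of ending the loop, and the walk carries on into whatever follows it. If the intent is to stop at the first sibling outside the chain, as the ChangeLog entry states, do the two type checks first and compare positions afterwards. Separately, with `RenderBlock* block = toRenderBlock(box);` in place, the `cont` line can use `block->inlineElementContinuation()` rather than casting `box` a second time.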
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
