Title: [91386] trunk
Revision: 91386
Author: t...@chromium.org
Date: 2011-07-20 12:01:55 -0700 (Wed, 20 Jul 2011)

Log Message

Stale pointer due to floats not removed (flexible box display)
https://bugs.webkit.org/show_bug.cgi?id=64603

Reviewed by David Hyatt.

Source/WebCore:

Flexbox items should avoid floats.

Test: fast/flexbox/horizontal-box-float-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::avoidsFloats):
* rendering/RenderBox.h:
(WebCore::RenderBox::isDeprecatedFlexItem):

LayoutTests:

* fast/flexbox/horizontal-box-float-crash-expected.txt: Added.
* fast/flexbox/horizontal-box-float-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (91385 => 91386)


--- trunk/LayoutTests/ChangeLog	2011-07-20 18:55:07 UTC (rev 91385)
+++ trunk/LayoutTests/ChangeLog	2011-07-20 19:01:55 UTC (rev 91386)
@@ -1,3 +1,13 @@
+2011-07-20  Tony Chang  <t...@chromium.org>
+
+        Stale pointer due to floats not removed (flexible box display)
+        https://bugs.webkit.org/show_bug.cgi?id=64603
+
+        Reviewed by David Hyatt.
+
+        * fast/flexbox/horizontal-box-float-crash-expected.txt: Added.
+        * fast/flexbox/horizontal-box-float-crash.html: Added.
+
 2011-07-20  Stephen White  <senorbla...@chromium.org>
 
         Unreviewed; chromium test expectations changes.

Added: trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt (0 => 91386)


--- trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash-expected.txt	2011-07-20 19:01:55 UTC (rev 91386)
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+PASS
+

Added: trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash.html (0 => 91386)


--- trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/flexbox/horizontal-box-float-crash.html	2011-07-20 19:01:55 UTC (rev 91386)
@@ -0,0 +1,38 @@
+<html>
+<body _onload_="runTest()">
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    function runTest()
+    {
+        document.body.offsetTop;
+        var container = document.getElementById('container');
+        var test = document.getElementById('test');
+        var blockquote = document.getElementById('blockquote');
+        blockquote.parentNode.removeChild(blockquote);
+        test.appendChild(blockquote);
+        document.body.offsetTop;
+        test.parentNode.removeChild(test);
+        if (window.layoutTestController) {
+            // Force a focus in which forces a paint that can trigger the crash.
+            layoutTestController.setWindowIsKey(false);
+            layoutTestController.setWindowIsKey(true);
+            document.getElementById("results").innerHTML = "PASS";
+        }
+    }
+</script>
+<div>This test passes if it does not crash.</div>
+<div id="container" style="display: -webkit-box;">
+    <div id="test">
+        <span style="float: right;">This is a floating span.</span>
+        <span>.</span>
+    </div>
+    <span>
+        <ol id="results">
+            <blockquote id="blockquote">blockquote</blockquote>
+        </ol>
+    </span>
+</div>
+</body>
+</html>
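Review bot: In runTest(), the line that writes "PASS" into #results sits inside the `if (window.layoutTestController)` block, so a manual run in a browser ends with an empty result list and nothing to tell a completed run from a script that stopped early. Move the `innerHTML = "PASS"` assignment below the block so that only the two setWindowIsKey() calls are harness-only. The body attribute also reads `_onload_` in this rendering; if the committed file matches, runTest() never fires, so confirm it is `onload`.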

Modified: trunk/Source/WebCore/ChangeLog (91385 => 91386)


--- trunk/Source/WebCore/ChangeLog	2011-07-20 18:55:07 UTC (rev 91385)
+++ trunk/Source/WebCore/ChangeLog	2011-07-20 19:01:55 UTC (rev 91386)
@@ -1,3 +1,19 @@
+2011-07-20  Tony Chang  <t...@chromium.org>
+
+        Stale pointer due to floats not removed (flexible box display)
+        https://bugs.webkit.org/show_bug.cgi?id=64603
+
+        Reviewed by David Hyatt.
+
+        Flexbox items should avoid floats.
+
+        Test: fast/flexbox/horizontal-box-float-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::avoidsFloats):
+        * rendering/RenderBox.h:
+        (WebCore::RenderBox::isDeprecatedFlexItem):
+
 2011-07-20  Scott Graham  <scot...@chromium.org>
 
         Reviewed by Antti Koivisto.
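Review bot: The description line "Flexbox items should avoid floats." gives the rule but not how its absence produces the stale pointer named in the title. One or two sentences on which object kept a reference to the removed float, and why avoiding floats prevents that, would make the entry usable the next time this code is touched.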

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (91385 => 91386)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2011-07-20 18:55:07 UTC (rev 91385)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2011-07-20 19:01:55 UTC (rev 91386)
@@ -3194,7 +3194,7 @@
 
 bool RenderBox::avoidsFloats() const
 {
-    return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot();
+    return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot() || isDeprecatedFlexItem();
 }
 
 void RenderBox::addShadowOverflow()
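Review bot: Adding isDeprecatedFlexItem() to the return expression of avoidsFloats() changes float avoidance for every non-inline, non-floating, non-positioned child of a deprecated flexible box, while the only test in this revision is a crash test that dumps text. Add a layout test that records the geometry of a flex item next to a float so the intended rendering change is pinned down, and a short comment at the return line saying why flex items belong in this list.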

Modified: trunk/Source/WebCore/rendering/RenderBox.h (91385 => 91386)


--- trunk/Source/WebCore/rendering/RenderBox.h	2011-07-20 18:55:07 UTC (rev 91385)
+++ trunk/Source/WebCore/rendering/RenderBox.h	2011-07-20 19:01:55 UTC (rev 91386)
@@ -383,6 +383,8 @@
     virtual void markForPaginationRelayoutIfNeeded() { }
 
     bool isWritingModeRoot() const { return !parent() || parent()->style()->writingMode() != style()->writingMode(); }
+
+    bool isDeprecatedFlexItem() const { return !isInline() && !isFloatingOrPositioned() && parent() && parent()->isDeprecatedFlexibleBox(); }
     
     virtual int lineHeight(bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
     virtual int baselinePosition(FontBaseline, bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
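Review bot: isDeprecatedFlexItem() has no comment explaining why inline and floating or positioned children are excluded, and the name alone suggests any child of a deprecated flexible box. A one-line comment above the definition stating which children count as flex items would keep later callers from reading it more broadly than `!isInline() && !isFloatingOrPositioned()` allows. The body is also long for a one-line inline definition; consider moving it to RenderBox.cpp next to avoidsFloats(), its only caller in this change.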