Skip to site navigation (Press enter)

[webkit-changes] [92132] trunk

inferno Mon, 01 Aug 2011 11:03:14 -0700

Title: [92132] trunk

Revision: 92132
Author: infe...@chromium.org
Date: 2011-08-01 11:03:03 -0700 (Mon, 01 Aug 2011)

Log Message

Regression(82144): Crash in TrailingObjects::updateMidpointsForTrailingBoxes
https://bugs.webkit.org/show_bug.cgi?id=65137


Source/WebCore: 

Fix the looping condition to prevent trailingSpaceMidpoint from becoming negative.

Reviewed by Dave Hyatt.

Test: fast/block/update-midpoints-for-trailing-boxes-crash.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::TrailingObjects::updateMidpointsForTrailingBoxes):

LayoutTests: 

ASSERTION FAILED: trailingSpaceMidpoint >= 0

Reviewed by Dave Hyatt.

* fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt: Added.
* fast/block/update-midpoints-for-trailing-boxes-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp

Added Paths

trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt
trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (92131 => 92132)


--- trunk/LayoutTests/ChangeLog	2011-08-01 16:51:22 UTC (rev 92131)
+++ trunk/LayoutTests/ChangeLog	2011-08-01 18:03:03 UTC (rev 92132)
@@ -1,3 +1,15 @@
+2011-07-28  Abhishek Arya  <infe...@chromium.org>
+
+        Regression(82144): Crash in TrailingObjects::updateMidpointsForTrailingBoxes
+        https://bugs.webkit.org/show_bug.cgi?id=65137
+
+        ASSERTION FAILED: trailingSpaceMidpoint >= 0
+
+        Reviewed by Dave Hyatt.
+
+        * fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt: Added.
+        * fast/block/update-midpoints-for-trailing-boxes-crash.html: Added.
+
 2011-08-01  Csaba Osztrogonác  <o...@webkit.org>
 
         [Qt] Unreviewed gardening after r92127.

Added: trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt (0 => 92132)


--- trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash-expected.txt	2011-08-01 18:03:03 UTC (rev 92132)
@@ -0,0 +1 @@
+PASS, does not crash

Added: trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash.html (0 => 92132)


--- trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/update-midpoints-for-trailing-boxes-crash.html	2011-08-01 18:03:03 UTC (rev 92132)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.a {
+	display: table-cell;
+	white-space: nowrap;
+}
+.b {
+	padding-left: 4px;
+	white-space: pre-wrap;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<div class='a'>
+<span class='b'>PASS,</span>
+<span>
+<span>does not crash</span>
+<span class='b'></span>
+</span>
+</div>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (92131 => 92132)


--- trunk/Source/WebCore/ChangeLog	2011-08-01 16:51:22 UTC (rev 92131)
+++ trunk/Source/WebCore/ChangeLog	2011-08-01 18:03:03 UTC (rev 92132)
@@ -1,3 +1,17 @@
+2011-07-28  Abhishek Arya  <infe...@chromium.org>
+
+        Regression(82144): Crash in TrailingObjects::updateMidpointsForTrailingBoxes
+        https://bugs.webkit.org/show_bug.cgi?id=65137
+
+        Fix the looping condition to prevent trailingSpaceMidpoint from becoming negative.
+
+        Reviewed by Dave Hyatt.
+
+        Test: fast/block/update-midpoints-for-trailing-boxes-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::TrailingObjects::updateMidpointsForTrailingBoxes):
+
 2011-08-01  Benjamin Poulain  <benja...@webkit.org>
 
         [Qt] OpenGLShims does not build on ARM

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (92131 => 92132)


--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2011-08-01 16:51:22 UTC (rev 92131)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2011-08-01 18:03:03 UTC (rev 92132)
@@ -1838,7 +1838,7 @@
     if (lineMidpointState.numMidpoints % 2) {
         // Find the trailing space object's midpoint.
         int trailingSpaceMidpoint = lineMidpointState.numMidpoints - 1;
-        for ( ; trailingSpaceMidpoint >= 0 && lineMidpointState.midpoints[trailingSpaceMidpoint].m_obj != m_whitespace; --trailingSpaceMidpoint) { }
+        for ( ; trailingSpaceMidpoint > 0 && lineMidpointState.midpoints[trailingSpaceMidpoint].m_obj != m_whitespace; --trailingSpaceMidpoint) { }
         ASSERT(trailingSpaceMidpoint >= 0);
         if (collapseFirstSpace == CollapseFirstSpace)
             lineMidpointState.midpoints[trailingSpaceMidpoint].m_pos--;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes