Title: [123791] branches/safari-536.26-branch
- Revision
- 123791
- Author
- lforsch...@apple.com
- Date
- 2012-07-26 14:00:45 -0700 (Thu, 26 Jul 2012)
Log Message
Merged r116325. <rdar://problem/11942095>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (123790 => 123791)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-26 20:54:15 UTC (rev 123790)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-26 21:00:45 UTC (rev 123791)
@@ -1,3 +1,17 @@
+2012-07-26 Lucas Forschler <lforsch...@apple.com>
+
+ Merge 116325
+
+ 2012-05-07 Abhishek Arya <infe...@chromium.org>
+
+ Crash in RenderBlock::updateFirstLetterStyle.
+ https://bugs.webkit.org/show_bug.cgi?id=85759
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/css-generated-content/first-letter-next-sibling-crash-expected.txt: Added.
+ * fast/css-generated-content/first-letter-next-sibling-crash.html: Added.
+
2012-06-19 Lucas Forschler <lforsch...@apple.com>
Merge 120642
Copied: branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt (from rev 116325, trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt) (0 => 123791)
--- branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash-expected.txt 2012-07-26 21:00:45 UTC (rev 123791)
@@ -0,0 +1,2 @@
+WebKit Bug 85759 - Crash in RenderBlock::updateFirstLetterStyle.
+PASS if test does not crash.
Copied: branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html (from rev 116325, trunk/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html) (0 => 123791)
--- branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/css-generated-content/first-letter-next-sibling-crash.html 2012-07-26 21:00:45 UTC (rev 123791)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<style>
+.absolutePosition { position: fixed; }
+.float:before { float: right; content: ''; }
+.float:first-letter { float: right; }
+.inline::first-letter { content: ''; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function startTest() {
+ document.body.offsetTop;
+ var parent = document.getElementById("parent");
+ var child = document.getElementById("child");
+ child.setAttribute('class', 'inline');
+ document.body.offsetTop;
+ parent.removeChild(child);
+ document.body.offsetTop;
+ parent.setAttribute('class', 'inline');
+}
+window._onload_ = startTest;
+</script>
+WebKit Bug 85759 - Crash in RenderBlock::updateFirstLetterStyle.
+<div class="float" id="parent">
+<div class="absolutePosition" id="child"></div>
+PASS if test does not crash.
+</div>
+</html>
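Review bot: the handler assignment `window._onload_ = startTest;` will never fire as written, since `_onload_` is not a DOM event property; if this is the literal test source rather than list-archive mangling of `window.onload`, the test loads, dumps text and exits without ever executing `startTest()`, so it would report PASS even on a build that still crashes. Verify the checked-in file reads `window.onload = startTest;` (or uses `addEventListener('load', startTest)`), and consider asserting in the expected output that the mutation sequence actually ran, since "PASS if test does not crash" alone cannot distinguish a fixed build from a test that silently did nothing.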
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (123790 => 123791)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-26 20:54:15 UTC (rev 123790)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-26 21:00:45 UTC (rev 123791)
@@ -1,3 +1,23 @@
+2012-07-26 Lucas Forschler <lforsch...@apple.com>
+
+ Merge 116325
+
+ 2012-05-07 Abhishek Arya <infe...@chromium.org>
+
+ Crash in RenderBlock::updateFirstLetterStyle.
+ https://bugs.webkit.org/show_bug.cgi?id=85759
+
+ Reviewed by Julien Chaffraix.
+
+ Test: fast/css-generated-content/first-letter-next-sibling-crash.html
+
+ RenderBlock::removeChild can bring up the children from last single anonymous block,
+ causing |nextSibling| in RenderBlock::updateFirstLetterStyle to go stale. We prevent
+ this by removing the child safely using removeChildNode before destroying it.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::updateFirstLetterStyle):
+
2012-06-22 Lucas Forschler <lforsch...@apple.com>
Rollout 121034
Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderBlock.cpp (123790 => 123791)
--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-07-26 20:54:15 UTC (rev 123790)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderBlock.cpp 2012-07-26 21:00:45 UTC (rev 123791)
@@ -5938,6 +5938,9 @@
remainingText->setFirstLetter(newFirstLetter);
toRenderBoxModelObject(newFirstLetter)->setFirstLetterRemainingText(remainingText);
}
+ // To prevent removal of single anonymous block in RenderBlock::removeChild and causing
+ // |nextSibling| to go stale, we remove the old first letter using removeChildNode first.
+ firstLetterContainer->virtualChildren()->removeChildNode(firstLetterContainer, firstLetter);
firstLetter->destroy();
firstLetter = newFirstLetter;
firstLetterContainer->addChild(firstLetter, nextSibling);
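Review bot: `firstLetterContainer->virtualChildren()->removeChildNode(...)` dereferences the result of `virtualChildren()` unconditionally; if `firstLetterContainer` can ever be a renderer type that has no children list, this line turns the original stale-pointer crash into a null dereference, so either guard it or add an ASSERT documenting that the container is always a block or inline with a children list. It is also worth a sentence in the comment that detaching with `removeChildNode` is deliberately bypassing `RenderBlock::removeChild`'s anonymous-block collapsing so the subsequent `firstLetter->destroy()` cannot reshuffle siblings, and confirming that `destroy()` tolerates a renderer whose parent has already been cleared by the detach, since the later `addChild(firstLetter, nextSibling)` still relies on `nextSibling` being a live child of the same container.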
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes