Title: [138974] trunk
Revision
138974
Author
[email protected]
Date
2013-01-07 11:52:02 -0800 (Mon, 07 Jan 2013)

Log Message

Unreviewed, rolling out r137632.
http://trac.webkit.org/changeset/137632
https://bugs.webkit.org/show_bug.cgi?id=106237

Caused major security regressions on ClusterFuzz (Requested by
inferno-sec on #webkit).

Patch by Sheriff Bot <[email protected]> on 2013-01-07

Source/WebCore:

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::startDelayUpdateScrollInfo):
(WebCore::RenderBlock::finishDelayUpdateScrollInfo):

LayoutTests:

* mathml/mo-stretch-crash-expected.txt: Removed.
* mathml/mo-stretch-crash.html: Removed.

Diff

Modified: trunk/LayoutTests/ChangeLog (138973 => 138974)


--- trunk/LayoutTests/ChangeLog	2013-01-07 19:52:01 UTC (rev 138973)
+++ trunk/LayoutTests/ChangeLog	2013-01-07 19:52:02 UTC (rev 138974)
@@ -1,3 +1,15 @@
+2013-01-07  Sheriff Bot  <[email protected]>
+
+        Unreviewed, rolling out r137632.
+        http://trac.webkit.org/changeset/137632
+        https://bugs.webkit.org/show_bug.cgi?id=106237
+
+        Caused major security regressions on ClusterFuzz (Requested by
+        inferno-sec on #webkit).
+
+        * mathml/mo-stretch-crash-expected.txt: Removed.
+        * mathml/mo-stretch-crash.html: Removed.
+
 2013-01-07  Dimitri Glazkov  <[email protected]>
 
         [Chromium] Rebaseline svg/W3C-SVG-1.1/paths-data-03-f.svg.

Deleted: trunk/LayoutTests/mathml/mo-stretch-crash-expected.txt (138973 => 138974)


--- trunk/LayoutTests/mathml/mo-stretch-crash-expected.txt	2013-01-07 19:52:01 UTC (rev 138973)
+++ trunk/LayoutTests/mathml/mo-stretch-crash-expected.txt	2013-01-07 19:52:02 UTC (rev 138974)
@@ -1,2 +0,0 @@
-This test passes if it does not crash.
-

Deleted: trunk/LayoutTests/mathml/mo-stretch-crash.html (138973 => 138974)


--- trunk/LayoutTests/mathml/mo-stretch-crash.html	2013-01-07 19:52:01 UTC (rev 138973)
+++ trunk/LayoutTests/mathml/mo-stretch-crash.html	2013-01-07 19:52:02 UTC (rev 138974)
@@ -1,30 +0,0 @@
-<!DOCTYPE html>
-<q id=quote></q>
-<dd id=dd>
-<body id=body>
-    <style>
-        dd, q, mfenced, div {
-            width: 7px;
-            overflow-y: auto;
-            padding-left: 100%;
-        }
-    </style>
-    <script>
-        if (window.testRunner)
-            testRunner.dumpAsText();
-
-        body.contentEditable = "true";
-        function crash() {
-            mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
-            div = document.createElement("div");
-            mfenced.appendChild(div);
-            dd.appendChild(mfenced);
-            body.style.display = "-webkit-flex";
-            div.appendChild(quote);
-        }
-        window.addEventListener("load", crash, false);
-    </script>
-
-This test passes if it does not crash.
-</body>
-</dd>

Modified: trunk/Source/WebCore/ChangeLog (138973 => 138974)


--- trunk/Source/WebCore/ChangeLog	2013-01-07 19:52:01 UTC (rev 138973)
+++ trunk/Source/WebCore/ChangeLog	2013-01-07 19:52:02 UTC (rev 138974)
@@ -1,3 +1,16 @@
+2013-01-07  Sheriff Bot  <[email protected]>
+
+        Unreviewed, rolling out r137632.
+        http://trac.webkit.org/changeset/137632
+        https://bugs.webkit.org/show_bug.cgi?id=106237
+
+        Caused major security regressions on ClusterFuzz (Requested by
+        inferno-sec on #webkit).
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::startDelayUpdateScrollInfo):
+        (WebCore::RenderBlock::finishDelayUpdateScrollInfo):
+
 2013-01-07  Victor Carbune  <[email protected]>
 
         [Track] Rendering crash

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (138973 => 138974)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2013-01-07 19:52:01 UTC (rev 138973)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2013-01-07 19:52:02 UTC (rev 138974)
@@ -1286,8 +1286,8 @@
 
 void RenderBlock::startDelayUpdateScrollInfo()
 {
-    if (!gDelayedUpdateScrollInfoSet) {
-        ASSERT(!gDelayUpdateScrollInfo);
+    if (gDelayUpdateScrollInfo == 0) {
+        ASSERT(!gDelayedUpdateScrollInfoSet);
         gDelayedUpdateScrollInfoSet = new DelayedUpdateScrollInfoSet;
     }
     ASSERT(gDelayedUpdateScrollInfoSet);
@@ -1301,22 +1301,15 @@
     if (gDelayUpdateScrollInfo == 0) {
         ASSERT(gDelayedUpdateScrollInfoSet);
 
-        Vector<RenderBlock*> infoSet;
-        while (gDelayedUpdateScrollInfoSet && gDelayedUpdateScrollInfoSet->size()) {
-            copyToVector(*gDelayedUpdateScrollInfoSet, infoSet);
-            for (Vector<RenderBlock*>::iterator it = infoSet.begin(); it != infoSet.end(); ++it) {
-                RenderBlock* block = *it;
-                // |block| may have been destroyed at this point, but then it will have been removed from gDelayedUpdateScrollInfoSet.
-                if (gDelayedUpdateScrollInfoSet && gDelayedUpdateScrollInfoSet->contains(block)) {
-                    gDelayedUpdateScrollInfoSet->remove(block);
-                    if (block->hasOverflowClip())
-                        block->layer()->updateScrollInfoAfterLayout();
-                }
+        OwnPtr<DelayedUpdateScrollInfoSet> infoSet(adoptPtr(gDelayedUpdateScrollInfoSet));
+        gDelayedUpdateScrollInfoSet = 0;
+
+        for (DelayedUpdateScrollInfoSet::iterator it = infoSet->begin(); it != infoSet->end(); ++it) {
+            RenderBlock* block = *it;
+            if (block->hasOverflowClip()) {
+                block->layer()->updateScrollInfoAfterLayout();
             }
         }
-        delete gDelayedUpdateScrollInfoSet;
-        gDelayedUpdateScrollInfoSet = 0;
-        ASSERT(!gDelayUpdateScrollInfo);
     }
 }
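Review bot: On the new side of the second RenderBlock.cpp hunk, the loop in finishDelayUpdateScrollInfo dereferences each `RenderBlock*` from `infoSet` with no guard against a block having been destroyed by an earlier iteration's `updateScrollInfoAfterLayout()`; the removed lines show that r137632 re-checked membership in the live global set for exactly that case. Because `gDelayedUpdateScrollInfoSet` is set to 0 before the loop, any removal a destroyed block performs on its way out (that destructor path is not visible in this hunk) would presumably miss the detached `infoSet`, leaving a stale pointer for a later iteration. Since this is a rollback driven by ClusterFuzz regressions in the replacement, reinstating the older behaviour is understandable, but the open issue should be recorded on the loop, e.g. `// FIXME: updateScrollInfoAfterLayout() may destroy blocks that are still in infoSet; see https://bugs.webkit.org/show_bug.cgi?id=106237` so the next attempt at bug 106237 starts from this hunk. Note also that the only regression test for that crash (mathml/mo-stretch-crash.html) is removed by this same commit, so nothing now guards the reverted code path. The enclosing function's signature is above the hunk.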
 