Title: [180320] branches/safari-600.4.10-branch
- Revision
- 180320
- Author
- lforsch...@apple.com
- Date
- 2015-02-18 15:59:02 -0800 (Wed, 18 Feb 2015)
Log Message
Merged r179968. rdar://problem/19738568
Modified Paths
Added Paths
Diff
Modified: branches/safari-600.4.10-branch/LayoutTests/ChangeLog (180319 => 180320)
--- branches/safari-600.4.10-branch/LayoutTests/ChangeLog 2015-02-18 23:55:25 UTC (rev 180319)
+++ branches/safari-600.4.10-branch/LayoutTests/ChangeLog 2015-02-18 23:59:02 UTC (rev 180320)
@@ -1,5 +1,23 @@
2015-02-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r179968
+
+ 2015-02-11 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r179706
+
+ 2015-02-05 Maciej Stachowiak <m...@apple.com>
+
+ Crash due to failing to dirty a removed text node's line box
+ https://bugs.webkit.org/show_bug.cgi?id=136544
+
+ Reviewed by David Hyatt.
+
+ * fast/text/remove-text-node-linebox-not-dirty-crash-expected.txt: Added.
+ * fast/text/remove-text-node-linebox-not-dirty-crash.html: Added.
+
+2015-02-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r179959
2015-02-11 Lucas Forschler <lforsch...@apple.com>
Copied: branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash-expected.txt (from rev 179968, branches/safari-600.5-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash-expected.txt) (0 => 180320)
--- branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash-expected.txt (rev 0)
+++ branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash-expected.txt 2015-02-18 23:59:02 UTC (rev 180320)
@@ -0,0 +1,3 @@
+This test passes if it does not crash. bar
+
+
Copied: branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash.html (from rev 179968, branches/safari-600.5-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash.html) (0 => 180320)
--- branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash.html (rev 0)
+++ branches/safari-600.4.10-branch/LayoutTests/fast/text/remove-text-node-linebox-not-dirty-crash.html 2015-02-18 23:59:02 UTC (rev 180320)
@@ -0,0 +1,23 @@
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window._onload_ = function()
+{
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.firstChild.parentNode.removeChild(a.firstChild);
+ document.body.offsetTop;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+<div id="a">foo</div>
+<div></div>
+ This test passes if it does not crash. <output>
+<unknown>bar</output>
+<span id="b">
+<span><div style="display:inline-block"></div><br><br></span>
Modified: branches/safari-600.4.10-branch/Source/WebCore/ChangeLog (180319 => 180320)
--- branches/safari-600.4.10-branch/Source/WebCore/ChangeLog 2015-02-18 23:55:25 UTC (rev 180319)
+++ branches/safari-600.4.10-branch/Source/WebCore/ChangeLog 2015-02-18 23:59:02 UTC (rev 180320)
@@ -1,5 +1,27 @@
2015-02-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r179968
+
+ 2015-02-11 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r179706
+
+ 2015-02-05 Maciej Stachowiak <m...@apple.com>
+
+ Crash due to failing to dirty a removed text node's line box
+ https://bugs.webkit.org/show_bug.cgi?id=136544
+
+ Reviewed by David Hyatt.
+
+ Test: fast/text/remove-text-node-linebox-not-dirty-crash.html
+
+ * rendering/RenderLineBoxList.cpp:
+ (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Make the check for dirtying the next
+ line box a bit more inclusive to avoid a case of a line box for a destroyed render object not
+ being dirtied. In particular, when the text node's parent has no line boxes but contains BRs.
+
+2015-02-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r179959
2015-02-11 Lucas Forschler <lforsch...@apple.com>
Modified: branches/safari-600.4.10-branch/Source/WebCore/rendering/RenderLineBoxList.cpp (180319 => 180320)
--- branches/safari-600.4.10-branch/Source/WebCore/rendering/RenderLineBoxList.cpp 2015-02-18 23:55:25 UTC (rev 180319)
+++ branches/safari-600.4.10-branch/Source/WebCore/rendering/RenderLineBoxList.cpp 2015-02-18 23:59:02 UTC (rev 180320)
@@ -396,7 +396,7 @@
// space, the search for |child|'s linebox will go past the leading space to the previous linebox and select that
// one as |box|. If we hit that situation here, dirty the |box| actually containing the child too.
bool insertedAfterLeadingSpace = box->lineBreakObj() == child->previousSibling();
- if (adjacentBox && (adjacentBox->lineBreakObj() == child || child->isBR() || (curr && curr->isBR())
+ if (adjacentBox && (adjacentBox->lineBreakObj()->isDescendantOf(child) || child->isBR() || (curr && curr->isBR())
|| insertedAfterLeadingSpace || isIsolated(container->style().unicodeBidi())))
adjacentBox->markDirty();
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
