[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
inferno at chromium.org
inferno at chromium.org
Wed Dec 22 11:22:17 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit cd4a9aaf7f62c46f4fb41d0c99c01200d40fe370
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Jul 20 20:37:15 2010 +0000
2010-07-20 Leo Yang <leo.yang at torchmobile.com.cn>
Reviewed by David Hyatt.
Don't merge Anonymous block whose first child is inline run-in.
Make run-in recalculate its style after its renderer is destroyed.
https://bugs.webkit.org/show_bug.cgi?id=41375.
Test: fast/runin/crash-when-reparent-sibling.html
* rendering/RenderBlock.cpp:
(WebCore::canMergeContiguousAnonymousBlocks):
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::destroyLeftoverChildren):
2010-07-20 Leo Yang <leo.yang at torchmobile.com.cn>
Reviewed by David Hyatt.
Test case to verify https://bugs.webkit.org/show_bug.cgi?id=41375.
Test passes if expected result occurs without crash.
https://bugs.webkit.org/show_bug.cgi?id=41375.
* fast/runin/crash-when-reparent-sibling-expected.txt: Added.
* fast/runin/crash-when-reparent-sibling.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63772 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9910e1b..e27a3cc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-07-20 Leo Yang <leo.yang at torchmobile.com.cn>
+
+ Reviewed by David Hyatt.
+
+ Test case to verify https://bugs.webkit.org/show_bug.cgi?id=41375.
+ Test passes if expected result occurs without crash.
+ https://bugs.webkit.org/show_bug.cgi?id=41375.
+
+ * fast/runin/crash-when-reparent-sibling-expected.txt: Added.
+ * fast/runin/crash-when-reparent-sibling.html: Added.
+
2010-07-20 Alexey Proskuryakov <ap at apple.com>
Reviewed by Brady Eidson.
diff --git a/LayoutTests/fast/runin/crash-when-reparent-sibling-expected.txt b/LayoutTests/fast/runin/crash-when-reparent-sibling-expected.txt
new file mode 100644
index 0000000..bf92d92
--- /dev/null
+++ b/LayoutTests/fast/runin/crash-when-reparent-sibling-expected.txt
@@ -0,0 +1,5 @@
+PASS
+Output:
+block sibling
+run-in
+block child
diff --git a/LayoutTests/fast/runin/crash-when-reparent-sibling.html b/LayoutTests/fast/runin/crash-when-reparent-sibling.html
new file mode 100644
index 0000000..973b12e
--- /dev/null
+++ b/LayoutTests/fast/runin/crash-when-reparent-sibling.html
@@ -0,0 +1,45 @@
+<html>
+ <head>
+ <script>
+ function runTest()
+ {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ // Create a run-in.
+ var elem = document.createElement("div");
+ elem.id = "run-in";
+ elem.innerHTML = "run-in";
+ elem.setAttribute("style", "display: run-in");
+ document.body.appendChild(elem);
+
+ // Create a sibling block to the run-in.
+ elem = document.createElement("div");
+ elem.id = "block-sibling";
+ elem.innerHTML = "block sibling";
+ document.body.appendChild(elem);
+
+ // Trigger a re-paint.
+ document.body.offsetTop;
+
+ // Add a block child to the run-in.
+ elem = document.createElement("div");
+ elem.innerHTML = "block child";
+ elem.setAttribute("style", "display: table");
+ document.getElementById("run-in").appendChild(elem);
+
+ // Trigger a re-paint.
+ document.body.offsetTop;
+
+ // Reparent the run-in's sibling block.
+ document.getElementById("output").appendChild(document.getElementById("block-sibling"));
+ document.getElementById("result").innerHTML = "PASS";
+ }
+ </script>
+ </head>
+ <body onload="runTest()">
+ <div id="result"></div>
+ Output: <br/>
+ <div id="output"></div>
+ </body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4090d3c..5aa6bb6 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-07-20 Leo Yang <leo.yang at torchmobile.com.cn>
+
+ Reviewed by David Hyatt.
+
+ Don't merge Anonymous block whose first child is inline run-in.
+ Make run-in recalculate its style after its renderer is destroyed.
+ https://bugs.webkit.org/show_bug.cgi?id=41375.
+
+ Test: fast/runin/crash-when-reparent-sibling.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::canMergeContiguousAnonymousBlocks):
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::destroyLeftoverChildren):
+
2010-07-20 Steve Block <steveblock at google.com>
Unreviewed Qt test fix.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 1e51bc1..e8b5822 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -3,6 +3,7 @@
* (C) 1999 Antti Koivisto (koivisto at kde.org)
* (C) 2007 David Smith (catfish.man at gmail.com)
* Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2010. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -936,6 +937,10 @@ static bool canMergeContiguousAnonymousBlocks(RenderObject* oldChild, RenderObje
|| (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation())))
return false;
+ // FIXME: This check isn't required when inline run-ins can't be split into continuations.
+ if (prev && prev->firstChild() && prev->firstChild()->isInline() && prev->firstChild()->isRunIn())
+ return false;
+
#if ENABLE(RUBY)
if ((prev && (prev->isRubyRun() || prev->isRubyBase()))
|| (next && (next->isRubyRun() || next->isRubyBase())))
diff --git a/WebCore/rendering/RenderObjectChildList.cpp b/WebCore/rendering/RenderObjectChildList.cpp
index 323dc20..68e392c 100644
--- a/WebCore/rendering/RenderObjectChildList.cpp
+++ b/WebCore/rendering/RenderObjectChildList.cpp
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2010. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -44,7 +45,11 @@ void RenderObjectChildList::destroyLeftoverChildren()
while (firstChild()) {
if (firstChild()->isListMarker() || (firstChild()->style()->styleType() == FIRST_LETTER && !firstChild()->isText()))
firstChild()->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
- else {
+ else if (firstChild()->isRunIn() && firstChild()->node()) {
+ firstChild()->node()->setRenderer(0);
+ firstChild()->node()->setNeedsStyleRecalc();
+ firstChild()->destroy();
+ } else {
// Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
if (firstChild()->node())
firstChild()->node()->setRenderer(0);
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list