[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
mitz at apple.com
Wed Dec 22 12:45:11 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit f2a5175e95957fce3045c271c766182baeafd015
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Aug 28 17:02:06 2010 +0000
Speculative fix for <rdar://problem/7275077> Crash in InlineBox::root() under RenderTextControl::textWithHardLineBreaks()
https://bugs.webkit.org/show_bug.cgi?id=44816
Reviewed by Simon Fraser.
No test because I could not reproduce the crash.
In a common variant of the crash, InlineBox::root() is called with this == 12. This suggests that
a RenderInline* was cast into a RenderBox*, so RenderBox::inlineBoxWrapper() interpreted the
m_lineHeight and m_verticalPosition members of a RenderInline as a pointer to an InlineBox.
The cast into RenderBox* in textWithHardLineBreaks() was introduced in r40881 with no explanation.
* rendering/RenderTextControl.cpp:
(WebCore::RenderTextControl::textWithHardLineBreaks): Fetch the first line directly from the inner
text block instead of relying on the first child being a text node.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66309 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 8291680..0f6ec65 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-08-28 Dan Bernstein <mitz at apple.com>
+
+ Reviewed by Simon Fraser.
+
+ Speculative fix for <rdar://problem/7275077> Crash in InlineBox::root() under RenderTextControl::textWithHardLineBreaks()
+ https://bugs.webkit.org/show_bug.cgi?id=44816
+
+ No test because I could not reproduce the crash.
+
+ In a common variant of the crash, InlineBox::root() is called with this == 12. This suggests that
+ a RenderInline* was cast into a RenderBox*, so RenderBox::inlineBoxWrapper() interpreted the
+ m_lineHeight and m_verticalPosition members of a RenderInline as a pointer to an InlineBox.
+
+ The cast into RenderBox* in textWithHardLineBreaks() was introduced in r40881 with no exaplanation.
+
+ * rendering/RenderTextControl.cpp:
+ (WebCore::RenderTextControl::textWithHardLineBreaks): Fetch the first line directly from the inner
+ text block instead of relying on the first child being a text node.
+
2010-08-28 Moritz Lipp <mlq at pwmt.org>
Reviewed by Xan Lopez.
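Review bot: typo in the new ChangeLog entry, "with no exaplanation" should read "with no explanation" (the paragraph starting "The cast into RenderBox* in textWithHardLineBreaks()"). The entry also records that no regression test was added because the crash could not be reproduced; since the fix is explicitly speculative, it would help future readers to note in the same entry what evidence would confirm it (for example, the absence of further InlineBox::root() crash reports with a small this pointer) so the speculative status is not lost once the entry is buried in the log.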
diff --git a/WebCore/rendering/RenderTextControl.cpp b/WebCore/rendering/RenderTextControl.cpp
index 9098bab..e66e4ed 100644
--- a/WebCore/rendering/RenderTextControl.cpp
+++ b/WebCore/rendering/RenderTextControl.cpp
@@ -355,26 +355,22 @@ String RenderTextControl::textWithHardLineBreaks()
{
if (!m_innerText)
return "";
- Node* firstChild = m_innerText->firstChild();
- if (!firstChild)
- return "";
- RenderObject* renderer = firstChild->renderer();
+ RenderBlock* renderer = toRenderBlock(m_innerText->renderer());
if (!renderer)
return "";
- InlineBox* box = renderer->isText() ? toRenderText(renderer)->firstTextBox() : toRenderBox(renderer)->inlineBoxWrapper();
- if (!box)
- return "";
-
Node* breakNode;
unsigned breakOffset;
- RootInlineBox* line = box->root();
+ RootInlineBox* line = renderer->firstRootBox();
+ if (!line)
+ return "";
+
getNextSoftBreak(line, breakNode, breakOffset);
Vector<UChar> result;
- for (Node* n = firstChild; n; n = n->traverseNextNode(m_innerText.get())) {
+ for (Node* n = m_innerText->firstChild(); n; n = n->traverseNextNode(m_innerText.get())) {
if (n->hasTagName(brTag))
result.append(&newlineCharacter, 1);
else if (n->isTextNode()) {
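Review bot: the new line `RenderBlock* renderer = toRenderBlock(m_innerText->renderer());` performs the downcast before the `if (!renderer)` check, and, like the `toRenderBox(renderer)` it replaces, it assumes the renderer is of the expected type; the null check on the following line guards only against a missing renderer, not a wrong type, which is exactly the class of type confusion the description blames for the bad `this == 12` pointer. Consider adding a comment (or an assertion on `m_innerText->renderer()->isRenderBlock()` before the cast) stating why the inner text element's renderer is guaranteed to be a RenderBlock here, so that the fix does not silently trade one unchecked cast for another. The rest of the hunk is an improvement: fetching the first line via `renderer->firstRootBox()` and bailing out on `if (!line)` removes the dependency on the first child being a text node, and the loop now starts from `m_innerText->firstChild()` directly, so the deleted `firstChild` local is no longer needed.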