[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org
Wed Dec 22 13:50:45 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 4d1702c2cf8b4f99fccd2187f89b558982b89807
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Sep 28 05:01:40 2010 +0000

    2010-09-27  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dan Bernstein.
    
            When the block RunIn is destroyed, its line box tree is not deleted. As a result, it
            gets later used during dirtying of inline text boxes step where this deleted parent is
            accessed. The fix is to delete the line box tree before destroying the runin block.
    
            https://bugs.webkit.org/show_bug.cgi?id=46376
    
            Test: fast/text/dirty-inline-textbox-crash.html
    
            * rendering/RenderText.cpp:
            (WebCore::RenderText::dirtyLineBoxes):
    2010-09-27  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dan Bernstein.
    
            Tests we do not crash on ASSERT(!m_hasBadParent) when dirtying
            the inline textboxes.
            https://bugs.webkit.org/show_bug.cgi?id=46376
    
            * fast/text/dirty-inline-textbox-crash-expected.txt: Added.
            * fast/text/dirty-inline-textbox-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68485 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6f174c0..b4c7c9e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-09-27  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dan Bernstein.
+
+        Tests we do not crash on ASSERT(!m_hasBadParent) when dirtying 
+        the inline textboxes.
+        https://bugs.webkit.org/show_bug.cgi?id=46376
+
+        * fast/text/dirty-inline-textbox-crash-expected.txt: Added.
+        * fast/text/dirty-inline-textbox-crash.html: Added.
+
 2010-09-27 MORITA Hajime  <morrita at google.com>
 
         Unreviewed, added an expectation.
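Review bot: the first description line of the new entry ends in trailing whitespace after "dirtying", and "Tests we do not crash" would read more clearly as "Tests that we do not crash". Both are worth cleaning up here, since the same ChangeLog text is reused in the commit message.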
diff --git a/LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt b/LayoutTests/fast/text/dirty-inline-textbox-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt
copy to LayoutTests/fast/text/dirty-inline-textbox-crash-expected.txt
diff --git a/LayoutTests/fast/text/dirty-inline-textbox-crash.html b/LayoutTests/fast/text/dirty-inline-textbox-crash.html
new file mode 100644
index 0000000..d0cc04b
--- /dev/null
+++ b/LayoutTests/fast/text/dirty-inline-textbox-crash.html
@@ -0,0 +1,21 @@
+<html>
+    <head>
+        <style>
+            .box
+            {
+                display: run-in; 
+                -webkit-padding-start: 10000;
+            }
+        </style>
+    </head>
+    <body>
+        <div class="box">PASS</div>
+        <div class="box"></div>
+        <div class="box"></div>
+        <div></div>
+        <script>
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+        </script>
+    </body>
+</html>
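Review bot: in the `.box` rule, `-webkit-padding-start: 10000;` has no unit and the file has no doctype, so the declaration only takes effect if the parser accepts a unitless length in quirks mode. Write `10000px` so the test does not depend on the parsing mode. The file also has no comment saying what it checks; a one-line description naming bug 46376 and the ASSERT(!m_hasBadParent) condition would help whoever triages a later failure. The `display: run-in; ` line has trailing whitespace.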
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 551ff17..19b8c37 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-09-27  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dan Bernstein.
+
+        When the block RunIn is destroyed, its line box tree is not deleted. As a result, it
+        gets later used during dirtying of inline text boxes step where this deleted parent is
+        accessed. The fix is to delete the line box tree before destroying the runin block.
+
+        https://bugs.webkit.org/show_bug.cgi?id=46376
+
+        Test: fast/text/dirty-inline-textbox-crash.html
+
+        * rendering/RenderText.cpp:
+        (WebCore::RenderText::dirtyLineBoxes):
+
 2010-09-27  Eric Uhrhane  <ericu at chromium.org>
 
         Reviewed by David Levin.
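Review bot: the file list at the end of the new entry names `rendering/RenderText.cpp` and `(WebCore::RenderText::dirtyLineBoxes)`, but the only source change in this commit is to `WebCore/rendering/RenderBlock.cpp`, inside `RenderBlock::handleRunInChild`. The entry should list `* rendering/RenderBlock.cpp:` and `(WebCore::RenderBlock::handleRunInChild):` so the history points at the function that was changed. Going by the description, the dirtying step is where the deleted parent is reached, not where the fix was made.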
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index c1ee2ea..1dba16c 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -1454,7 +1454,8 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
     if (runInNode)
         runInNode->setRenderer(inlineRunIn);
 
-    // Destroy the block run-in.
+    // Destroy the block run-in, which includes deleting its line box tree.
+    blockRunIn->deleteLineBoxTree();
     blockRunIn->destroy();
 
     // The block acts like an inline, so just null out its
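Review bot: the new comment above `blockRunIn->deleteLineBoxTree();` says destroying the run-in "includes deleting its line box tree", but the hunk adds that deletion as a separate explicit call before `blockRunIn->destroy();`, so the comment reads as if destroy() already did it. Suggest stating the ordering requirement instead: the line box tree has to be deleted first so that no inline text box is left pointing at the destroyed block. Since the fix sits at this one call site, it is also worth confirming whether other paths that destroy a block with live line boxes need the same call, or whether the deletion belongs in the destroy path itself.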

-- 
WebKit Debian packaging


