[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
rolandsteiner at chromium.org
rolandsteiner at chromium.org
Thu Feb 4 21:21:15 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 2175198dc2404edb0a9df0d64a0334022a203075
Author: rolandsteiner at chromium.org <rolandsteiner at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jan 20 07:46:52 2010 +0000
Bug 33266 - WebCore::InlineFlowBox::determineSpacingForFlowBoxes ReadAV at NULL (43c64e8abbda6766e5f5edbd254c2d57)
(https://bugs.webkit.org/show_bug.cgi?id=33266)
Reviewed by Dan Bernstein.
WebCore:
Ruby did not handle malformed cases correctly when the ruby base was in
block flow. Changed the code to handle all possible cases.
Also, added some simplification methods to RenderBlock.
Tests: fast/ruby/ruby-illegal-1.html
fast/ruby/ruby-illegal-2.html
fast/ruby/ruby-illegal-3.html
fast/ruby/ruby-illegal-4.html
fast/ruby/ruby-illegal-5.html
fast/ruby/ruby-illegal-6.html
fast/ruby/ruby-illegal-7.html
fast/ruby/ruby-illegal-combined.html
fast/ruby/rubyDOM-insert-rt-block-1.html
fast/ruby/rubyDOM-insert-rt-block-2.html
fast/ruby/rubyDOM-insert-rt-block-3.html
fast/ruby/rubyDOM-remove-rt-block-1.html
fast/ruby/rubyDOM-remove-rt-block-2.html
fast/ruby/rubyDOM-remove-rt-block-3.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::moveAllChildrenTo): useful for anonymous block manipulation
(WebCore::RenderBlock::removeChild): making use of moveAllChildrenTo
* rendering/RenderBlock.h:
* rendering/RenderRubyBase.cpp:
(WebCore::RenderRubyBase::hasOnlyWrappedInlineChildren):
(WebCore::RenderRubyBase::moveChildren):
(WebCore::RenderRubyBase::moveInlineChildren):
(WebCore::RenderRubyBase::moveBlockChildren):
(WebCore::RenderRubyBase::mergeBlockChildren):
* rendering/RenderRubyBase.h:
* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::addChild):
(WebCore::RenderRubyRun::removeChild):
LayoutTests:
Layout tests for ruby with malformed HTML.
Split up in individual tests, as well ass added a single combined test
(whose resulting render tree is probably completely different from what
you'd expect), since that combined test showed additional issues not
covered by the individual tests.
* fast/ruby/ruby-illegal-1-expected.txt: Added.
* fast/ruby/ruby-illegal-1.html: Added.
* fast/ruby/ruby-illegal-2-expected.txt: Added.
* fast/ruby/ruby-illegal-2.html: Added.
* fast/ruby/ruby-illegal-3-expected.txt: Added.
* fast/ruby/ruby-illegal-3.html: Added.
* fast/ruby/ruby-illegal-4-expected.txt: Added.
* fast/ruby/ruby-illegal-4.html: Added.
* fast/ruby/ruby-illegal-5-expected.txt: Added.
* fast/ruby/ruby-illegal-5.html: Added.
* fast/ruby/ruby-illegal-6-expected.txt: Added.
* fast/ruby/ruby-illegal-6.html: Added.
* fast/ruby/ruby-illegal-7-expected.txt: Added.
* fast/ruby/ruby-illegal-7.html: Added.
* fast/ruby/ruby-illegal-combined-expected.txt: Added.
* fast/ruby/ruby-illegal-combined.html: Added.
* fast/ruby/ruby-illegal-expected.txt: Removed.
* fast/ruby/ruby-illegal.html: Removed.
* fast/ruby/rubyDOM-insert-rt-block-1-expected.txt: Added.
* fast/ruby/rubyDOM-insert-rt-block-1.html: Added.
* fast/ruby/rubyDOM-insert-rt-block-2-expected.txt: Added.
* fast/ruby/rubyDOM-insert-rt-block-2.html: Added.
* fast/ruby/rubyDOM-insert-rt-block-3-expected.txt: Added.
* fast/ruby/rubyDOM-insert-rt-block-3.html: Added.
* fast/ruby/rubyDOM-remove-rt-block-1-expected.txt: Added.
* fast/ruby/rubyDOM-remove-rt-block-1.html: Added.
* fast/ruby/rubyDOM-remove-rt-block-2-expected.txt: Added.
* fast/ruby/rubyDOM-remove-rt-block-2.html: Added.
* fast/ruby/rubyDOM-remove-rt-block-3-expected.txt: Added.
* fast/ruby/rubyDOM-remove-rt-block-3.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53525 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 308c067..f42c3ec 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,47 @@
+2010-01-20 Roland Steiner <rolandsteiner at chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ Bug 33266 - WebCore::InlineFlowBox::determineSpacingForFlowBoxes ReadAV at NULL (43c64e8abbda6766e5f5edbd254c2d57)
+ (https://bugs.webkit.org/show_bug.cgi?id=33266)
+
+ Layout tests for ruby with malformed HTML.
+ Split up in individual tests, as well ass added a single combined test
+ (whose resulting render tree is probably completely different from what
+ you'd expect), since that combined test showed additional issues not
+ covered by the individual tests.
+
+ * fast/ruby/ruby-illegal-1-expected.txt: Added.
+ * fast/ruby/ruby-illegal-1.html: Added.
+ * fast/ruby/ruby-illegal-2-expected.txt: Added.
+ * fast/ruby/ruby-illegal-2.html: Added.
+ * fast/ruby/ruby-illegal-3-expected.txt: Added.
+ * fast/ruby/ruby-illegal-3.html: Added.
+ * fast/ruby/ruby-illegal-4-expected.txt: Added.
+ * fast/ruby/ruby-illegal-4.html: Added.
+ * fast/ruby/ruby-illegal-5-expected.txt: Added.
+ * fast/ruby/ruby-illegal-5.html: Added.
+ * fast/ruby/ruby-illegal-6-expected.txt: Added.
+ * fast/ruby/ruby-illegal-6.html: Added.
+ * fast/ruby/ruby-illegal-7-expected.txt: Added.
+ * fast/ruby/ruby-illegal-7.html: Added.
+ * fast/ruby/ruby-illegal-combined-expected.txt: Added.
+ * fast/ruby/ruby-illegal-combined.html: Added.
+ * fast/ruby/ruby-illegal-expected.txt: Removed.
+ * fast/ruby/ruby-illegal.html: Removed.
+ * fast/ruby/rubyDOM-insert-rt-block-1-expected.txt: Added.
+ * fast/ruby/rubyDOM-insert-rt-block-1.html: Added.
+ * fast/ruby/rubyDOM-insert-rt-block-2-expected.txt: Added.
+ * fast/ruby/rubyDOM-insert-rt-block-2.html: Added.
+ * fast/ruby/rubyDOM-insert-rt-block-3-expected.txt: Added.
+ * fast/ruby/rubyDOM-insert-rt-block-3.html: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-1-expected.txt: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-1.html: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-2-expected.txt: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-2.html: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-3-expected.txt: Added.
+ * fast/ruby/rubyDOM-remove-rt-block-3.html: Added.
+
2010-01-17 Jon Honeycutt <jhoneycutt at apple.com>
MSAA: The child <option> elements of a non-multiple <select> are not
diff --git a/LayoutTests/fast/ruby/ruby-illegal-1-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-1-expected.txt
new file mode 100644
index 0000000..ba26c51
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-1-expected.txt
@@ -0,0 +1,2 @@
+SUCCESS!
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-1.html b/LayoutTests/fast/ruby/ruby-illegal-1.html
new file mode 100644
index 0000000..2f7fbfa
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-1.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<blockQuote><ruby><i><noBR><form><input type=file></i>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-2-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-2-expected.txt
new file mode 100644
index 0000000..4d0868f
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-2-expected.txt
@@ -0,0 +1,3 @@
+SUCCESS!
+\x0e
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-2.html b/LayoutTests/fast/ruby/ruby-illegal-2.html
new file mode 100644
index 0000000..38a2758
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-2.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<ruby <table >\x0e
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-3-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-3-expected.txt
new file mode 100644
index 0000000..ff642cf
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-3-expected.txt
@@ -0,0 +1,3 @@
+SUCCESS!
+\x0f
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-3.html b/LayoutTests/fast/ruby/ruby-illegal-3.html
new file mode 100644
index 0000000..c87ed2b
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-3.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<ruby <table >\x0f<i
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-4-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-4-expected.txt
new file mode 100644
index 0000000..ba26c51
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-4-expected.txt
@@ -0,0 +1,2 @@
+SUCCESS!
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-4.html b/LayoutTests/fast/ruby/ruby-illegal-4.html
new file mode 100644
index 0000000..78d9390
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-4.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<samp><ruby <s<hr</samp>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-5-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-5-expected.txt
new file mode 100644
index 0000000..ba26c51
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-5-expected.txt
@@ -0,0 +1,2 @@
+SUCCESS!
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-5.html b/LayoutTests/fast/ruby/ruby-illegal-5.html
new file mode 100644
index 0000000..6d9c1d1
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-5.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<samp><ruby <s<r<blockQuote</samp>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-6-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-6-expected.txt
new file mode 100644
index 0000000..ba26c51
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-6-expected.txt
@@ -0,0 +1,2 @@
+SUCCESS!
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-6.html b/LayoutTests/fast/ruby/ruby-illegal-6.html
new file mode 100644
index 0000000..f916ac4
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-6.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<samp><ruby <s<hr<blockQuote</samp>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-7-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-7-expected.txt
new file mode 100644
index 0000000..68bf05c
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-7-expected.txt
@@ -0,0 +1,3 @@
+SUCCESS!
+>
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-7.html b/LayoutTests/fast/ruby/ruby-illegal-7.html
new file mode 100644
index 0000000..e364cfa
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-7.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) line mustn't crash the renderer -->
+<ruby>><table><rt>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-combined-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-combined-expected.txt
new file mode 100644
index 0000000..53927fa
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-combined-expected.txt
@@ -0,0 +1,6 @@
+SUCCESS!
+
+\x0e
+\x0f
+>
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal-combined.html b/LayoutTests/fast/ruby/ruby-illegal-combined.html
new file mode 100644
index 0000000..5525342
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-illegal-combined.html
@@ -0,0 +1,24 @@
+<html>
+<head>
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) lines mustn't crash the renderer -->
+<!-- Note: the resultant render tree isn't nearly what you'd probably expect! -->
+<div><blockQuote><ruby><i><noBR><form><input type=file></i></div>
+<div><ruby <table >\x0e</div>
+<div><ruby <table >\x0f<i</div>
+<div><samp><ruby <s<hr</samp></div>
+<div><samp><ruby <s<r<blockQuote</samp></div>
+<div><samp><ruby <s<hr<blockQuote</samp></div>
+<div><ruby>><table><rt></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/ruby-illegal-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-expected.txt
deleted file mode 100644
index 37f1c7b..0000000
--- a/LayoutTests/fast/ruby/ruby-illegal-expected.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-SUCCESS!
-
-\x0e
-\x0e
-
diff --git a/LayoutTests/fast/ruby/ruby-illegal.html b/LayoutTests/fast/ruby/ruby-illegal.html
deleted file mode 100644
index 0622514..0000000
--- a/LayoutTests/fast/ruby/ruby-illegal.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<html>
-<head>
-<script>
-function test()
-{
- if (window.layoutTestController)
- layoutTestController.dumpAsText();
- document.getElementById("result").firstChild.data = 'SUCCESS!';
-}
-</script>
-</head>
-<body onload="test()">
-<div id="result">FAILED!</div>
-<!-- The following malformed (!) lines mustn't crash the renderer -->
-<div><blockQuote><ruby><i><noBR><form><input type=file></i></div>
-<div><ruby <table >\x0e</div>
-<div><ruby <table >\x0e<i</div>
-<div><samp><ruby <s<hr</samp></div>
-<div><samp><ruby <s<r<blockQuote</samp></div>
-<div><samp><ruby <s<hr<blockQuote</samp></div>
-</body>
-</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1-expected.txt b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1-expected.txt
new file mode 100644
index 0000000..f4be8c6
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1-expected.txt
@@ -0,0 +1,9 @@
+SUCCESS!
+
+
+text
+new ruby text
+block
+more text
+ruby text
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1.html b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1.html
new file mode 100644
index 0000000..ec798cd
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-1.html
@@ -0,0 +1,28 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var block = document.getElementById('D');
+ var newRT = document.createElement('rt');
+ var newRTText = document.createTextNode('new ruby text');
+ newRT.appendChild(newRTText);
+ ruby.insertBefore(newRT, block);
+}
+</script>
+</head>
+<!-- Inserting a <rt> element, causing a split of block flow to inline flow and block flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">text <div id="D">block</div> more text<rt>ruby text</rt></ruby>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2-expected.txt b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2-expected.txt
new file mode 100644
index 0000000..830af93
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2-expected.txt
@@ -0,0 +1,9 @@
+SUCCESS!
+
+
+text
+block
+new ruby text
+more text
+ruby text
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2.html b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2.html
new file mode 100644
index 0000000..35b4d0f
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-2.html
@@ -0,0 +1,28 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var span = document.getElementById('S');
+ var newRT = document.createElement('rt');
+ var newRTText = document.createTextNode('new ruby text');
+ newRT.appendChild(newRTText);
+ ruby.insertBefore(newRT, span);
+}
+</script>
+</head>
+<!-- Inserting a <rt> element, causing a split of block flow to block flow and inline flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">text <div>block</div> <span id="S">more</span> text<rt>ruby text</rt></ruby>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3-expected.txt b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3-expected.txt
new file mode 100644
index 0000000..5a992c5
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3-expected.txt
@@ -0,0 +1,10 @@
+SUCCESS!
+
+
+text
+block
+new ruby text
+more
+text
+ruby text
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3.html b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3.html
new file mode 100644
index 0000000..4e45332
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-insert-rt-block-3.html
@@ -0,0 +1,28 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var span = document.getElementById('S');
+ var newRT = document.createElement('rt');
+ var newRTText = document.createTextNode('new ruby text');
+ newRT.appendChild(newRTText);
+ ruby.insertBefore(newRT, span);
+}
+</script>
+</head>
+<!-- Inserting a <rt> element, causing a split of block flow to block flow and block flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">text <div>block</div> <span id="S">more</span> <div>text</div><rt>ruby text</rt></ruby>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1-expected.txt b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1-expected.txt
new file mode 100644
index 0000000..34b1746
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1-expected.txt
@@ -0,0 +1,7 @@
+SUCCESS!
+
+
+some textmore text
+and a block
+ruby text 2
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1.html b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1.html
new file mode 100644
index 0000000..42c841c
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-1.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var rt = document.getElementById('RT');
+ ruby.removeChild(rt);
+}
+</script>
+</head>
+<!-- Removing a <rt> element, causing a merge of inline flow and block flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">some text<rt id="RT">ruby text 1</rt><span>more text</span> <div>and a block</div><rt>ruby text 2</rt></ruby>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2-expected.txt b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2-expected.txt
new file mode 100644
index 0000000..e000169
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2-expected.txt
@@ -0,0 +1,8 @@
+SUCCESS!
+
+
+text
+block
+more text
+ruby text 2
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2.html b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2.html
new file mode 100644
index 0000000..b4a8d2b
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-2.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var rt = document.getElementById('RT');
+ ruby.removeChild(rt);
+}
+</script>
+</head>
+<!-- Removing a <rt> element, causing a merge of block flow and inline flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">text <div>block</div> <rt id="RT">ruby text 1</rt><span>more</span> text<rt>ruby text 2</rt></ruby>
+</body>
+</html>
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3-expected.txt b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3-expected.txt
new file mode 100644
index 0000000..f828599
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3-expected.txt
@@ -0,0 +1,9 @@
+SUCCESS!
+
+
+text
+block
+more
+text
+ruby text 2
+
diff --git a/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3.html b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3.html
new file mode 100644
index 0000000..3c159be
--- /dev/null
+++ b/LayoutTests/fast/ruby/rubyDOM-remove-rt-block-3.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script>
+function test()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementById("result").firstChild.data = 'SUCCESS!';
+
+ var ruby = document.getElementById('R');
+ var rt = document.getElementById('RT');
+ ruby.removeChild(rt);
+}
+</script>
+</head>
+<!-- Removing a <rt> element, causing a merge of block flow and block flow -->
+<!-- As this is a malformed example we don't care about the exact rendering output, only that it doesn't crash -->
+<body onload="test()">
+<div id="result">FAILED!</p>
+<br>
+<br>
+<ruby id="R">text <div>block</div> <rt id="RT">ruby text 1</rt><span>more</span> <div>text</div><rt>ruby text 2</rt></ruby>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3c38084..18a702a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,44 @@
+2010-01-20 Roland Steiner <rolandsteiner at chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ Bug 33266 - WebCore::InlineFlowBox::determineSpacingForFlowBoxes ReadAV at NULL (43c64e8abbda6766e5f5edbd254c2d57)
+ (https://bugs.webkit.org/show_bug.cgi?id=33266)
+
+ Ruby did not handle malformed cases correctly when the ruby base was in
+ block flow. Changed the code to handle all possible cases.
+ Also, added some simplification methods to RenderBlock.
+
+ Tests: fast/ruby/ruby-illegal-1.html
+ fast/ruby/ruby-illegal-2.html
+ fast/ruby/ruby-illegal-3.html
+ fast/ruby/ruby-illegal-4.html
+ fast/ruby/ruby-illegal-5.html
+ fast/ruby/ruby-illegal-6.html
+ fast/ruby/ruby-illegal-7.html
+ fast/ruby/ruby-illegal-combined.html
+ fast/ruby/rubyDOM-insert-rt-block-1.html
+ fast/ruby/rubyDOM-insert-rt-block-2.html
+ fast/ruby/rubyDOM-insert-rt-block-3.html
+ fast/ruby/rubyDOM-remove-rt-block-1.html
+ fast/ruby/rubyDOM-remove-rt-block-2.html
+ fast/ruby/rubyDOM-remove-rt-block-3.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::moveAllChildrenTo): useful for anonymous block manipulation
+ (WebCore::RenderBlock::removeChild): making use of moveAllChildrenTo
+ * rendering/RenderBlock.h:
+ * rendering/RenderRubyBase.cpp:
+ (WebCore::RenderRubyBase::hasOnlyWrappedInlineChildren):
+ (WebCore::RenderRubyBase::moveChildren):
+ (WebCore::RenderRubyBase::moveInlineChildren):
+ (WebCore::RenderRubyBase::moveBlockChildren):
+ (WebCore::RenderRubyBase::mergeBlockChildren):
+ * rendering/RenderRubyBase.h:
+ * rendering/RenderRubyRun.cpp:
+ (WebCore::RenderRubyRun::addChild):
+ (WebCore::RenderRubyRun::removeChild):
+
2010-01-19 Dan Bernstein <mitz at apple.com>
Build fix after r53514
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 265c358..3fd10ea 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -411,6 +411,31 @@ void RenderBlock::moveChildTo(RenderObject* to, RenderObjectChildList* toChildLi
toChildList->insertChildNode(to, children()->removeChildNode(this, child, false), beforeChild, false);
}
+void RenderBlock::moveAllChildrenTo(RenderObject* to, RenderObjectChildList* toChildList)
+{
+ RenderObject* nextChild = children()->firstChild();
+ while (nextChild) {
+ RenderObject* child = nextChild;
+ nextChild = child->nextSibling();
+ toChildList->appendChildNode(to, children()->removeChildNode(this, child, false), false);
+ }
+}
+
+void RenderBlock::moveAllChildrenTo(RenderObject* to, RenderObjectChildList* toChildList, RenderObject* beforeChild)
+{
+ ASSERT(!beforeChild || to == beforeChild->parent());
+ if (!beforeChild) {
+ moveAllChildrenTo(to, toChildList);
+ return;
+ }
+ RenderObject* nextChild = children()->firstChild();
+ while (nextChild) {
+ RenderObject* child = nextChild;
+ nextChild = child->nextSibling();
+ toChildList->insertChildNode(to, children()->removeChildNode(this, child, false), beforeChild, false);
+ }
+}
+
void RenderBlock::makeChildrenNonInline(RenderObject *insertionPoint)
{
// makeChildrenNonInline takes a block whose children are *all* inline and it
@@ -517,20 +542,12 @@ void RenderBlock::removeChild(RenderObject* oldChild)
// Take all the children out of the |next| block and put them in
// the |prev| block.
prev->setNeedsLayoutAndPrefWidthsRecalc();
- RenderObject* o = next->firstChild();
-
RenderBlock* nextBlock = toRenderBlock(next);
RenderBlock* prevBlock = toRenderBlock(prev);
- while (o) {
- RenderObject* no = o;
- o = no->nextSibling();
- nextBlock->moveChildTo(prevBlock, prevBlock->children(), no);
- }
-
+ nextBlock->moveAllChildrenTo(prevBlock, prevBlock->children());
+ // Delete the now-empty block's lines and nuke it.
nextBlock->deleteLineBoxTree();
-
- // Nuke the now-empty block.
- next->destroy();
+ nextBlock->destroy();
}
RenderBox::removeChild(oldChild);
@@ -543,13 +560,7 @@ void RenderBlock::removeChild(RenderObject* oldChild)
setNeedsLayoutAndPrefWidthsRecalc();
RenderBlock* anonBlock = toRenderBlock(children()->removeChildNode(this, child, false));
setChildrenInline(true);
- RenderObject* o = anonBlock->firstChild();
- while (o) {
- RenderObject* no = o;
- o = no->nextSibling();
- anonBlock->moveChildTo(this, children(), no);
- }
-
+ anonBlock->moveAllChildrenTo(this, children());
// Delete the now-empty block's lines and nuke it.
anonBlock->deleteLineBoxTree();
anonBlock->destroy();
diff --git a/WebCore/rendering/RenderBlock.h b/WebCore/rendering/RenderBlock.h
index 89e9a0a..d7259ce 100644
--- a/WebCore/rendering/RenderBlock.h
+++ b/WebCore/rendering/RenderBlock.h
@@ -141,6 +141,8 @@ public:
protected:
void moveChildTo(RenderObject* to, RenderObjectChildList* toChildList, RenderObject* child);
void moveChildTo(RenderObject* to, RenderObjectChildList* toChildList, RenderObject* beforeChild, RenderObject* child);
+ void moveAllChildrenTo(RenderObject* to, RenderObjectChildList* toChildList);
+ void moveAllChildrenTo(RenderObject* to, RenderObjectChildList* toChildList, RenderObject* beforeChild);
int maxTopPosMargin() const { return m_maxMargin ? m_maxMargin->m_topPos : MaxMargin::topPosDefault(this); }
int maxTopNegMargin() const { return m_maxMargin ? m_maxMargin->m_topNeg : MaxMargin::topNegDefault(this); }
@@ -515,6 +517,10 @@ private:
RenderLineBoxList m_lineBoxes; // All of the root line boxes created for this block flow. For example, <div>Hello<br>world.</div> will have two total lines for the <div>.
mutable int m_lineHeight;
+
+ // RenderRubyBase objects need to be able to split and merge, moving their children around
+ // (calling moveChildTo, moveAllChildrenTo, and makeChildrenNonInline).
+ friend class RenderRubyBase;
};
inline RenderBlock* toRenderBlock(RenderObject* object)
diff --git a/WebCore/rendering/RenderRubyBase.cpp b/WebCore/rendering/RenderRubyBase.cpp
index 5cb25f4..41ac4e3 100644
--- a/WebCore/rendering/RenderRubyBase.cpp
+++ b/WebCore/rendering/RenderRubyBase.cpp
@@ -48,39 +48,139 @@ bool RenderRubyBase::isChildAllowed(RenderObject* child, RenderStyle*) const
return child->isInline();
}
-void RenderRubyBase::splitToLeft(RenderBlock* leftBase, RenderObject* beforeChild)
+bool RenderRubyBase::hasOnlyWrappedInlineChildren(RenderObject* beforeChild) const
{
- // This function removes all children that are before (!) beforeChild
- // and appends them to leftBase.
- ASSERT(leftBase);
+ // Tests whether all children in the base before beforeChild are either floated/positioned,
+ // or inline objects wrapped in anonymous blocks.
+ // Note that beforeChild may be 0, in which case all children are looked at.
+ for (RenderObject* child = firstChild(); child != beforeChild; child = child->nextSibling()) {
+ if (!child->isFloatingOrPositioned() && !(child->isAnonymousBlock() && child->childrenInline()))
+ return false;
+ }
+ return true;
+}
+void RenderRubyBase::moveChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild)
+{
+ // This function removes all children that are before (!) beforeChild
+ // and appends them to toBase.
+ ASSERT(toBase);
+
// First make sure that beforeChild (if set) is indeed a direct child of this.
- // Fallback: climb up the tree to make sure. This may result in somewhat incorrect rendering.
- // FIXME: Can this happen? Is there a better/more correct way to solve this?
- ASSERT(!beforeChild || beforeChild->parent() == this);
- while (beforeChild && beforeChild->parent() != this)
- beforeChild = beforeChild->parent();
-
- RenderObject* child = firstChild();
- while (child != beforeChild) {
- RenderObject* nextChild = child->nextSibling();
- moveChildTo(leftBase, leftBase->children(), child);
- child = nextChild;
+ // Inline children might be wrapped in an anonymous block if there's a continuation.
+ // Theoretically, in ruby bases, this can happen with only the first such a child,
+ // so it should be OK to just climb the tree.
+ while (fromBeforeChild && fromBeforeChild->parent() != this)
+ fromBeforeChild = fromBeforeChild->parent();
+
+ if (childrenInline())
+ moveInlineChildren(toBase, fromBeforeChild);
+ else
+ moveBlockChildren(toBase, fromBeforeChild);
+
+ setNeedsLayoutAndPrefWidthsRecalc();
+ toBase->setNeedsLayoutAndPrefWidthsRecalc();
+}
+
+void RenderRubyBase::moveInlineChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild)
+{
+ RenderBlock* toBlock;
+
+ if (toBase->childrenInline()) {
+ // The standard and easy case: move the children into the target base
+ toBlock = toBase;
+ } else {
+ // We need to wrap the inline objects into an anonymous block.
+ // If toBase has a suitable block, we re-use it, otherwise create a new one.
+ RenderObject* lastChild = toBase->lastChild();
+ if (lastChild && lastChild->isAnonymousBlock() && lastChild->childrenInline())
+ toBlock = toRenderBlock(lastChild);
+ else {
+ toBlock = toBase->createAnonymousBlock();
+ toBase->children()->appendChildNode(toBase, toBlock);
+ }
}
+ // Move our inline children into the target block we determined above.
+ for (RenderObject* child = firstChild(); child != fromBeforeChild; child = firstChild())
+ moveChildTo(toBlock, toBlock->children(), child);
}
-void RenderRubyBase::mergeWithRight(RenderBlock* rightBase)
+void RenderRubyBase::moveBlockChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild)
{
- // This function removes all children and prepends (!) them to rightBase.
- ASSERT(rightBase);
-
- RenderObject* firstPos = rightBase->firstChild();
- RenderObject* child = lastChild();
- while (child) {
- moveChildTo(rightBase, rightBase->children(), firstPos, child);
- firstPos = child;
- child = lastChild();
+ if (toBase->childrenInline()) {
+ // First check whether we move only wrapped inline objects.
+ if (hasOnlyWrappedInlineChildren(fromBeforeChild)) {
+ // The reason why the base is in block flow must be after beforeChild.
+ // We therefore can extract the inline objects and move them to toBase.
+ for (RenderObject* child = firstChild(); child != fromBeforeChild; child = firstChild()) {
+ if (child->isAnonymousBlock()) {
+ RenderBlock* anonBlock = toRenderBlock(child);
+ ASSERT(anonBlock->childrenInline());
+ ASSERT(!anonBlock->inlineContinuation());
+ anonBlock->moveAllChildrenTo(toBase, toBase->children());
+ anonBlock->deleteLineBoxTree();
+ anonBlock->destroy();
+ } else {
+ ASSERT(child->isFloatingOrPositioned());
+ moveChildTo(toBase, toBase->children(), child);
+ }
+ }
+ } else {
+ // Moving block children -> have to set toBase as block flow
+ toBase->makeChildrenNonInline();
+ // Move children, potentially collapsing anonymous block wrappers.
+ mergeBlockChildren(toBase, fromBeforeChild);
+
+ // Now we need to check if the leftover children are all inline.
+ // If so, make this base inline again.
+ if (hasOnlyWrappedInlineChildren()) {
+ RenderObject* next = 0;
+ for (RenderObject* child = firstChild(); child; child = next) {
+ next = child->nextSibling();
+ if (child->isFloatingOrPositioned())
+ continue;
+ ASSERT(child->isAnonymousBlock());
+
+ RenderBlock* anonBlock = toRenderBlock(child);
+ ASSERT(anonBlock->childrenInline());
+ ASSERT(!anonBlock->inlineContinuation());
+ // Move inline children out of anonymous block.
+ anonBlock->moveAllChildrenTo(this, children(), anonBlock);
+ anonBlock->deleteLineBoxTree();
+ anonBlock->destroy();
+ }
+ setChildrenInline(true);
+ }
+ }
+ } else
+ mergeBlockChildren(toBase, fromBeforeChild);
+}
+
+void RenderRubyBase::mergeBlockChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild)
+{
+ // This function removes all children that are before fromBeforeChild and appends them to toBase.
+ ASSERT(!childrenInline());
+ ASSERT(toBase);
+ ASSERT(!toBase->childrenInline());
+
+ // Quick check whether we have anything to do, to simplify the following code.
+ if (fromBeforeChild != firstChild())
+ return;
+
+ // If an anonymous block would be put next to another such block, then merge those.
+ RenderObject* firstChildHere = firstChild();
+ RenderObject* lastChildThere = toBase->lastChild();
+ if (firstChildHere && firstChildHere->isAnonymousBlock() && firstChildHere->childrenInline()
+ && lastChildThere && lastChildThere->isAnonymousBlock() && lastChildThere->childrenInline()) {
+ RenderBlock* anonBlockHere = toRenderBlock(firstChildHere);
+ RenderBlock* anonBlockThere = toRenderBlock(lastChildThere);
+ anonBlockHere->moveAllChildrenTo(anonBlockThere, anonBlockThere->children());
+ anonBlockHere->deleteLineBoxTree();
+ anonBlockHere->destroy();
}
+ // Move all remaining children normally.
+ for (RenderObject* child = firstChild(); child != fromBeforeChild; child = firstChild())
+ moveChildTo(toBase, toBase->children(), child);
}
} // namespace WebCore
diff --git a/WebCore/rendering/RenderRubyBase.h b/WebCore/rendering/RenderRubyBase.h
index 57baf99..c029bd5 100644
--- a/WebCore/rendering/RenderRubyBase.h
+++ b/WebCore/rendering/RenderRubyBase.h
@@ -46,8 +46,16 @@ public:
virtual bool isChildAllowed(RenderObject*, RenderStyle*) const;
- void splitToLeft(RenderBlock* leftBase, RenderObject* beforeChild);
- void mergeWithRight(RenderBlock* rightBase);
+private:
+ bool hasOnlyWrappedInlineChildren(RenderObject* beforeChild = 0) const;
+
+ void moveChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild = 0);
+ void moveInlineChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild = 0);
+ void moveBlockChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild = 0);
+ void mergeBlockChildren(RenderRubyBase* toBase, RenderObject* fromBeforeChild = 0);
+
+ // Allow RenderRubyRun to manipulate the children within ruby bases.
+ friend class RenderRubyRun;
};
} // namespace WebCore
diff --git a/WebCore/rendering/RenderRubyRun.cpp b/WebCore/rendering/RenderRubyRun.cpp
index 8578c55..a3e6281 100644
--- a/WebCore/rendering/RenderRubyRun.cpp
+++ b/WebCore/rendering/RenderRubyRun.cpp
@@ -148,7 +148,7 @@ void RenderRubyRun::addChild(RenderObject* child, RenderObject* beforeChild)
RenderRubyRun* newRun = staticCreateRubyRun(ruby);
ruby->addChild(newRun, this);
newRun->addChild(child);
- rubyBaseSafe()->splitToLeft(newRun->rubyBaseSafe(), beforeChild);
+ rubyBaseSafe()->moveChildren(newRun->rubyBaseSafe(), beforeChild);
}
} else {
// child is not a text -> insert it into the base
@@ -170,7 +170,11 @@ void RenderRubyRun::removeChild(RenderObject* child)
// Ruby run without a base can happen only at the first run.
RenderRubyRun* rightRun = static_cast<RenderRubyRun*>(rightNeighbour);
ASSERT(rightRun->hasRubyBase());
- base->mergeWithRight(rightRun->rubyBaseSafe());
+ RenderRubyBase* rightBase = rightRun->rubyBaseSafe();
+ // Collect all children in a single base, then swap the bases.
+ rightBase->moveChildren(base);
+ moveChildTo(rightRun, rightRun->children(), base);
+ rightRun->moveChildTo(this, children(), rightBase);
// The now empty ruby base will be removed below.
}
}
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list