[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-60-g76add97
Gustavo Noronha Silva
gns at gnome.org
Sun Oct 17 22:28:01 UTC 2010
The following commit has been merged in the debian/unstable branch:

commit 1dd30f922eb34463ec5d121e2874f8d366e6064e
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Aug 25 23:10:28 2010 +0000

    2010-08-25 Cris Neckar <cdn at chromium.org>

    Reviewed by Darin Adler.

    Added abort condition for RenderCounters when traversing a detached render tree.
    https://bugs.webkit.org/show_bug.cgi?id=43812

    Test: fast/css/counters/counter-traverse-object-crash.html

    * rendering/RenderCounter.cpp:
    (WebCore::findPlaceForCounter):

    2010-08-25 Cris Neckar <cdn at chromium.org>

    Reviewed by Darin Adler.

    Assertion failure in RenderCounter when traversing a detached render tree.
    https://bugs.webkit.org/show_bug.cgi?id=43812

    * fast/css/counters/counter-traverse-object-crash-expected.txt: Added.
    * fast/css/counters/counter-traverse-object-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66052 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2ab61ce..31000c3 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-08-25 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Assertion failure in RenderCounter when traversing a detached render trees.
+ https://bugs.webkit.org/show_bug.cgi?id=43812
+
+ * fast/css/counters/counter-traverse-object-crash-expected.txt: Added.
+ * fast/css/counters/counter-traverse-object-crash.html: Added.
+
2010-08-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Dimitri Glazkov.
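Review bot: the entry title "Assertion failure in RenderCounter when traversing a detached render trees." mixes singular and plural, and it is worded differently from the WebCore/ChangeLog title for the same bug 43812. Use one title in both ChangeLogs (for example the "detached render tree" wording) so the two entries can be matched when searching history.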
diff --git a/LayoutTests/fast/css/counters/counter-traverse-object-crash-expected.txt b/LayoutTests/fast/css/counters/counter-traverse-object-crash-expected.txt
new file mode 100644
index 0000000..38634a2
--- /dev/null
+++ b/LayoutTests/fast/css/counters/counter-traverse-object-crash-expected.txt
@@ -0,0 +1,2 @@
+This tests that we do not crash when RenderCounter traverses detached render trees. PASS
+
diff --git a/LayoutTests/fast/css/counters/counter-traverse-object-crash.html b/LayoutTests/fast/css/counters/counter-traverse-object-crash.html
new file mode 100644
index 0000000..5ad3656
--- /dev/null
+++ b/LayoutTests/fast/css/counters/counter-traverse-object-crash.html
@@ -0,0 +1,17 @@
+<html>
+ <script>
+ function test()
+ {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ document.getElementsByTagName("div")[0].outerHTML = "PASS";
+ }
+ </script>
+ This tests that we do not crash when RenderCounter traverses detached render trees.
+ <body onload="test()" style="counter-increment: ctr">
+ <object>
+ <b style="counter-increment: ctr"><div></div></b>
+ <menu style="counter-increment: ctr"></menu>
+ </object>
+ </body>
+</html>
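Review bot: the script and the description text sit between <html> and <body onload="test()" style="counter-increment: ctr">, so the body tag arrives after content has already been emitted and the test depends on parser error recovery to attach onload and the counter-increment style to the body. Move the description inside the body (and the script into a head) so the counter setup on body, b and menu is what the test actually exercises. Note also that test() writes "PASS" unconditionally, so this only detects a crash or assertion, which matches the stated intent but would be worth saying in the description.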
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 113e8f3..d187b0d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-08-25 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Added abort condition for RenderCounters when traversing a detached render tree.
+ https://bugs.webkit.org/show_bug.cgi?id=43812
+
+ Test: fast/css/counters/counter-traverse-object-crash.html
+
+ * rendering/RenderCounter.cpp:
+ (WebCore::findPlaceForCounter):
+
2010-08-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Dimitri Glazkov.
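Review bot: the "(WebCore::findPlaceForCounter):" line carries no description of what changed in the function. Add a short note after the colon, for example that the search now stops and returns false when the previous sibling counter node has no parent, so a reader of the ChangeLog does not need to open the diff to learn what the abort condition is.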
diff --git a/WebCore/rendering/RenderCounter.cpp b/WebCore/rendering/RenderCounter.cpp
index 3cb9a07..6e678e8 100644
--- a/WebCore/rendering/RenderCounter.cpp
+++ b/WebCore/rendering/RenderCounter.cpp
@@ -136,6 +136,11 @@ static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString&
RenderObject* currentRenderer = counterOwner->previousInPreOrder();
previousSibling = 0;
while (currentRenderer) {
+ // A sibling without a parent means that the counter node tree was not constructed correctly so we stop
+ // traversing. In the future RenderCounter should handle RenderObjects that are not connected to the
+ // render tree at counter node creation. See bug 43812.
+ if (previousSibling && !previousSibling->parent())
+ return false;
CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
if (searchEndRenderer == currentRenderer) {
// We may be at the end of our search.
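Review bot: the new "return false" at the top of the while loop exits with previousSibling still pointing at the parentless node it just tested. previousSibling is zeroed immediately before the loop, which suggests callers read it, so either reset it to 0 before returning or state in the comment that the outputs must not be used when the function returns false. The comment also describes follow-up work ("In the future RenderCounter should handle RenderObjects that are not connected to the render tree"); mark it as a FIXME so it is found by the usual search, and consider an assertion-free early check before entering the loop if the detached state can be detected from counterOwner alone.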
--
WebKit Debian packaging