[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-25-gb2c19be

Gustavo Noronha Silva gns at gnome.org
Mon Sep 6 13:09:14 UTC 2010 

The following commit has been merged in the debian/unstable branch:
commit bab92909e0d1d76016562684cc588f92d48fdd06
Author: jhawkins at chromium.org <jhawkins at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Jun 11 23:33:27 2010 +0000

    2010-06-11  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by David Hyatt.
    
            Don't process floats if parent node is not a RenderBlock.
            https://bugs.webkit.org/show_bug.cgi?id=40033
    
            Test: svg/text/clear-floats-crash.svg
    
            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::clearFloats):
    2010-06-11  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by David Hyatt.
    
            Tests that we do not crash when clearing floats during SVG load.
            https://bugs.webkit.org/show_bug.cgi?id=40033
    
            * svg/text/clear-floats-crash-expected.txt: Added.
            * svg/text/clear-floats-crash.svg: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b6a5658..5f8dd65 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-06-11  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Tests that we do not crash when clearing floats during SVG load.
+        https://bugs.webkit.org/show_bug.cgi?id=40033
+
+        * svg/text/clear-floats-crash-expected.txt: Added.
+        * svg/text/clear-floats-crash.svg: Added.
+
 2010-06-10  Tony Chang  <tony at chromium.org>
 
         Reviewed by Kent Tamura.
diff --git a/LayoutTests/svg/text/clear-floats-crash-expected.txt b/LayoutTests/svg/text/clear-floats-crash-expected.txt
new file mode 100644
index 0000000..e2b0929
--- /dev/null
+++ b/LayoutTests/svg/text/clear-floats-crash-expected.txt
@@ -0,0 +1,3 @@
+This test is to ensure that we do not crash when clearing floats during SVG load.
+PASS: Did not crash while rendering the SVG.
+
diff --git a/LayoutTests/svg/text/clear-floats-crash.svg b/LayoutTests/svg/text/clear-floats-crash.svg
new file mode 100644
index 0000000..eef7ac7
--- /dev/null
+++ b/LayoutTests/svg/text/clear-floats-crash.svg
@@ -0,0 +1,25 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <body>
+    This test is to ensure that we do not crash when clearing floats during SVG load.
+    <div id="log"><span style='color: red;'>FAIL:</span> Did not complete test</div>
+    <svg xmlns="http://www.w3.org/2000/svg">
+      <g>
+        <text style="float:right"></text>
+        <text></text>
+      </g>
+    </svg>
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+        var log = document.getElementById("log");
+        while (log.childNodes.length)
+            log.removeChild(log.firstChild);
+        var msg = document.createElementNS("http://www.w3.org/1999/xhtml", "span");
+        msg.style.color = "green";
+        msg.appendChild(document.createTextNode("PASS:"));
+        log.appendChild(msg);
+        log.appendChild(document.createTextNode(" Did not crash while rendering the SVG."));
+    </script>
+  </body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ed1f339..24a318f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-06-11  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Don't process floats if parent node is not a RenderBlock.
+        https://bugs.webkit.org/show_bug.cgi?id=40033
+
+        Test: svg/text/clear-floats-crash.svg
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::clearFloats):
+
 2010-06-15  Xan Lopez  <xlopez at igalia.com>
 
         Reviewed by Gustavo Noronha.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index ce34444..cf27cc7 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -2981,6 +2981,12 @@ void RenderBlock::clearFloats()
             m_floatingObjects->clear();
     }
 
+    // We should not process floats if the parent node is not a RenderBlock. Otherwise, we will add 
+    // floats in an invalid context. This will cause a crash arising from a bad cast on the parent.
+    // See <rdar://problem/8049753>, where float property is applied on a text node in a SVG.
+    if (!parent() || !parent()->isRenderBlock())
+        return;
+
     // Attempt to locate a previous sibling with overhanging floats.  We skip any elements that are
     // out of flow (like floating/positioned elements), and we also skip over any objects that may have shifted
     // to avoid floats.

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list