[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e
inferno at chromium.org
inferno at chromium.org
Fri Jan 21 14:47:31 UTC 2011
The following commit has been merged in the debian/experimental branch:
commit 3b358ec4293aab06662b4cb50bf6c827a7b5b8f6
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Dec 30 06:36:30 2010 +0000
2010-12-29 Abhishek Arya <inferno at chromium.org>
Reviewed by Darin Adler.
ASSERT(oldchild->parent() == owner) fails.
https://bugs.webkit.org/show_bug.cgi?id=50480
In RenderBlock removeChild function, when the inlineChildrenBlock(equal to prev or next)
is reparented to blockChildrenBlock, it is no longer a child of "this". This causes the
assertion failure when removeChildNode executes on the child(equal to prev or next).
Fix a typo in canMergeContiguousAnonymousBlocks.
Test: fast/multicol/span/double-merge-anonymous-block-crash.html
* rendering/RenderBlock.cpp:
(WebCore::canMergeContiguousAnonymousBlocks): fix typo, change prev to next.
(WebCore::RenderBlock::removeChild): if prev or not is reparented, then set it to zero.
2010-12-29 Abhishek Arya <inferno at chromium.org>
Reviewed by Darin Adler.
Tests that we do not crash when merging anonymous blocks.
https://bugs.webkit.org/show_bug.cgi?id=50480
* fast/multicol/span/double-merge-anonymous-block-crash-expected.txt: Added.
* fast/multicol/span/double-merge-anonymous-block-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74781 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8bdcace..e2d8d80 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-12-29 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Tests that we do not crash when merging anonymous blocks.
+ https://bugs.webkit.org/show_bug.cgi?id=50480
+
+ * fast/multicol/span/double-merge-anonymous-block-crash-expected.txt: Added.
+ * fast/multicol/span/double-merge-anonymous-block-crash.html: Added.
+
2010-12-29 Justin Schuh <jschuh at chromium.org>
Reviewed by Darin Adler.
diff --git a/JavaScriptCore/AllInOneFile.cpp b/LayoutTests/fast/multicol/span/double-merge-anonymous-block-crash-expected.txt
similarity index 100%
copy from JavaScriptCore/AllInOneFile.cpp
copy to LayoutTests/fast/multicol/span/double-merge-anonymous-block-crash-expected.txt
diff --git a/LayoutTests/fast/multicol/span/double-merge-anonymous-block-crash.html b/LayoutTests/fast/multicol/span/double-merge-anonymous-block-crash.html
new file mode 100644
index 0000000..2dbdff2
--- /dev/null
+++ b/LayoutTests/fast/multicol/span/double-merge-anonymous-block-crash.html
@@ -0,0 +1,27 @@
+<html>
+ <head>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ </head>
+ <style>
+ div {
+ border: 5px solid maroon;
+ -webkit-column-count: 2;
+ margin: 1em 0;
+ }
+ summary {
+ -webkit-column-span: all;
+ background-color: #eeeeee;
+ color: black;
+ }
+ </style>
+ <body onload="document.open()">
+ <div>
+ <label>AAA
+ <summary>BBB
+ </div>
+ </body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4842aec..65133ce 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-12-29 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ ASSERT(oldchild->parent() == owner) fails.
+ https://bugs.webkit.org/show_bug.cgi?id=50480
+
+ In RenderBlock removeChild function, when the inlineChildrenBlock(equal to prev or next)
+ is reparented to blockChildrenBlock, it is no longer a child of "this". This causes the
+ assertion failure when removeChildNode executes on the child(equal to prev or next).
+ Fix a typo in canMergeContiguousAnonymousBlocks.
+
+ Test: fast/multicol/span/double-merge-anonymous-block-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::canMergeContiguousAnonymousBlocks): fix typo, change prev to next.
+ (WebCore::RenderBlock::removeChild): if prev or not is reparented, then set it to zero.
+
2010-12-29 Justin Schuh <jschuh at chromium.org>
Reviewed by Darin Adler.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 9c07a6c..5b7dd8e 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -943,7 +943,7 @@ static bool canMergeContiguousAnonymousBlocks(RenderObject* oldChild, RenderObje
// Make sure the types of the anonymous blocks match up.
return prev->isAnonymousColumnsBlock() == next->isAnonymousColumnsBlock()
- && prev->isAnonymousColumnSpanBlock() == prev->isAnonymousColumnSpanBlock();
+ && prev->isAnonymousColumnSpanBlock() == next->isAnonymousColumnSpanBlock();
}
void RenderBlock::removeChild(RenderObject* oldChild)
@@ -977,6 +977,13 @@ void RenderBlock::removeChild(RenderObject* oldChild)
blockChildrenBlock->children()->insertChildNode(blockChildrenBlock, inlineChildrenBlock, prev == inlineChildrenBlock ? blockChildrenBlock->firstChild() : 0,
inlineChildrenBlock->hasLayer() || blockChildrenBlock->hasLayer());
next->setNeedsLayoutAndPrefWidthsRecalc();
+
+ // inlineChildrenBlock got reparented to blockChildrenBlock, so it is no longer a child
+ // of "this". we null out prev or next so that is not used later in the function.
+ if (inlineChildrenBlock == prevBlock)
+ prev = 0;
+ else
+ next = 0;
} else {
// Take all the children out of the |next| block and put them in
// the |prev| block.
@@ -985,6 +992,7 @@ void RenderBlock::removeChild(RenderObject* oldChild)
// Delete the now-empty block's lines and nuke it.
nextBlock->deleteLineBoxTree();
nextBlock->destroy();
+ next = 0;
}
}
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list