[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

inferno at chromium.org inferno at chromium.org
Fri Jan 21 14:58:11 UTC 2011 

The following commit has been merged in the debian/experimental branch:
commit 67a47c8ae2c4b12b943be76f3609c868de7190fe
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jan 5 18:58:06 2011 +0000

    2011-01-05  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Do not merge anonymous blocks when one of them is the one getting removed.
            https://bugs.webkit.org/show_bug.cgi?id=51919
    
            Test: fast/block/merge-anonymous-block-remove-child-crash.html
    
            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::removeChild):
    2011-01-05  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Tests that we do not crash when trying to merge two anonymous blocks,
            one of which is getting removed.
            https://bugs.webkit.org/show_bug.cgi?id=51919
    
            * fast/block/merge-anonymous-block-remove-child-crash-expected.txt: Added.
            * fast/block/merge-anonymous-block-remove-child-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75082 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8c6cee9..d505242 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-01-05  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Tests that we do not crash when trying to merge two anonymous blocks,
+        one of which is getting removed.
+        https://bugs.webkit.org/show_bug.cgi?id=51919
+
+        * fast/block/merge-anonymous-block-remove-child-crash-expected.txt: Added.
+        * fast/block/merge-anonymous-block-remove-child-crash.html: Added.
+
 2011-01-05  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/block/merge-anonymous-block-remove-child-crash-expected.txt
diff --git a/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash.html b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash.html
new file mode 100644
index 0000000..7fb458c
--- /dev/null
+++ b/LayoutTests/fast/block/merge-anonymous-block-remove-child-crash.html
@@ -0,0 +1,38 @@
+<html>
+<body onload="runTest();">
+<span style="display: run-in" id="runIn">
+</span>
+<span style="display: list-item" id="listItem">
+</span>
+<div id="result"></div>
+<script>
+if (window.layoutTestController)
+{
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+    document.body.offsetTop;
+    var runIn = document.getElementById('runIn');
+    var listItem = document.getElementById('listItem');
+
+    runIn.appendChild(document.createElement('menu'));
+    
+    ol = document.createElement('ol');
+    listItem.appendChild(ol);
+    listItem.appendChild(document.createElement('i'));
+    
+    document.body.offsetTop;
+    listItem.removeChild(ol);
+    document.body.removeChild(runIn);
+    document.body.removeChild(listItem);
+
+    document.getElementById('result').innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 20d672b..8c0be51 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-05  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Do not merge anonymous blocks when one of them is the one getting removed.
+        https://bugs.webkit.org/show_bug.cgi?id=51919
+
+        Test: fast/block/merge-anonymous-block-remove-child-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild):
+
 2011-01-05  Ryosuke Niwa  <rniwa at webkit.org>
 
         Reviewed by Eric Seidel.
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 5b7dd8e..94fb382 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -988,11 +988,25 @@ void RenderBlock::removeChild(RenderObject* oldChild)
             // Take all the children out of the |next| block and put them in
             // the |prev| block.
             nextBlock->moveAllChildrenTo(prevBlock, nextBlock->hasLayer() || prevBlock->hasLayer());
-       
+
+            // FIXME: When we destroy nextBlock, it might happen that nextBlock's next sibling block and
+            // oldChild can get merged. Since oldChild is getting removed, we do not want to move
+            // nextBlock's next sibling block's children into it. By setting a fake continuation,
+            // we prevent this from happening.
+            RenderBlock* oldChildBlock;
+            if (oldChild->isAnonymous() && oldChild->isRenderBlock() && !toRenderBlock(oldChild)->continuation()) {
+                oldChildBlock = toRenderBlock(oldChild);
+                oldChildBlock->setContinuation(oldChildBlock);                
+            }          
+            
             // Delete the now-empty block's lines and nuke it.
             nextBlock->deleteLineBoxTree();
             nextBlock->destroy();
             next = 0;
+
+            // FIXME: Revert the continuation change done above.
+            if (oldChildBlock)
+                oldChildBlock->setContinuation(0);
         }
     }
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list