[webkit-changes] cvs commit: WebCore/khtml/rendering render_flow.cpp
Beth
bdakin at opensource.apple.com
Fri Oct 21 18:10:33 PDT 2005
bdakin 05/10/21 18:10:32
Modified: . ChangeLog
. ChangeLog
khtml/rendering render_flow.cpp
Added: fast/css continuationCrash-expected.checksum
continuationCrash-expected.png
continuationCrash-expected.txt
continuationCrash.html
Log:
Revision Changes Path
1.42 +15 -0 LayoutTests/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/LayoutTests/ChangeLog,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- ChangeLog 22 Oct 2005 00:06:42 -0000 1.41
+++ ChangeLog 22 Oct 2005 01:10:27 -0000 1.42
@@ -1,3 +1,18 @@
+2005-10-21 Beth Dakin <bdakin at apple.com>
+
+ Reviewed by Hyatt
+
+ Layout test for fix to <rdar://problem/3947202> certain sequence of DOM
+ method calls involving CSS outline and display crashes Safari
+ (in repaint code).
+
+ The fix is in WebCore.
+
+ * fast/css/continuationCrash-expected.checksum: Added.
+ * fast/css/continuationCrash-expected.png: Added.
+ * fast/css/continuationCrash-expected.txt: Added.
+ * fast/css/continuationCrash.html: Added.
+
2005-10-21 Darin Adler <darin at apple.com>
Reviewed by Eric, landed by Maciej.
1.1 LayoutTests/fast/css/continuationCrash-expected.checksum
Index: continuationCrash-expected.checksum
===================================================================
c9e4fefcb466a16582f8eac284099a4c
1.1 LayoutTests/fast/css/continuationCrash-expected.png
<<Binary file>>
1.1 LayoutTests/fast/css/continuationCrash-expected.txt
Index: continuationCrash-expected.txt
===================================================================
layer at (0,0) size 800x600
RenderCanvas at (0,0) size 800x600
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,8) size 784x576
RenderBlock (anonymous) at (0,0) size 784x0
RenderInline {SPAN} at (0,0) size 0x0
RenderInline {SPAN} at (0,0) size 0x0
RenderText {TEXT} at (0,0) size 0x0
RenderBlock {H4} at (0,0) size 784x18
RenderText {TEXT} at (0,0) size 81x18
text run at (0,0) width 81: "Instructions"
RenderBlock {P} at (0,39) size 784x18
RenderText {TEXT} at (0,0) size 176x18
text run at (0,0) width 176: "Click the following buttons."
RenderBlock {OL} at (0,73) size 784x166
RenderListItem {LI} at (40,0) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 193x18
text run at (0,0) width 193: "Start with the outmost left one."
RenderText {TEXT} at (0,0) size 0x0
RenderListItem {LI} at (40,18) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 135x18
text run at (0,0) width 135: "Click the middle one."
RenderListItem {LI} at (40,36) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 266x18
text run at (0,0) width 266: "(The ouline will not be updated correctly.)"
RenderListItem {LI} at (40,54) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 138x18
text run at (0,0) width 138: "Click the right button."
RenderListItem {LI} at (40,72) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 465x18
text run at (0,0) width 465: "This will crash Safari 1.3 (v176 and v170, no other configurations tested)."
RenderListItem {LI} at (40,90) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 294x18
text run at (0,0) width 294: "The combination 2. 1. 3. will also crash Safari."
RenderListItem {LI} at (40,108) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 447x18
text run at (0,0) width 447: "1. 3. will not crash Safari. (But the outline should vanish. Shouldn't it?)"
RenderListItem {LI} at (40,126) size 744x18
RenderListMarker at (0,0) size 0x14
RenderText {TEXT} at (0,0) size 201x18
text run at (0,0) width 201: "2. 3. will not crash Safari either."
RenderBlock (anonymous) at (40,144) size 744x22
RenderButton {INPUT} at (2,2) size 137x18
RenderBlock (anonymous) at (8,2) size 121x13
RenderText at (0,0) size 121x13
text run at (0,0) width 121: "1. Set outline property"
RenderText {TEXT} at (141,1) size 4x18
text run at (141,1) width 4: " "
RenderButton {INPUT} at (147,2) size 137x18
RenderBlock (anonymous) at (8,2) size 121x13
RenderText at (0,0) size 121x13
text run at (0,0) width 121: "2. Set display property"
RenderText {TEXT} at (286,1) size 4x18
text run at (286,1) width 4: " "
RenderButton {INPUT} at (292,2) size 151x18
RenderBlock (anonymous) at (8,2) size 135x13
RenderText at (0,0) size 135x13
text run at (0,0) width 135: "3. Replace span-element"
RenderText {TEXT} at (0,0) size 0x0
RenderText {TEXT} at (0,0) size 0x0
1.1 LayoutTests/fast/css/continuationCrash.html
Index: continuationCrash.html
===================================================================
<html>
<head>
<script language="JavaScript">
function setBlock() {
var el = document.getElementById("block");
el.style.display="block";
}
function setOutline() {
var el = document.getElementById("outline");
el.style.outline="2px solid red";
}
function setSpan() {
var newChild = document.createElement("span");
newChild.setAttribute("id", "outline");
var aSpan = document.createElement("span");
aSpan.setAttribute("id", "block");
newChild.appendChild(aSpan);
var oldChild = document.body.firstChild;
document.body.replaceChild(newChild, oldChild);
}
</script>
</head>
<body><span id="outline">
<span id="block">A span-element</span>
</span>
<h4>Instructions</h4>
<p>Click the following buttons.</p>
<ol>
<li>Start with the outmost left one.</id>
<li>Click the middle one.</li>
<li>(The ouline will not be updated correctly.)
<li>Click the right button.</li>
<li>This will crash Safari 1.3 (v176 and v170, no other configurations tested).</li>
<li>The combination 2. 1. 3. will also crash Safari.</li>
<li>1. 3. will not crash Safari. (But the outline should vanish. Shouldn't it?)</li>
<li>2. 3. will not crash Safari either.</li>
<script>
setOutline();
</script>
<script>
setBlock();
</script>
<script>
setSpan();
</script>
<input type="button" value="1. Set outline property" onclick="setOutline()" />
<input type="button" value="2. Set display property" onclick="setBlock()" />
<input type="button" value="3. Replace span-element" onclick="setSpan()" />
</body>
</html>
1.259 +12 -0 WebCore/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/WebCore/ChangeLog,v
retrieving revision 1.258
retrieving revision 1.259
diff -u -r1.258 -r1.259
--- ChangeLog 21 Oct 2005 23:11:03 -0000 1.258
+++ ChangeLog 22 Oct 2005 01:10:28 -0000 1.259
@@ -1,3 +1,15 @@
+2005-10-21 Beth Dakin <bdakin at apple.com>
+
+ Reviewed by Hyatt
+
+ Fix for <rdar://problem/3947202> certain sequence of DOM
+ method calls involving CSS outline and display crashes Safari
+ (in repaint code).
+
+ * khtml/rendering/render_flow.cpp:
+ (RenderFlow::destroy): Need to set m_continuation to 0 after it
+ is destroyed to prevent possible crashes.
+
2005-10-21 Vicki Murley <vicki at apple.com>
Reviewed by John.
1.172 +1 -0 WebCore/khtml/rendering/render_flow.cpp
Index: render_flow.cpp
===================================================================
RCS file: /cvs/root/WebCore/khtml/rendering/render_flow.cpp,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -r1.171 -r1.172
--- render_flow.cpp 18 Oct 2005 03:15:30 -0000 1.171
+++ render_flow.cpp 22 Oct 2005 01:10:32 -0000 1.172
@@ -184,6 +184,7 @@
void RenderFlow::destroy()
{
RenderContainer::destroyChildren();
+ m_continuation = 0;
if (!documentBeingDestroyed()) {
if (m_firstLineBox) {
More information about the webkit-changes
mailing list