[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

mitz at apple.com mitz at apple.com
Thu Oct 29 20:43:31 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 8068bedbd5edba7d57e5518c6ceab3a8845bab37
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Oct 12 23:49:46 2009 +0000

    WebCore: Fix <rdar://problem/7094146> Reproducible crash at
    RenderObject::localToAbsolute()
    
    Reviewed by Simon Fraser.
    
    Test: fast/dynamic/position-absolute-to-fixed-crash.html
    
    The crash was caused by stale positioned objects lists following an
    object transitioning from being absolutely positioned to being fixed
    positioned.
    
    * rendering/RenderBox.cpp:
    (WebCore::RenderBox::styleWillChange): In case of a transition between
    absolute and fixed position, mark the parent as having a child needing
    layout, so that this object will get inserted into its new container's
    positioned objects list.
    * rendering/RenderObject.cpp:
    (WebCore::RenderObject::styleWillChange): Changed a condition to cover
    this transition, so that this object gets removed from its current
    container's positioned objects list.
    
    LayoutTests: Test for <rdar://problem/7094146> Reproducible crash at
    RenderObject::localToAbsolute()
    
    Reviewed by Simon Fraser.
    
    * fast/dynamic/position-absolute-to-fixed-crash-expected.txt: Added.
    * fast/dynamic/position-absolute-to-fixed-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49484 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index fdfd851..67509d5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-12  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Test for <rdar://problem/7094146> Reproducible crash at
+        RenderObject::localToAbsolute()
+
+        * fast/dynamic/position-absolute-to-fixed-crash-expected.txt: Added.
+        * fast/dynamic/position-absolute-to-fixed-crash.html: Added.
+
 2009-10-12  Dirk Schulze  <krit at webkit.org>
 
         Reviewed by Nikolas Zimmermann.
diff --git a/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash-expected.txt b/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash-expected.txt
new file mode 100644
index 0000000..ca718bd
--- /dev/null
+++ b/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash-expected.txt
@@ -0,0 +1,5 @@
+Test for rdar://problem/7094146 Reproducible crash at RenderObject::localToAbsolute().
+
+This crash occurred after an object’s position changed directly from absolute to fixed, and it was not added to the RenderView’s positioned objects list nor removed from its old container’s list.
+
+
diff --git a/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash.html b/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash.html
new file mode 100644
index 0000000..0b46028
--- /dev/null
+++ b/LayoutTests/fast/dynamic/position-absolute-to-fixed-crash.html
@@ -0,0 +1,35 @@
+<head>
+    <script>
+        if (layoutTestController)
+            layoutTestController.dumpAsText();
+
+        function test()
+        {
+            document.body.offsetTop;
+            var s = document.getElementById("target").style;
+            s.setProperty("position", "fixed");
+            document.body.offsetTop;
+            s.setProperty("overflow", "hidden");
+            s.setProperty("height", "0");
+            s.setProperty("width", "0");
+            document.body.offsetTop;
+            s.setProperty("display", "none");
+        }
+    </script>
+</head>
+<body onload="test()">
+    <p>
+        Test for <i><a href="rdar://problem/7094146">rdar://problem/7094146</a>
+        Reproducible crash at RenderObject::localToAbsolute()</i>.
+    </p>
+    <p>
+        This crash occurred after an object&rsquo;s position changed directly
+        from absolute to fixed, and it was not added to the RenderView&rsquo;s
+        positioned objects list nor removed from its old container&rsquo;s list. 
+    </p>
+    <div style="position: relative;">
+        <div id="target" style="top: 50px; position: absolute;">
+            <div style="height: 50px; width: 50px; background-color: red;"></div>
+        </div>
+    </div>
+</body>
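Review bot: `if (layoutTestController)` at the top of the script throws a ReferenceError when the page is opened in a plain browser (the identifier is undeclared outside DumpRenderTree); the usual idiom in these tests is `if (window.layoutTestController)`, which evaluates to `undefined` instead of throwing. The function still runs because `test()` is hoisted, but the console error is noise when reproducing the crash by hand. Also consider a one-line comment on the `document.body.offsetTop;` statements noting they are there to force synchronous layout between the style changes, since the absolute-to-fixed transition on line 89 is the step that exercised the stale positioned-objects list.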
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e78a5ec..f82cde7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2009-10-12  Dan Bernstein  <mitz at apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Fix <rdar://problem/7094146> Reproducible crash at
+        RenderObject::localToAbsolute()
+
+        Test: fast/dynamic/position-absolute-to-fixed-crash.html
+
+        The crash was caused by stale positioned objects lists following an
+        object transitioning from being absolutely position to being fixed
+        positioned.
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::styleWillChange): In case of a transition between
+        absolute and fixed position, mark the parent as having a child needing
+        layout, so that this object will get inserted into its new container's
+        positioned objects list.
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::styleWillChange): Changed a condition to cover
+        this transition, so that this object gets removed from its current
+        container's positioned objects list.
+
 2009-10-12  Kenneth Rohde Christiansen  <kenneth at webkit.org>
 
         Reviewed by Simon Hausmann.
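Review bot: typo in the new ChangeLog entry, "from being absolutely position to being fixed positioned" should read "from being absolutely positioned to being fixed positioned"; the same wording appears in the commit message.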
diff --git a/WebCore/rendering/RenderBox.cpp b/WebCore/rendering/RenderBox.cpp
index 4e045af..1df82a4 100644
--- a/WebCore/rendering/RenderBox.cpp
+++ b/WebCore/rendering/RenderBox.cpp
@@ -139,6 +139,8 @@ void RenderBox::styleWillChange(StyleDifference diff, const RenderStyle* newStyl
             markContainingBlocksForLayout();
             if (style()->position() == StaticPosition)
                 repaint();
+            else if (newStyle->position() == AbsolutePosition || newStyle->position() == FixedPosition)
+                parent()->setChildNeedsLayout(true);
             if (isFloating() && !isPositioned() && (newStyle->position() == AbsolutePosition || newStyle->position() == FixedPosition))
                 removeFloatingOrPositionedChildFromBlockLists();
         }
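Review bot: the new `else if` fires for any non-static old position when the new position is absolute or fixed, so it also covers relative-to-absolute and relative-to-fixed, not only the absolute/fixed transition the ChangeLog describes; that is harmless (an extra child-needs-layout mark) but the ChangeLog should say so, or the condition should additionally check `style()->position() == AbsolutePosition || style()->position() == FixedPosition` if the narrower behaviour is intended. `parent()` is dereferenced without a null check here; if this path is only reachable for boxes that always have a parent (RenderView never sees a position change), a brief comment stating that assumption would help the next reader.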
diff --git a/WebCore/rendering/RenderObject.cpp b/WebCore/rendering/RenderObject.cpp
index fe0f197..a10ffd9 100644
--- a/WebCore/rendering/RenderObject.cpp
+++ b/WebCore/rendering/RenderObject.cpp
@@ -1568,7 +1568,7 @@ void RenderObject::styleWillChange(StyleDifference diff, const RenderStyle* newS
             // For changes in float styles, we need to conceivably remove ourselves
             // from the floating objects list.
             toRenderBox(this)->removeFloatingOrPositionedChildFromBlockLists();
-        else if (isPositioned() && (newStyle->position() != AbsolutePosition && newStyle->position() != FixedPosition))
+        else if (isPositioned() && (m_style->position() != newStyle->position()))
             // For changes in positioning styles, we need to conceivably remove ourselves
             // from the positioned objects list.
             toRenderBox(this)->removeFloatingOrPositionedChildFromBlockLists();
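Review bot: the widened condition `m_style->position() != newStyle->position()` now removes the object from its container's positioned objects list on absolute-to-fixed and fixed-to-absolute changes as well as on positioned-to-non-positioned, which is the intended fix, but the two-line comment between the `else if` and its single statement still only talks about "changes in positioning styles" and predates the change; wrapping the branch in braces would make it clearer that the comment belongs to the statement rather than sitting between condition and body. Style point: this function uses `m_style->position()` on the new line while the RenderBox hunk in the same patch uses `style()->position()`; pick one accessor for consistency.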

-- 
WebKit Debian packaging