Unreviewed, rolling out r105828.
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jan 2012 20:21:52 +0000 (20:21 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jan 2012 20:21:52 +0000 (20:21 +0000)
http://trac.webkit.org/changeset/105828
https://bugs.webkit.org/show_bug.cgi?id=77036

Caused many crashes in ClusterFuzz and PerformanceTests
(Requested by inferno-sec on #webkit).

Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-01-25

Source/WebCore:

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):
* rendering/RenderBlock.h:
(RenderBlock):

LayoutTests:

* fast/css-generated-content/float-first-letter-siblings-convert-to-inline-expected.txt: Removed.
* fast/css-generated-content/float-first-letter-siblings-convert-to-inline.html: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@105911 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline-expected.txt [deleted file]
LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline.html [deleted file]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderBlock.h

index a0441a56fabd33b4f7fb522641e516a64402d22d..f6629a01b2f4ada38fa7306dbe58016d3b9a3458 100644 (file)
@@ -1,3 +1,15 @@
+2012-01-25  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r105828.
+        http://trac.webkit.org/changeset/105828
+        https://bugs.webkit.org/show_bug.cgi?id=77036
+
+        Caused many crashes in ClusterFuzz and PerformanceTests
+        (Requested by inferno-sec on #webkit).
+
+        * fast/css-generated-content/float-first-letter-siblings-convert-to-inline-expected.txt: Removed.
+        * fast/css-generated-content/float-first-letter-siblings-convert-to-inline.html: Removed.
+
 2012-01-25  Adam Barth  <abarth@webkit.org>
 
         This test is actually flaky by timing out, not by failing.
diff --git a/LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline-expected.txt b/LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline-expected.txt
deleted file mode 100644 (file)
index 91145d1..0000000
+++ /dev/null
@@ -1 +0,0 @@
-PASS if no crash or assert
diff --git a/LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline.html b/LayoutTests/fast/css-generated-content/float-first-letter-siblings-convert-to-inline.html
deleted file mode 100644 (file)
index 9b05ac2..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-<style>
-.inlineFL::first-letter { overflow: visible; }
-.absolutePosition { position: absolute; }
-.floatFL:first-letter { float: right; }
-</style>
-<script>
-function recreateFirstLetterBlock() {
-  document.getElementById("parent").setAttribute('class', 'inlineFL');
-  if (window.layoutTestController)
-    layoutTestController.notifyDone();
-}
-function removeDiv() {
-  // This causes the parent to only have inline (and floating) children
-  document.getElementById("parent").removeChild(document.getElementById("child"));
-  setTimeout("recreateFirstLetterBlock();", 10);
-}
-
-function changeDivStyle() {
-  document.getElementById("child").setAttribute('class', 'inlineFL');
-  setTimeout("removeDiv();", 10);
-}
-function startTest() {
-  setTimeout("changeDivStyle();", 10);
-  if (window.layoutTestController) {
-    layoutTestController.waitUntilDone();
-    layoutTestController.dumpAsText();
-  }
-}
-window.onload = startTest;
-</script>
-<div id="parent" class="floatFL">
-  <div id="child" class="absolutePosition"></div>
-  PASS if no crash or assert
-</div>
index b0d76de1add6bd0c555bf8675ed6adf6276a84a7..c5302a3489ac9b178643c8e789a46726dc1bdea9 100644 (file)
@@ -1,3 +1,17 @@
+2012-01-25  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r105828.
+        http://trac.webkit.org/changeset/105828
+        https://bugs.webkit.org/show_bug.cgi?id=77036
+
+        Caused many crashes in ClusterFuzz and PerformanceTests
+        (Requested by inferno-sec on #webkit).
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild):
+        * rendering/RenderBlock.h:
+        (RenderBlock):
+
 2012-01-25  Shawn Singh  <shawnsingh@chromium.org>
 
         Fix the semantics of passing contentsVisible flag to GraphicsLayers
index badbc141aec045e6ce9af8a3e05461158eb34b48..ba5b01303b13a38160533a35d718c2c46cead368 100755 (executable)
@@ -1025,17 +1025,6 @@ static bool canMergeContiguousAnonymousBlocks(RenderObject* oldChild, RenderObje
            && prev->isAnonymousColumnSpanBlock() == next->isAnonymousColumnSpanBlock();
 }
 
-void RenderBlock::collapseAnonymousBoxChild(RenderBlock* parent, RenderObject* child)
-{
-    parent->setNeedsLayoutAndPrefWidthsRecalc();
-    parent->setChildrenInline(child->childrenInline());
-    RenderBlock* anonBlock = toRenderBlock(parent->children()->removeChildNode(parent, child, child->hasLayer()));
-    anonBlock->moveAllChildrenTo(parent, child->hasLayer());
-    // Delete the now-empty block's lines and nuke it.
-    anonBlock->deleteLineBoxTree();
-    anonBlock->destroy();
-}
-
 void RenderBlock::removeChild(RenderObject* oldChild)
 {
     // If this child is a block, and if our previous and next siblings are
@@ -1092,17 +1081,13 @@ void RenderBlock::removeChild(RenderObject* oldChild)
         // The removal has knocked us down to containing only a single anonymous
         // box.  We can go ahead and pull the content right back up into our
         // box.
-        collapseAnonymousBoxChild(this, child);
-    } else if ((prev && prev->isAnonymousBlock()) || (next && next->isAnonymousBlock())) {
-        // It's possible that the removal has knocked us down to a single anonymous
-        // block with pseudo-style element siblings (e.g. first-letter). If these
-        // are floating or positioned, then we need to pull the content up also.
-        RenderBlock* anonBlock = toRenderBlock((prev && prev->isAnonymousBlock()) ? prev : next);
-        if ((anonBlock->previousSibling() || anonBlock->nextSibling())
-            && (!anonBlock->previousSibling() || (anonBlock->previousSibling()->style()->styleType() != NOPSEUDO && anonBlock->previousSibling()->isFloatingOrPositioned()))
-            && (!anonBlock->nextSibling() || (anonBlock->nextSibling()->style()->styleType() != NOPSEUDO && anonBlock->nextSibling()->isFloatingOrPositioned()))) {
-            collapseAnonymousBoxChild(this, anonBlock);
-        }
+        setNeedsLayoutAndPrefWidthsRecalc();
+        setChildrenInline(child->childrenInline());
+        RenderBlock* anonBlock = toRenderBlock(children()->removeChildNode(this, child, child->hasLayer()));
+        anonBlock->moveAllChildrenTo(this, child->hasLayer());
+        // Delete the now-empty block's lines and nuke it.
+        anonBlock->deleteLineBoxTree();
+        anonBlock->destroy();
     }
 
     if (!firstChild() && !documentBeingDestroyed()) {
index 1db5deed8c93b71ebb571829083bf59f9aa0dc1c..6506dc8335e1e7760a004273868faab4dc2ca893 100644 (file)
@@ -461,8 +461,6 @@ private:
     void makeChildrenNonInline(RenderObject* insertionPoint = 0);
     virtual void removeLeftoverAnonymousBlock(RenderBlock* child);
 
-    static void collapseAnonymousBoxChild(RenderBlock* parent, RenderObject* child);
-
     virtual void dirtyLinesFromChangedChild(RenderObject* child) { m_lineBoxes.dirtyLinesFromChangedChild(this, child); }
 
     void addChildToContinuation(RenderObject* newChild, RenderObject* beforeChild);