Add LayoutTest for crash with bidi isolates
author ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 Apr 2014 14:52:23 +0000 (14:52 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 Apr 2014 14:52:23 +0000 (14:52 +0000)
Merged from Blink (patch by jww@chromium.org):
https://src.chromium.org/viewvc/blink?revision=156580&view=revision
http://crbug.com/265838

See Bug 120504: Fix nested unicode-bidi: isolate
<https://bugs.webkit.org/show_bug.cgi?id=120504>
<http://trac.webkit.org/changeset/155554>

* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166645 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt [new file with mode: 0644]
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html [new file with mode: 0644]

index 44796ef86e1a428b8fde29fc29f5902ba6a69377..02b555abf0f4892320069bf45f57005d413fddbf 100644 (file)
@@ -1,3 +1,18 @@
+2014-04-02  David Kilzer  <ddkilzer@apple.com>
+
+        Add LayoutTest for crash with bidi isolates
+
+        Merged from Blink (patch by jww@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=156580&view=revision
+        http://crbug.com/265838
+
+        See Bug 120504: Fix nested unicode-bidi: isolate
+        <https://bugs.webkit.org/show_bug.cgi?id=120504>
+        <http://trac.webkit.org/changeset/155554>
+
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Added.
+
 2014-04-02  Ion Rosca  <rosca@adobe.com>
 
         [CSS Blending] Compositing requirements for blending are not computed correctly
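Review bot: The new ChangeLog entry describes the problem only as a "crash with bidi isolates", while the header comment of the test it adds names it as a use-after-free triggered when adjacent, nested isolates are later removed. Saying "use-after-free" in the entry title or body would make the memory-safety nature of the regression visible to anyone scanning the log. The "See Bug 120504" lines also leave it unstated whether changeset 155554 is the fix this test guards; one sentence saying so would tell a reader which change to suspect if the test starts failing.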
diff --git a/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt b/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt
new file mode 100644 (file)
index 0000000..ac917dd
--- /dev/null
@@ -0,0 +1,4 @@
+ bar                      
+
+
+PASS did not crash
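Review bot: The first expected line is " bar" followed by a long run of trailing spaces, so the text comparison depends on whitespace that is invisible in most viewers and that editors or whitespace-cleanup hooks tend to strip. Consider marking this file as whitespace-sensitive, or reducing the whitespace in the test markup so the expected output is only "bar" and "PASS did not crash", since the property under test is the absence of a crash rather than the exact spacing.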
diff --git a/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html b/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html
new file mode 100644 (file)
index 0000000..8d02134
--- /dev/null
@@ -0,0 +1,36 @@
+<!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+function remove(node)
+{
+    node.parentNode.removeChild(node);
+}
+
+window.onload = function()
+{
+    document.body.offsetTop;
+    remove(b.lastChild);
+    document.body.offsetTop;
+    remove(a.firstChild);
+    document.body.offsetTop;
+
+    document.body.appendChild(document.createTextNode("PASS did not crash"));
+}
+</script>
+
+<body>
+  <div id="a">foo</div>
+  <div></div>
+  <div>
+    <output>
+        <output>bar</output>
+        <span id="b">
+            <span><div style="display:inline-block"></div><br><br><br></span>
+        </span>
+    </output>
+  </div>
+</body>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
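Review bot: In the onload handler, remove(b.lastChild) and remove(a.firstChild) select nodes by position, and with the markup as written b.lastChild is the whitespace text node between the inner span's closing tag and the closing tag of span id="b", so re-indenting or minifying the HTML would silently change which node is removed and could stop the test from exercising the nested-isolate path. A short comment next to those calls saying that the whitespace is significant would protect against that, as would looking the elements up with document.getElementById("a") and document.getElementById("b") instead of relying on the implicit globals a and b. Separately, the only pass criterion is reaching the "PASS did not crash" line; a use-after-free does not always fault in a regular build, so it is worth noting in the header comment that the test is most meaningful when run under a memory-checking build such as AddressSanitizer.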