Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge r166645 - Add LayoutTest for crash with bidi isolates
Merged from Blink (patch by jww@chromium.org): https://src.chromium.org/viewvc/blink?revision=156580&view=revision http://crbug.com/265838 See Bug 120504: Fix nested unicode-bidi: isolate <https://bugs.webkit.org/show_bug.cgi?id=120504> <http://trac.webkit.org/changeset/155554> * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Added. * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Added.
- Loading branch information
1 parent
e3a8233
commit 66c0d46
Showing
3 changed files
with
55 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 4 additions & 0 deletions
4
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| bar | ||
|
|
||
|
|
||
| PASS did not crash |
36 changes: 36 additions & 0 deletions
36
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| <!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. --> | ||
| <script> | ||
| function remove(node) | ||
| { | ||
| node.parentNode.removeChild(node); | ||
| } | ||
|
|
||
| window.onload = function() | ||
| { | ||
| document.body.offsetTop; | ||
| remove(b.lastChild); | ||
| document.body.offsetTop; | ||
| remove(a.firstChild); | ||
| document.body.offsetTop; | ||
|
|
||
| document.body.appendChild(document.createTextNode("PASS did not crash")); | ||
| } | ||
| </script> | ||
|
|
||
| <body> | ||
| <div id="a">foo</div> | ||
| <div></div> | ||
| <div> | ||
| <output> | ||
| <output>bar</output> | ||
| <span id="b"> | ||
| <span><div style="display:inline-block"></div><br><br><br></span> | ||
| </span> | ||
| </output> | ||
| </div> | ||
| </body> | ||
|
|
||
| <script> | ||
| if (window.testRunner) | ||
| testRunner.dumpAsText(); | ||
| </script> |