Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(205)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html

Issue 23972003: Update containtingIsolate to go back all the way to top isolate from current (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 7 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt » ('j') | Source/core/rendering/InlineIterator.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
diff --git a/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html b/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
new file mode 100644
index 0000000000000000000000000000000000000000..877cc6bf383c4d24de7ef92bd81130fa663469ef
--- /dev/null
+++ b/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
@@ -0,0 +1,39 @@
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
leviw_travelin_and_unemployed 2013/09/04 22:00:24 <!doctype html>?
jww 2013/09/04 22:37:26 I'm happy to make all of the changes here, but thi
leviw_travelin_and_unemployed 2013/09/04 22:46:25 I'd say yes :)
jww 2013/09/04 23:12:15 Done.
+<script>
+function remove(node)
leviw_travelin_and_unemployed 2013/09/04 22:00:24 This seems somewhat unnecessary.
jww 2013/09/04 22:37:26 See above response.
+{
+ node.parentNode.removeChild(node);
+}
+
+window.onload = function() {
+ document.body.offsetTop;
+ remove(b.lastChild);
+ document.body.offsetTop;
+ remove(a.nextSibling);
+ document.body.offsetTop;
+
+ document.body.appendChild(document.createTextNode("PASS did not crash"));
leviw_travelin_and_unemployed 2013/09/04 22:00:24 I'd probably just use document.write so "foo" and
jww 2013/09/04 22:37:26 See above response.
+}
+</script>
+
+<body>
+ <div id="a">foo</div><div>baz</div><div></div>
+ <div>
+ <output>
+ <span>
+ <output>bar</output>
+ <span id="b">
+ <span>
+ <div style="display:inline-block"></div>
+ <br><br>
+ </span>
+ </span>
+ </span>
+ </output>
+ </div>
+</body>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
« no previous file with comments | « no previous file | LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt » ('j') | Source/core/rendering/InlineIterator.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698