-
zoltan@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=111594 Patch by Bem Jones-Bey <bjonesbe@adobe.com> on 2013-04-05 Reviewed by David Hyatt. Source/WebCore: Swapping the bases was causing any floats in the right base to be lost, so change the code so that it no longer swaps the bases. Test: fast/ruby/float-object-doesnt-crash.html * rendering/RenderRubyRun.cpp: (WebCore::RenderRubyRun::removeChild): Don't swap the bases anymore. LayoutTests: Add test to verify that the use-after-free is fixed. Note that it will only crash when run under a memory checking tool like ASAN. * fast/ruby/float-object-doesnt-crash-expected.txt: Added. * fast/ruby/float-object-doesnt-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147765 268f45cc-cd09-0410-ab3c-d52691b4dbfc
50d1bc7d