Title: [166601] trunk
Revision: 166601
Author: dba...@webkit.org
Date: 2014-04-01 12:38:13 -0700 (Tue, 01 Apr 2014)

Log Message

RenderQuote must destroy remaining text renderer before first letter renderer
https://bugs.webkit.org/show_bug.cgi?id=78023
<rdar://problem/10830009>

Reviewed by Brent Fulgham.

Merged from Blink (patch by Abhishek Arya):
https://src.chromium.org/viewvc/blink?view=rev&revision=151270

Source/WebCore:

Following the fix for <https://bugs.webkit.org/show_bug.cgi?id=114586>, a
RenderQuote may have child render objects for the first letter of its text
and everything following the first letter so as to support the CSS first-
letter property. The latter renderer is responsible for destroying the former
on destruction. It's sufficient to reverse the destruction of the children of
RenderQuote to ensure that we destroy the remaining text renderer before we
destroy the first letter renderer.

Test: fast/css-generated-content/quote-first-letter-crash.html

* rendering/RenderQuote.cpp:
(WebCore::RenderQuote::updateText):

LayoutTests:

* fast/css-generated-content/quote-first-letter-crash-expected.txt: Added.
* fast/css-generated-content/quote-first-letter-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (166600 => 166601)


--- trunk/LayoutTests/ChangeLog	2014-04-01 19:21:34 UTC (rev 166600)
+++ trunk/LayoutTests/ChangeLog	2014-04-01 19:38:13 UTC (rev 166601)
@@ -1,3 +1,17 @@
+2014-04-01  Daniel Bates  <daba...@apple.com>
+
+        RenderQuote must destroy remaining text renderer before first letter renderer
+        https://bugs.webkit.org/show_bug.cgi?id=78023
+        <rdar://problem/10830009>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Abhishek Arya):
+        https://src.chromium.org/viewvc/blink?view=rev&revision=151270
+
+        * fast/css-generated-content/quote-first-letter-crash-expected.txt: Added.
+        * fast/css-generated-content/quote-first-letter-crash.html: Added.
+
 2014-04-01  David Kilzer  <ddkil...@apple.com>
 
         Do not allow HTTP refresh headers to refresh to _javascript_: URLs

Added: trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash-expected.txt (0 => 166601)


--- trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash-expected.txt	2014-04-01 19:38:13 UTC (rev 166601)
@@ -0,0 +1 @@
+PASS. Test didn't crash.

Added: trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash.html (0 => 166601)


--- trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash.html	2014-04-01 19:38:13 UTC (rev 166601)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<style>
+.class1::first-letter { position: inherit; }
+.class1:after { visibility: inherit; content: open-quote; }
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function crash() {
+    element1 = document.createElement('hr');
+    element1.setAttribute('class', 'class1');
+    document.documentElement.appendChild(element1);
+    element2 = document.createElement('td');
+    element2.setAttribute('class', 'class1');
+    document.documentElement.appendChild(element2);
+    document.documentElement.offsetTop;
+    document.open();
+    document.write("PASS. Test didn't crash.");
+    document.close();
+}
+window._onload_ = crash;
+</script>
+</html>
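Review bot: `window._onload_ = crash;` on the last line of the script assigns to a property named `_onload_`, which is not the load event handler, so as written `crash()` is never called and the page never writes the "PASS. Test didn't crash." text that quote-first-letter-crash-expected.txt requires. This should read `window.onload = crash;`. Separately, `element1` and `element2` inside `crash()` are assigned without `var` and become implicit globals; declaring them locally would keep the test self-contained.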
Property changes on: trunk/LayoutTests/fast/css-generated-content/quote-first-letter-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (166600 => 166601)


--- trunk/Source/WebCore/ChangeLog	2014-04-01 19:21:34 UTC (rev 166600)
+++ trunk/Source/WebCore/ChangeLog	2014-04-01 19:38:13 UTC (rev 166601)
@@ -1,3 +1,27 @@
+2014-04-01  Daniel Bates  <daba...@apple.com>
+
+        RenderQuote must destroy remaining text renderer before first letter renderer
+        https://bugs.webkit.org/show_bug.cgi?id=78023
+        <rdar://problem/10830009>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Abhishek Arya):
+        https://src.chromium.org/viewvc/blink?view=rev&revision=151270
+
+        Following the fix for <https://bugs.webkit.org/show_bug.cgi?id=114586>, a
+        RenderQuote may have child render objects for the first letter of its text
+        and everything following the first letter so as to support the CSS first-
+        letter property. The latter renderer is responsible for destroying the former
+        on destruction. It's sufficient to reverse the destruction of the children of
+        RenderQuote to ensure that we destroy the remaining text renderer before we
+        destroy the first letter renderer.
+
+        Test: fast/css-generated-content/quote-first-letter-crash.html
+
+        * rendering/RenderQuote.cpp:
+        (WebCore::RenderQuote::updateText):
+
 2014-04-01  David Kilzer  <ddkil...@apple.com>
 
         Do not allow HTTP refresh headers to refresh to _javascript_: URLs
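Review bot: the explanatory paragraph calls first-letter a "CSS first- letter property", with the name split across the line wrap, while the accompanying test selects it as `.class1::first-letter`, a pseudo-element. Suggest writing it as "the CSS ::first-letter pseudo-element" on a single line so the entry can be found by searching for the name. The sentence "The latter renderer is responsible for destroying the former" would also be easier to follow if it named the two renderers (remaining text and first letter) instead of relying on "latter" and "former".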

Modified: trunk/Source/WebCore/rendering/RenderQuote.cpp (166600 => 166601)


--- trunk/Source/WebCore/rendering/RenderQuote.cpp	2014-04-01 19:21:34 UTC (rev 166600)
+++ trunk/Source/WebCore/rendering/RenderQuote.cpp	2014-04-01 19:38:13 UTC (rev 166601)
@@ -343,7 +343,7 @@
     if (m_text == text)
         return;
 
-    while (RenderObject* child = firstChild())
+    while (RenderObject* child = lastChild())
         child->destroy();
 
     if (text == emptyString() || text == String()) {
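Review bot: the `while (RenderObject* child = lastChild())` loop now depends on an ownership and ordering rule that nothing in the code states. Per the ChangeLog entry, the remaining-text renderer destroys the first-letter renderer when it is itself destroyed, so it has to be destroyed first. Add a short comment above the loop saying why it walks from `lastChild()`, so that a later cleanup does not change it back to `firstChild()` and again destroy the first-letter renderer before the sibling that still expects to destroy it.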
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
