Title: [98010] trunk
- Revision
- 98010
- Author
- [email protected]
- Date
- 2011-10-20 12:20:53 -0700 (Thu, 20 Oct 2011)
Log Message
Crash in updateFirstLetter on :after generated content
https://bugs.webkit.org/show_bug.cgi?id=70031
Patch by Ken Buchanan <[email protected]> on 2011-10-20
Reviewed by David Hyatt.
Source/WebCore:
Preventing findBeforeAfterParent() from returning a first-letter block and overwriting its style.
Instead, it returns the block's parent.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::updateFirstLetter):
* rendering/RenderObjectChildList.cpp:
(WebCore::findBeforeAfterParent)
(WebCore::RenderObjectChildList::updateBeforeAfterContent): First-letter siblings now already have style applied, so this clause is redundant
LayoutTests:
Added test for crash condition with a floating first-letter on after content
* fast/css-generated-content/after-with-first-letter-float-crash.html: Added
* fast/css-generated-content/after-with-first-letter-float-crash-expected.txt: Added
Modified Paths
Added Paths
Property Changed
Diff
Modified: trunk/LayoutTests/ChangeLog (98009 => 98010)
--- trunk/LayoutTests/ChangeLog 2011-10-20 19:10:33 UTC (rev 98009)
+++ trunk/LayoutTests/ChangeLog 2011-10-20 19:20:53 UTC (rev 98010)
@@ -1,3 +1,15 @@
+2011-10-20 Ken Buchanan <[email protected]>
+
+ Crash in updateFirstLetter on :after generated content
+ https://bugs.webkit.org/show_bug.cgi?id=70031
+
+ Reviewed by David Hyatt.
+
+ Added test for crash condition with a floating first-letter on after content
+
+ * fast/css-generated-content/after-with-first-letter-float-crash.html: Added
+ * fast/css-generated-content/after-with-first-letter-float-crash-expected.txt: Added
+
2011-10-20 Leandro Pereira <[email protected]>
Unreviewed. Add EFL baselines for the selectors, table, text,
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash-expected.txt (0 => 98010)
--- trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash-expected.txt 2011-10-20 19:20:53 UTC (rev 98010)
@@ -0,0 +1 @@
+PASS, if the script does not cause a crash or ASSERT failure
Property changes on: trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash-expected.txt
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash.html (0 => 98010)
--- trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash.html 2011-10-20 19:20:53 UTC (rev 98010)
@@ -0,0 +1,19 @@
+<html>
+ <body>
+ <style type="text/css">
+ div::first-letter { float: right; content: "AB" }
+ div::after { display: table; content: "CD" }
+ </style>
+ <div></div>
+ PASS, if the script does not cause a crash or ASSERT failure
+ <script>
+ function runTest() {
+ document.body.offsetTop;
+ document.body.style.color = "blue";
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ }
+ window._onload_ = runTest;
+ </script>
+ </body>
+</html>
Property changes on: trunk/LayoutTests/fast/css-generated-content/after-with-first-letter-float-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (98009 => 98010)
--- trunk/Source/WebCore/ChangeLog 2011-10-20 19:10:33 UTC (rev 98009)
+++ trunk/Source/WebCore/ChangeLog 2011-10-20 19:20:53 UTC (rev 98010)
@@ -1,3 +1,19 @@
+2011-10-20 Ken Buchanan <[email protected]>
+
+ Crash in updateFirstLetter on :after generated content
+ https://bugs.webkit.org/show_bug.cgi?id=70031
+
+ Reviewed by David Hyatt.
+
+ Preventing findBeforeAfterParent() from returning a first-letter block and overwriting its style.
+ Instead, it returns the block's parent.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::updateFirstLetter):
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::findBeforeAfterParent)
+ (WebCore::RenderObjectChildList::updateBeforeAfterContent): First-letter siblings now already have style applied, so this clause is redundant
+
2011-10-20 Simon Fraser <[email protected]>
Add a way to print the Frame tree from the debugger.
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (98009 => 98010)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-10-20 19:10:33 UTC (rev 98009)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-10-20 19:20:53 UTC (rev 98010)
@@ -5585,6 +5585,7 @@
RenderObject* firstLetter = currChild->parent();
RenderObject* firstLetterContainer = firstLetter->parent();
RenderStyle* pseudoStyle = styleForFirstLetter(firstLetterBlock, firstLetterContainer);
+ ASSERT(firstLetter->isFloating() || firstLetter->isInline());
if (Node::diff(firstLetter->style(), pseudoStyle) == Node::Detach) {
// The first-letter renderer needs to be replaced. Create a new renderer of the right type.
@@ -5615,7 +5616,7 @@
next = next->nextSibling();
}
if (remainingText) {
- ASSERT(remainingText->node()->renderer() == remainingText);
+ ASSERT(remainingText->isAnonymous() || remainingText->node()->renderer() == remainingText);
// Replace the old renderer with the new one.
remainingText->setFirstLetter(newFirstLetter);
}
Modified: trunk/Source/WebCore/rendering/RenderObjectChildList.cpp (98009 => 98010)
--- trunk/Source/WebCore/rendering/RenderObjectChildList.cpp 2011-10-20 19:10:33 UTC (rev 98009)
+++ trunk/Source/WebCore/rendering/RenderObjectChildList.cpp 2011-10-20 19:20:53 UTC (rev 98010)
@@ -286,9 +286,13 @@
if (!(object->isTable() || object->isTableSection() || object->isTableRow()))
return object;
+ // If there is a :first-letter style applied on the :before or :after content,
+ // then we want the parent of the first-letter block
RenderObject* beforeAfterParent = object;
- while (beforeAfterParent && !(beforeAfterParent->isText() || beforeAfterParent->isImage()))
+ while (beforeAfterParent && !(beforeAfterParent->isText() || beforeAfterParent->isImage())
+ && (beforeAfterParent->style()->styleType() != FIRST_LETTER))
beforeAfterParent = beforeAfterParent->firstChild();
+
return beforeAfterParent ? beforeAfterParent->parent() : 0;
}
@@ -449,14 +453,6 @@
ASSERT(genChild->isListMarker() || genChild->style()->styleType() == FIRST_LETTER);
}
}
-
- // Update style on the remaining text fragment after the first-letter.
- if (beforeAfterParent->style()->styleType() == FIRST_LETTER) {
- if (RenderObject* nextSibling = beforeAfterParent->nextSibling()) {
- if (nextSibling->isText() && nextSibling->style()->styleType() == child->style()->styleType())
- nextSibling->setStyle(pseudoElementStyle);
- }
- }
}
return; // We've updated the generated content. That's all we needed to do.
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
