Title: [109384] branches/chromium/963
- Revision
- 109384
- Author
- [email protected]
- Date
- 2012-03-01 12:00:24 -0800 (Thu, 01 Mar 2012)
Log Message
Merge 108417
BUG=114054
Review URL: https://chromiumcodereview.appspot.com/9568027
Modified Paths
Added Paths
Diff
Copied: branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt (from rev 108417, trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt) (0 => 109384)
--- branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt (rev 0)
+++ branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt 2012-03-01 20:00:24 UTC (rev 109384)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Copied: branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html (from rev 108417, trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html) (0 => 109384)
--- branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html (rev 0)
+++ branches/chromium/963/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html 2012-03-01 20:00:24 UTC (rev 109384)
@@ -0,0 +1,31 @@
+<style>
+ #el0 {
+ visibility: collapse;
+ }
+ #el1::first-letter {
+ height: 1;
+</style>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function crash(){
+ el0=document.createElement('div')
+ document.body.appendChild(el0)
+ el0.setAttribute('id','el0')
+ el1=document.createElement('div')
+ document.body.appendChild(el1)
+ el1.setAttribute('id','el1')
+ el0.appendChild(document.createTextNode(unescape(Array(40).join('A')+'%ufed5')));
+ el1.appendChild(document.createTextNode(unescape('A%u074b')));
+ document.body.offsetTop;
+ setTimeout(function () {
+ document.body.innerHTML = "PASS. WebKit didn't crash.";
+ layoutTestController.notifyDone();
+ }, 0);
+}
+window.scrollTop;
+window._onload_=crash
+</script>
Modified: branches/chromium/963/Source/WebCore/editing/TextIterator.cpp (109383 => 109384)
--- branches/chromium/963/Source/WebCore/editing/TextIterator.cpp 2012-03-01 19:58:33 UTC (rev 109383)
+++ branches/chromium/963/Source/WebCore/editing/TextIterator.cpp 2012-03-01 20:00:24 UTC (rev 109384)
@@ -487,25 +487,20 @@
return true;
}
- if (!renderer->firstTextBox() && str.length() > 0) {
- if (!m_handledFirstLetter && renderer->isTextFragment()) {
- handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
- if (m_firstLetterText) {
- handleTextBox();
- return false;
- }
- }
+ if (renderer->firstTextBox())
+ m_textBox = renderer->firstTextBox();
+
+ bool shouldHandleFirstLetter = !m_handledFirstLetter && renderer->isTextFragment() && !m_offset;
+ if (shouldHandleFirstLetter)
+ handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
+
+ if (!renderer->firstTextBox() && str.length() > 0 && !shouldHandleFirstLetter) {
if (renderer->style()->visibility() != VISIBLE && !m_ignoresStyleVisibility)
return false;
m_lastTextNodeEndedWithCollapsedSpace = true; // entire block is collapsed space
return true;
}
-
- m_textBox = renderer->firstTextBox();
- if (!m_handledFirstLetter && renderer->isTextFragment() && !m_offset)
- handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
-
if (m_firstLetterText)
renderer = m_firstLetterText;
@@ -562,6 +557,7 @@
nextTextBox = m_sortedTextBoxes[m_sortedTextBoxesPosition + 1];
} else
nextTextBox = m_textBox->nextTextBox();
+ ASSERT(!nextTextBox || nextTextBox->renderer() == renderer);
if (runStart < runEnd) {
// Handle either a single newline character (which becomes a space),
@@ -630,6 +626,7 @@
m_handledFirstLetter = true;
m_remainingTextBox = m_textBox;
m_textBox = firstLetter->firstTextBox();
+ m_sortedTextBoxes.clear();
m_firstLetterText = firstLetter;
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
