Title: [119632] branches/chromium/1132
- Revision
- 119632
- Author
- [email protected]
- Date
- 2012-06-06 16:04:10 -0700 (Wed, 06 Jun 2012)
Log Message
Merge 118816
BUG=129947
Review URL: https://chromiumcodereview.appspot.com/10533037
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt (from rev 118816, trunk/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt) (0 => 119632)
--- branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash-expected.txt 2012-06-06 23:04:10 UTC (rev 119632)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Copied: branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html (from rev 118816, trunk/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html) (0 => 119632)
--- branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/text/text-fragment-first-letter-update-crash.html 2012-06-06 23:04:10 UTC (rev 119632)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+#el0 { -webkit-columns: 1; }
+#el2:first-of-type { }
+#el2:first-letter { content: counter(c); }
+#el3 { -webkit-column-span: all; content: counter(c) attr(A); }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+el0 = document.createElement('div');
+el0.setAttribute('id', 'el0');
+document.body.appendChild(el0);
+el1=document.createElement('b');
+el0.appendChild(el1);
+el1.appendChild(document.createTextNode('A'));
+el2=document.createElement('div');
+el2.setAttribute('id','el2');
+el0.appendChild(el2);
+el3=document.createElement('div');
+el3.setAttribute('id', 'el3');
+el2.appendChild(el3);
+document.designMode = 'on';
+document.execCommand('selectall');
+el2.appendChild(document.createTextNode('AA'));
+document.designMode = 'on';
+document.execCommand('selectall');
+document.execCommand('removeFormat');
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+
+</script>
+</body>
+</html>
\ No newline at end of file
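Review bot: The test never states what it covers, so a later failure gives no hint that it guards a renderer-lifetime bug in first-letter handling. Add a comment at the top of the script, for example `// Regression test for BUG=129947: a style change on a first-letter text fragment must not crash.` The repeated `document.designMode = 'on'` / `document.execCommand('selectall')` pair looks like fuzzer residue. If the second pair is not needed to reach the crashing path, dropping it would make the test easier to maintain.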
Modified: branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp (119631 => 119632)
--- branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp 2012-06-06 22:59:14 UTC (rev 119631)
+++ branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp 2012-06-06 23:04:10 UTC (rev 119632)
@@ -1782,9 +1782,15 @@
if (m_style->outlineWidth() > 0 && m_style->outlineSize() > maximalOutlineSize(PaintPhaseOutline))
toRenderView(document()->renderer())->setMaximalOutlineSize(m_style->outlineSize());
+ bool doesNotNeedLayout = !m_parent || isText();
+
styleDidChange(diff, oldStyle.get());
- if (!m_parent || isText())
+ // FIXME: |this| might be destroyed here. This can currently happen for a RenderTextFragment when
+ // its first-letter block gets an update in RenderTextFragment::styleDidChange. For RenderTextFragment(s),
+ // we will safely bail out with the doesNotNeedLayout flag. We might want to broaden this condition
+ // in the future as we move renderer changes out of layout and into style changes.
+ if (doesNotNeedLayout)
return;
// Now that the layer (if any) has been updated, we need to adjust the diff again,
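Review bot: The early return only protects renderers for which `!m_parent || isText()` was already true before `styleDidChange(diff, oldStyle.get())` ran. Any other renderer destroyed inside `styleDidChange` still falls through `if (doesNotNeedLayout)` into the code below, which reads members of a freed object. The FIXME says this happens only for RenderTextFragment today, but nothing in the hunk enforces that. The caller, which is outside the hunk, presumably still holds the renderer pointer after this function returns. I would make the contract explicit in the comment, for example `// Do not touch any member of |this| after styleDidChange(); callers must treat the renderer as possibly deleted.` The enclosing function starts and ends outside the hunk, so the remaining uses of `this` after the return cannot be checked from here.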