Title: [142788] trunk
Revision: 142788
Author: [email protected]
Date: 2013-02-13 13:36:34 -0800 (Wed, 13 Feb 2013)

Log Message

Crash when encountering <object style="resize:both;">
https://bugs.webkit.org/show_bug.cgi?id=109728

Source/WebCore:

See also https://code.google.com/p/chromium/issues/detail?id=175535
This bug can be reproduced on
http://dramalink.net/tudou.y/?xink=162601060

Patch by Christian Biesinger <[email protected]> on 2013-02-13
Reviewed by Eric Seidel.

Test: fast/css/resize-object-crash.html

* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::paint):
Only call paintResizer() if we have a layer and canResize() is true

LayoutTests:

See also https://code.google.com/p/chromium/issues/detail?id=175535

Patch by Christian Biesinger <[email protected]> on 2013-02-13
Reviewed by Eric Seidel.

* fast/css/resize-object-crash-expected.txt: Added.
* fast/css/resize-object-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (142787 => 142788)


--- trunk/LayoutTests/ChangeLog	2013-02-13 21:33:18 UTC (rev 142787)
+++ trunk/LayoutTests/ChangeLog	2013-02-13 21:36:34 UTC (rev 142788)
@@ -1,3 +1,15 @@
+2013-02-13  Christian Biesinger  <[email protected]>
+
+        Crash when encountering <object style="resize:both;">
+        https://bugs.webkit.org/show_bug.cgi?id=109728
+
+        See also https://code.google.com/p/chromium/issues/detail?id=175535
+
+        Reviewed by Eric Seidel.
+
+        * fast/css/resize-object-crash-expected.txt: Added.
+        * fast/css/resize-object-crash.html: Added.
+
 2013-02-13  Kondapally Kalyan  <[email protected]>
 
         [WebGL][EFL][GTK][Qt]Add support for OES_vertex_array_object.

Added: trunk/LayoutTests/fast/css/resize-object-crash-expected.txt (0 => 142788)


--- trunk/LayoutTests/fast/css/resize-object-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/resize-object-crash-expected.txt	2013-02-13 21:36:34 UTC (rev 142788)
@@ -0,0 +1,2 @@
+
+PASS

Added: trunk/LayoutTests/fast/css/resize-object-crash.html (0 => 142788)


--- trunk/LayoutTests/fast/css/resize-object-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/resize-object-crash.html	2013-02-13 21:36:34 UTC (rev 142788)
@@ -0,0 +1,21 @@
+<html>
+<head>
+    <title></title>
+    <script>
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+        }
+    </script>
+    <style>
+        object {
+            resize: both !important;
+        }
+    </style>
+</head>
+<body>
+    <!--
+    Test for https://crbug.com/175535 - Crash with <object style="resize:both">
+    -->
+    <object></object><br>
+    PASS
+</body>
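Review bot: The test document stops at `</body>` with no closing `</html>`, and the rule in the `<style>` block uses `resize: both !important` while the bug title and the HTML comment describe the inline form `<object style="resize:both">`. Consider closing the `html` element and either adding a second case with `<object style="resize:both;">` or a comment saying why the stylesheet rule with `!important` is what triggers the crash. Since `PASS` is static text, the test only shows that the page did not crash; a line in the comment saying so would help whoever has to rebaseline it later.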

Modified: trunk/Source/WebCore/ChangeLog (142787 => 142788)


--- trunk/Source/WebCore/ChangeLog	2013-02-13 21:33:18 UTC (rev 142787)
+++ trunk/Source/WebCore/ChangeLog	2013-02-13 21:36:34 UTC (rev 142788)
@@ -1,3 +1,20 @@
+2013-02-13  Christian Biesinger  <[email protected]>
+
+        Crash when encountering <object style="resize:both;">
+        https://bugs.webkit.org/show_bug.cgi?id=109728
+
+        See also https://code.google.com/p/chromium/issues/detail?id=175535
+        This bug can be reproduced on
+        http://dramalink.net/tudou.y/?xink=162601060
+
+        Reviewed by Eric Seidel.
+
+        Test: fast/css/resize-object-crash.html
+
+        * rendering/RenderWidget.cpp:
+        (WebCore::RenderWidget::paint):
+        Only call paintResizer() if we have a layer and canResize() is true
+
 2013-02-13  Arko Saha  <[email protected]>
 
         [Microdata] HTMLPropertiesCollection code cleanup
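Review bot: The entry for `WebCore::RenderWidget::paint` states the new condition but not why the old one crashed, and the only reproduction pointer in the text is a third-party URL that may not stay available. Suggest adding one sentence on the cause (the added `hasLayer()` check implies the widget can reach this code without a layer while a resize style is set) and pointing to `fast/css/resize-object-crash.html` as the durable reproduction.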

Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (142787 => 142788)


--- trunk/Source/WebCore/rendering/RenderWidget.cpp	2013-02-13 21:33:18 UTC (rev 142787)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp	2013-02-13 21:36:34 UTC (rev 142788)
@@ -312,7 +312,7 @@
         paintInfo.context->fillRect(pixelSnappedIntRect(selectionRect()), selectionBackgroundColor(), style()->colorSpace());
     }
 
-    if (style()->resize() != RESIZE_NONE)
+    if (hasLayer() && layer()->canResize())
         layer()->paintResizer(paintInfo.context, roundedIntPoint(adjustedPaintOffset), paintInfo.rect);
 }
 
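Review bot: In `RenderWidget::paint`, the old condition `style()->resize() != RESIZE_NONE` is removed outright, so the decision to paint the resizer now rests entirely on `layer()->canResize()`; that function is not shown in this diff, so please confirm it covers the removed style check. The `hasLayer()` guard is the part that addresses the crash, since the old line went on to call `layer()->paintResizer(...)` without checking that a layer exists. A one-line comment noting that a RenderWidget with a resize style may have no layer would keep the guard from being simplified away later.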
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
