Title: [142920] branches/chromium/1410
- Revision: 142920
- Author: [email protected]
- Date: 2013-02-14 14:30:27 -0800 (Thu, 14 Feb 2013)
Log Message
Merge 142788. Requested by Christian Biesinger <[email protected]>.
> Crash when encountering <object style="resize:both;">
> https://bugs.webkit.org/show_bug.cgi?id=109728
>
> Source/WebCore:
>
> See also https://code.google.com/p/chromium/issues/detail?id=175535
> This bug can be reproduced on
> http://dramalink.net/tudou.y/?xink=162601060
>
> Patch by Christian Biesinger <[email protected]> on 2013-02-13
> Reviewed by Eric Seidel.
>
> Test: fast/css/resize-object-crash.html
>
> * rendering/RenderWidget.cpp:
> (WebCore::RenderWidget::paint):
> Only call paintResizer() if we have a layer and canResize() is true
>
> LayoutTests:
>
> See also https://code.google.com/p/chromium/issues/detail?id=175535
>
> Patch by Christian Biesinger <[email protected]> on 2013-02-13
> Reviewed by Eric Seidel.
>
> * fast/css/resize-object-crash-expected.txt: Added.
> * fast/css/resize-object-crash.html: Added.
[email protected]
Review URL: https://codereview.chromium.org/12252048
Diff
Copied: branches/chromium/1410/LayoutTests/fast/css/resize-object-crash-expected.txt (from rev 142788, trunk/LayoutTests/fast/css/resize-object-crash-expected.txt) (0 => 142920)
--- branches/chromium/1410/LayoutTests/fast/css/resize-object-crash-expected.txt (rev 0)
+++ branches/chromium/1410/LayoutTests/fast/css/resize-object-crash-expected.txt 2013-02-14 22:30:27 UTC (rev 142920)
@@ -0,0 +1,2 @@
+
+PASS
Copied: branches/chromium/1410/LayoutTests/fast/css/resize-object-crash.html (from rev 142788, trunk/LayoutTests/fast/css/resize-object-crash.html) (0 => 142920)
--- branches/chromium/1410/LayoutTests/fast/css/resize-object-crash.html (rev 0)
+++ branches/chromium/1410/LayoutTests/fast/css/resize-object-crash.html 2013-02-14 22:30:27 UTC (rev 142920)
@@ -0,0 +1,21 @@
+<html>
+<head>
+ <title></title>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ }
+ </script>
+ <style>
+ object {
+ resize: both !important;
+ }
+ </style>
+</head>
+<body>
+ <!--
+ Test for https://crbug.com/175535 - Crash with <object style="resize:both">
+ -->
+ <object></object><br>
+ PASS
+</body>
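Review bot: The added resize-object-crash.html stops at `</body>`, so the 21 lines never close `<html>`, and there is no doctype at the top; adding both would keep the test from depending on parser error recovery and quirks-mode layout. The static PASS text means the test only proves that painting `<object>` with `resize: both !important` does not crash, which is fine for a crash test, but the comment block could say so explicitly next to the crbug.com/175535 reference. The empty `<title></title>` can be dropped.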
Modified: branches/chromium/1410/Source/WebCore/rendering/RenderWidget.cpp (142919 => 142920)
--- branches/chromium/1410/Source/WebCore/rendering/RenderWidget.cpp 2013-02-14 22:27:52 UTC (rev 142919)
+++ branches/chromium/1410/Source/WebCore/rendering/RenderWidget.cpp 2013-02-14 22:30:27 UTC (rev 142920)
@@ -312,7 +312,7 @@
paintInfo.context->fillRect(pixelSnappedIntRect(selectionRect()), selectionBackgroundColor(), style()->colorSpace());
}
- if (style()->resize() != RESIZE_NONE)
+ if (hasLayer() && layer()->canResize())
layer()->paintResizer(paintInfo.context, roundedIntPoint(adjustedPaintOffset), paintInfo.rect);
}
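Review bot: The new condition `hasLayer() && layer()->canResize()` in RenderWidget::paint no longer tests `style()->resize() != RESIZE_NONE` directly, and canResize() is not defined anywhere in this diff, so please confirm it still implies a non-none resize style; otherwise widgets that do have a layer could change whether they paint a resizer. The hasLayer() check is what keeps `layer()->paintResizer(...)` from being reached when the widget has a resize style but no layer, and a one-line comment stating that would stop a later cleanup from going back to the style-only check.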
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes