Commit 33b3d656 authored by bdakin's avatar bdakin

Reviewed by Maciej, landed by Beth.

        fix http://bugzilla.opendarwin.org/show_bug.cgi?id=3560
        page with use of first-letter crashes reproducibly in 
        RenderObject::renderArena()


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@13356 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 060b5ba2
2006-03-17 Mitz Pettel <opendarwin.org@mitzpettel.com>
Reviewed by Maciej, landed by Beth.
- test for http://bugzilla.opendarwin.org/show_bug.cgi?id=3560
page with use of first-letter crashes reproducibly in
RenderObject::renderArena()
* fast/css/first-letter-detach-expected.checksum: Added.
* fast/css/first-letter-detach-expected.png: Added.
* fast/css/first-letter-detach-expected.txt: Added.
* fast/css/first-letter-detach.html: Added.
2006-03-17 Adele Peterson <adele@apple.com>
Reviewed by Eric.
......
8a18d46db2930f0b446f96f59f3747c2
\ No newline at end of file
layer at (0,0) size 800x600
RenderCanvas at (0,0) size 800x600
layer at (0,0) size 800x600
RenderBlock {HTML} at (0,0) size 800x600
RenderBody {BODY} at (8,8) size 784x576
RenderBlock {P} at (0,0) size 784x36
RenderText {TEXT} at (0,0) size 53x18
text run at (0,0) width 53: "Test for "
RenderInline {I} at (0,0) size 726x36
RenderInline {A} at (0,0) size 348x18 [color=#0000EE]
RenderText {TEXT} at (53,0) size 348x18
text run at (53,0) width 348: "http://bugzilla.opendarwin.org/show_bug.cgi?id=3560"
RenderText {TEXT} at (401,0) size 726x36
text run at (401,0) width 325: " page with use of first-letter crashes reproducibly in"
text run at (0,18) width 189: "RenderObject::renderArena()"
RenderText {TEXT} at (189,18) size 4x18
text run at (189,18) width 4: "."
RenderBlock {P} at (0,52) size 784x18
RenderText {TEXT} at (0,0) size 171x18
text run at (0,0) width 171: "The next line should read \x{201C}"
RenderInline {SPAN} at (0,0) size 9x18 [color=#0000FF]
RenderText {TEXT} at (171,0) size 9x18
text run at (171,0) width 9: "P"
RenderText {TEXT} at (180,0) size 209x18
text run at (180,0) width 209: "ASS\x{201D}, with nothing before the P."
RenderBlock {HR} at (0,86) size 784x2 [border: (1px inset #000000)]
RenderBlock {P} at (0,104) size 784x18
RenderInline (generated) at (0,0) size 9x18 [color=#0000FF]
RenderText {TEXT} at (0,0) size 9x18
text run at (0,0) width 9: "P"
RenderText {TEXT} at (9,0) size 30x18
text run at (9,0) width 30: "ASS"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<style type="text/css">
#target:first-letter { color: blue; }
</style>
<script type="text/javascript">
function test()
{
document.body.offsetTop;
document.getElementById("target").innerHTML = "PASS";
}
</script>
</head>
<body onload="test()">
<p>
Test for <i><a href="http://bugzilla.opendarwin.org/show_bug.cgi?id=3560">http://bugzilla.opendarwin.org/show_bug.cgi?id=3560</a>
page with use of first-letter crashes reproducibly in RenderObject::renderArena()</i>.
</p>
<p>
The next line should read &ldquo;<span style="color: blue;">P</span>ASS&rdquo;, with nothing before the P.
</p>
<hr>
<p id="target">didn&rsquo;t run</p>
</body>
</html>
2006-03-17 Mitz Pettel <opendarwin.org@mitzpettel.com>
Reviewed by Maciej, landed by Beth.
fix http://bugzilla.opendarwin.org/show_bug.cgi?id=3560
page with use of first-letter crashes reproducibly in
RenderObject::renderArena()
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::updateFirstLetter): Pass the first-leter
renderer to the remaining text fragment.
* rendering/RenderContainer.cpp:
(WebCore::RenderContainer::destroyLeftoverChildren): Do not destroy
first-letter renderers since they are destroyed by their remaining
text now.
* rendering/RenderTextFragment.cpp:
(khtml::RenderTextFragment::RenderTextFragment):
(khtml::RenderTextFragment::destroy): Destroy the first-letter
renderer.
* rendering/RenderTextFragment.h:
(khtml::RenderTextFragment::firstLetter):
2006-03-17 Adele Peterson <adele@apple.com>
Reviewed by Eric.
......@@ -3373,7 +3373,7 @@ void RenderBlock::updateFirstLetter()
// construct text fragment for the text after the first letter
// NOTE: this might empty
RenderTextFragment* remainingText =
new (renderArena()) RenderTextFragment(textObj->node(), oldText.get(), length, oldText->length() - length);
new (renderArena()) RenderTextFragment(textObj->node(), oldText.get(), length, oldText->length() - length, firstLetter);
remainingText->setStyle(textObj->style());
if (remainingText->element())
remainingText->element()->setRenderer(remainingText);
......
......@@ -64,8 +64,8 @@ void RenderContainer::destroy()
void RenderContainer::destroyLeftoverChildren()
{
while (m_first) {
if (m_first->isListMarker())
m_first->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container.
if (m_first->isListMarker() || m_first->style()->styleType() == RenderStyle::FIRST_LETTER)
m_first->remove(); // List markers are owned by their enclosing list and so don't get destroyed by this container. Similarly, first letters are destroyed by their remaining text fragment.
else {
// Destroy any anonymous children remaining in the render tree, as well as implicit (shadow) DOM elements like those used in the engine-based text fields.
if (m_first->element())
......
......@@ -29,13 +29,13 @@ using namespace DOM;
namespace khtml {
RenderTextFragment::RenderTextFragment(DOM::NodeImpl* node, DOM::DOMStringImpl* str, int startOffset, int length)
: RenderText(node, str ? str->substring(startOffset, length) : 0), m_start(startOffset), m_end(length)
RenderTextFragment::RenderTextFragment(DOM::NodeImpl* node, DOM::DOMStringImpl* str, int startOffset, int length, RenderObject* firstLetter)
: RenderText(node, str ? str->substring(startOffset, length) : 0), m_start(startOffset), m_end(length), m_firstLetter(firstLetter)
{
}
RenderTextFragment::RenderTextFragment(DOM::NodeImpl* node, DOM::DOMStringImpl* str)
: RenderText(node, str), m_start(0), m_end(str ? str->length() : 0), m_generatedContentStr(str)
: RenderText(node, str), m_start(0), m_end(str ? str->length() : 0), m_generatedContentStr(str), m_firstLetter(0)
{
}
......@@ -56,4 +56,10 @@ PassRefPtr<DOMStringImpl> RenderTextFragment::originalString() const
return result;
}
void RenderTextFragment::destroy()
{
if (firstLetter())
firstLetter()->destroy();
RenderText::destroy();
}
}
......@@ -41,13 +41,16 @@ namespace khtml
class RenderTextFragment : public RenderText
{
public:
RenderTextFragment(DOM::NodeImpl*, DOM::DOMStringImpl*, int startOffset, int length);
RenderTextFragment(DOM::NodeImpl*, DOM::DOMStringImpl*, int startOffset, int length, RenderObject* firstLetter = 0);
RenderTextFragment(DOM::NodeImpl*, DOM::DOMStringImpl*);
virtual bool isTextFragment() const;
virtual void destroy();
uint start() const { return m_start; }
uint end() const { return m_end; }
RenderObject* firstLetter() const { return m_firstLetter; }
DOM::DOMStringImpl* contentString() const { return m_generatedContentStr.get(); }
virtual PassRefPtr<DOM::DOMStringImpl> originalString() const;
......@@ -56,6 +59,7 @@ private:
uint m_start;
uint m_end;
RefPtr<DOM::DOMStringImpl> m_generatedContentStr;
RenderObject* m_firstLetter;
};
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment