Crash due to first-letter block processing
https://bugs.webkit.org/show_bug.cgi?id=74009
Source/WebCore:
Fixing the way updateFirstLetter() finds the remaining text fragment
for a given first-letter. Previously this was unreliable in some
circumstances.
This patch provides a reliable mechanism to identify the remaining
text by storing first-letter to remaining text associations in a
hash map, managed by methods in RenderBoxModelObject.
Patch by Ken Buchanan <kenrb@chromium.org> on 2012-01-05
Reviewed by David Hyatt.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::updateFirstLetter)
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::willBeDestroyed):
(WebCore::RenderBoxModelObject::setFirstLetterRemainingText): Added
(WebCore::RenderBoxModelObject::firstLetterRemainingText): Added
* rendering/RenderBoxModelObject.h:
(WebCore::RenderBoxModelObject::setFirstLetterRemainingText): Added
(WebCore::RenderBoxModelObject::firstLetterRemainingText): Added
LayoutTests:
Test for crashing condition in 74009.
Patch by Ken Buchanan <kenrb@chromium.org> on 2012-01-05
Reviewed by David Hyatt.
* fast/css/first-letter-inline-flow-split-table-crash-expected.txt: Added
* fast/css/first-letter-inline-flow-split-table-crash.html: Added
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104123 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7 files changed
