https://bugs.webkit.org/show_bug.cgi?id=82096
Patch by Ken Buchanan <kenrb@chromium.org> on 2012-03-26
Reviewed by Ryosuke Niwa.
Source/WebCore:
The cause of this bug was the call to RenderTextFragment::setTextInternal
resulting from a style change from RenderObject::addChild. The idea here
is to better separate the code path for transforming existing text from
the code path for replacing the underlying text of a node. For
RenderTextFragment this has to be clear because only in the latter case
does the first-letter get reset.
* rendering/RenderObject.cpp:
(WebCore::RenderObject::addChild): Added call to transformText
* rendering/RenderText.cpp:
(WebCore::RenderText::styleDidChange): Added call to transformText
(WebCore::RenderText::transformText): Added
* rendering/RenderText.h:
(WebCore::RenderText::setText): Changed to virtual so RenderTextFragment can override
(WebCore::RenderText::transformText): Added
* rendering/RenderTextFragment.cpp:
(WebCore::RenderTextFragment::styleDidChange): Removed references to
m_allowFragmentReset which was the previous approach to separating the
code paths
(WebCore::RenderTextFragment::setTextInternal): Deleted
(WebCore::RenderTextFragment::setText): Added with most of logic that was
previously in setTextInternal
(WebCore::RenderTextFragment::transformText): Added
* rendering/RenderTextFragment.h:
(WebCore::RenderTextFragment::setText): Added
(WebCore::RenderTextFragment::transformText): Added
(WebCore::RenderTextFragment::setTextInternal): Deleted
LayoutTests:
Test that exercises failure condition in bug 82096.
* fast/css/first-letter-capitalized-edit-select-crash-expected.txt: Added
* fast/css/first-letter-capitalized-edit-select-crash.html: Added
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112200
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2012-03-26 Ken Buchanan <kenrb@chromium.org>
+
+ Assert failure from capitalized RenderTextFragment
+ https://bugs.webkit.org/show_bug.cgi?id=82096
+
+ Reviewed by Ryosuke Niwa.
+
+ Test that exercises failure condition in bug 82096.
+
+ * fast/css/first-letter-capitalized-edit-select-crash-expected.txt: Added
+ * fast/css/first-letter-capitalized-edit-select-crash.html: Added
+
2012-03-26 Shinya Kawanaka <shinyak@chromium.org>
Triggers assertion if dragging from outside of <meter> in a shadow tree to inside of it.
--- /dev/null
+Pass if no crash or assert in debug
+
+
--- /dev/null
+<style>
+.writable{-webkit-user-modify:read-write;}
+.list{content:normal;display:list-item;}
+*:first-letter{stroke-linecap:round;}
+*:only-child{-webkit-font-variant-ligatures:common-ligatures;text-transform:capitalize;</style>
+</style>
+Pass if no crash or assert in debug
+<span class="writable" id="span">
+<label class="list">
+<code>
+<object></object>
+</code></label></span>
+<script>
+window.onload=function()
+{
+ document.getElementById('span').focus();
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+};
+</script>
+2012-03-26 Ken Buchanan <kenrb@chromium.org>
+
+ Assert failure from capitalized RenderTextFragment
+ https://bugs.webkit.org/show_bug.cgi?id=82096
+
+ Reviewed by Ryosuke Niwa.
+
+ The cause of this bug was the call to RenderTextFragment::setTextInternal
+ resulting from a style change from RenderObject::addChild. The idea here
+ is to better separate the code path for transforming existing text from
+ the code path for replacing the underlying text of a node. For
+ RenderTextFragment this has to be clear because only in the latter case
+ does the first-letter get reset.
+
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::addChild): Added call to transformText
+ * rendering/RenderText.cpp:
+ (WebCore::RenderText::styleDidChange): Added call to transformText
+ (WebCore::RenderText::transformText): Added
+ * rendering/RenderText.h:
+ (WebCore::RenderText::setText): Changed to virtual so RenderTextFragment can override
+ (WebCore::RenderText::transformText): Added
+ * rendering/RenderTextFragment.cpp:
+ (WebCore::RenderTextFragment::styleDidChange): Removed references to
+ m_allowFragmentReset which was the previous approach to separating the
+ code paths
+ (WebCore::RenderTextFragment::setTextInternal): Deleted
+ (WebCore::RenderTextFragment::setText): Added with most of logic that was
+ previously in setTextInternal
+ (WebCore::RenderTextFragment::transformText): Added
+ * rendering/RenderTextFragment.h:
+ (WebCore::RenderTextFragment::setText): Added
+ (WebCore::RenderTextFragment::transformText): Added
+ (WebCore::RenderTextFragment::setTextInternal): Deleted
+
2012-03-26 Adam Klein <adamk@chromium.org>
Always set V8 wrappers via V8DOMWrapper::setJSWrapperFor* instead of WeakReferenceMap::set()
children->insertChildNode(this, newChild, beforeChild);
}
- if (newChild->isText() && newChild->style()->textTransform() == CAPITALIZE) {
- RefPtr<StringImpl> textToTransform = toRenderText(newChild)->originalText();
- if (textToTransform)
- toRenderText(newChild)->setText(textToTransform.release(), true);
- }
+ if (newChild->isText() && newChild->style()->textTransform() == CAPITALIZE)
+ toRenderText(newChild)->transformText();
// SVG creates renderers for <g display="none">, as SVG requires children of hidden
// <g>s to have renderers - at least that's how our implementation works. Consider:
ETextTransform oldTransform = oldStyle ? oldStyle->textTransform() : TTNONE;
ETextSecurity oldSecurity = oldStyle ? oldStyle->textSecurity() : TSNONE;
- if (needsResetText || oldTransform != newStyle->textTransform() || oldSecurity != newStyle->textSecurity()) {
- if (RefPtr<StringImpl> textToTransform = originalText())
- setText(textToTransform.release(), true);
- }
+ if (needsResetText || oldTransform != newStyle->textTransform() || oldSecurity != newStyle->textSecurity())
+ transformText();
}
void RenderText::removeAndDestroyTextBoxes()
setText(text, force);
}
+void RenderText::transformText()
+{
+ if (RefPtr<StringImpl> textToTransform = originalText())
+ setText(textToTransform.release(), true);
+}
+
static inline bool isInlineFlowOrEmptyText(const RenderObject* o)
{
if (o->isRenderInline())
float firstRunX() const;
float firstRunY() const;
- void setText(PassRefPtr<StringImpl>, bool force = false);
+ virtual void setText(PassRefPtr<StringImpl>, bool force = false);
void setTextWithOffset(PassRefPtr<StringImpl>, unsigned offset, unsigned len, bool force = false);
+ virtual void transformText();
+
virtual bool canBeSelectionLeaf() const { return true; }
virtual void setSelectionState(SelectionState s);
virtual LayoutRect selectionRectForRepaint(RenderBoxModelObject* repaintContainer, bool clipToVisibleContent = true);
bool isAllASCII() const { return m_isAllASCII; }
void updateNeedsTranscoding();
- inline void transformText(String&) const;
void secureText(UChar mask);
float m_minWidth; // here to minimize padding in 64-bit.
, m_start(startOffset)
, m_end(length)
, m_firstLetter(0)
- , m_allowFragmentReset(true)
{
}
, m_end(str ? str->length() : 0)
, m_contentString(str)
, m_firstLetter(0)
- , m_allowFragmentReset(true)
{
}
void RenderTextFragment::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
{
- m_allowFragmentReset = false;
RenderText::styleDidChange(diff, oldStyle);
- m_allowFragmentReset = true;
if (RenderBlock* block = blockForAccompanyingFirstLetter()) {
block->style()->removeCachedPseudoStyle(FIRST_LETTER);
RenderText::willBeDestroyed();
}
-void RenderTextFragment::setTextInternal(PassRefPtr<StringImpl> text)
+void RenderTextFragment::setText(PassRefPtr<StringImpl> text, bool force)
{
- RenderText::setTextInternal(text);
-
- if (m_allowFragmentReset) {
- m_start = 0;
- m_end = textLength();
- if (m_firstLetter) {
- ASSERT(!m_contentString);
- m_firstLetter->destroy();
- m_firstLetter = 0;
- if (Node* t = node()) {
- ASSERT(!t->renderer());
- t->setRenderer(this);
- }
+ RenderText::setText(text, force);
+
+ m_start = 0;
+ m_end = textLength();
+ if (m_firstLetter) {
+ ASSERT(!m_contentString);
+ m_firstLetter->destroy();
+ m_firstLetter = 0;
+ if (Node* t = node()) {
+ ASSERT(!t->renderer());
+ t->setRenderer(this);
}
}
}
+void RenderTextFragment::transformText()
+{
+ // Don't reset first-letter here because we are only transforming the truncated fragment.
+ if (RefPtr<StringImpl> textToTransform = originalText())
+ RenderText::setText(textToTransform.release(), true);
+}
+
UChar RenderTextFragment::previousCharacter() const
{
if (start()) {
StringImpl* contentString() const { return m_contentString.get(); }
virtual PassRefPtr<StringImpl> originalText() const;
+ virtual void setText(PassRefPtr<StringImpl>, bool force = false) OVERRIDE;
+
+ virtual void transformText() OVERRIDE;
+
protected:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
private:
virtual void willBeDestroyed();
- virtual void setTextInternal(PassRefPtr<StringImpl>);
virtual UChar previousCharacter() const;
RenderBlock* blockForAccompanyingFirstLetter() const;
unsigned m_end;
RefPtr<StringImpl> m_contentString;
RenderObject* m_firstLetter;
- bool m_allowFragmentReset;
};
inline RenderTextFragment* toRenderTextFragment(RenderObject* object)
projects / profile / ivi / webkit-efl.git / commitdiff