Bug 1406562 - Return first continuation for parent of first-letter in ExpectedOwnerForChild. r=emilio
authorXidorn Quan <me@upsuper.org>
Mon, 09 Oct 2017 11:07:17 +1100
changeset 385089 3fac14728144a6c51da4320fe171bf3d5cb7b9e7
parent 385088 ef2a97daf3088ce1c5a7794a9842b80a08a3cb2e
child 385090 ca1126dea7c833ab9b0d26f62d2599e07eb84982
push id32646
push userarchaeopteryx@coole-files.de
push dateMon, 09 Oct 2017 21:47:29 +0000
treeherdermozilla-central@4afc55e7033c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersemilio
bugs1406562
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1406562 - Return first continuation for parent of first-letter in ExpectedOwnerForChild. r=emilio MozReview-Commit-ID: KkBDMStwQ6r
layout/base/ServoRestyleManager.cpp
layout/base/crashtests/1406562.html
layout/base/crashtests/crashtests.list
--- a/layout/base/ServoRestyleManager.cpp
+++ b/layout/base/ServoRestyleManager.cpp
@@ -76,17 +76,20 @@ ExpectedOwnerForChild(const nsIFrame& aF
     // So we don't want to end up in the code below, which steps out of anon
     // boxes.  Just return the parent of the line frame, which is the block.
     return parent;
   }
 
   if (aFrame.IsLetterFrame()) {
     // Ditto for ::first-letter. A first-letter always arrives here via its
     // direct parent, except when it's parented to a ::first-line.
-    return parent->IsLineFrame() ? parent->GetParent() : parent;
+    if (parent->IsLineFrame()) {
+      parent = parent->GetParent();
+    }
+    return FirstContinuationOrPartOfIBSplit(parent);
   }
 
   if (parent->IsLetterFrame()) {
     // Things never have ::first-letter as their expected parent.  Go
     // on up to the ::first-letter's parent.
     parent = parent->GetParent();
   }
 
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1406562.html
@@ -0,0 +1,15 @@
+<style>
+.class5 { columns: 0px; }
+li::first-letter { color: red; }
+.class5 { list-style-position: inside; }
+</style>
+<script>
+function jsfuzzer() {
+  htmlvar00001.appendChild(htmlvar00027);
+}
+</script>
+<body onload=jsfuzzer()>
+<a id="htmlvar00001">
+<ul class="class5">
+<li>`</li>
+<li id="htmlvar00027">
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -490,20 +490,21 @@ load 1308848-2.html
 load 1338772-1.html
 load 1343937.html
 asserts(0-1) load 1343606.html # bug 1343948
 load 1352380.html
 load 1362423-1.html
 load 1381323.html
 asserts-if(!stylo,1) load 1388625-1.html # bug 1389286
 load 1390389.html
+load 1391736.html
 load 1395591-1.html
 load 1395715-1.html
 load 1397398-1.html
 load 1397398-2.html
 load 1397398-3.html
 load 1398500.html
 load 1400438-1.html
 load 1400599-1.html
 load 1401739.html
 load 1401840.html
 load 1402476.html
-load 1391736.html
+load 1406562.html