Bug 1406562 - Return first continuation for parent of first-letter in ExpectedOwnerForChild. r=emilio, a=ritu
authorXidorn Quan <me@upsuper.org>
Mon, 09 Oct 2017 11:07:17 +1100
changeset 434779 76296f08f28382a5d2197af3684549166318281d
parent 434778 4dea9389c27bfc64707d975cefe3d0cc87fe9a9e
child 434780 f8a4d5043ad77d124892493fbbf31af8f1b7dd42
push id1567
push userjlorenzo@mozilla.com
push dateThu, 02 Nov 2017 12:36:05 +0000
treeherdermozilla-release@e512c14a0406 [default view] [failures only]
reviewersemilio, ritu
bugs1406562
milestone57.0
Bug 1406562 - Return first continuation for parent of first-letter in ExpectedOwnerForChild. r=emilio, a=ritu MozReview-Commit-ID: KkBDMStwQ6r
layout/base/ServoRestyleManager.cpp
layout/base/crashtests/1406562.html
layout/base/crashtests/crashtests.list
--- a/layout/base/ServoRestyleManager.cpp
+++ b/layout/base/ServoRestyleManager.cpp
@@ -76,17 +76,20 @@ ExpectedOwnerForChild(const nsIFrame& aF
     // So we don't want to end up in the code below, which steps out of anon
     // boxes.  Just return the parent of the line frame, which is the block.
     return parent;
   }
 
   if (aFrame.IsLetterFrame()) {
     // Ditto for ::first-letter. A first-letter always arrives here via its
     // direct parent, except when it's parented to a ::first-line.
-    return parent->IsLineFrame() ? parent->GetParent() : parent;
+    if (parent->IsLineFrame()) {
+      parent = parent->GetParent();
+    }
+    return FirstContinuationOrPartOfIBSplit(parent);
   }
 
   if (parent->IsLetterFrame()) {
     // Things never have ::first-letter as their expected parent.  Go
     // on up to the ::first-letter's parent.
     parent = parent->GetParent();
   }
 
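Review bot: The comment above the new `return FirstContinuationOrPartOfIBSplit(parent);` still only explains the ::first-line exception and says nothing about why the parent is now normalised to its first continuation. The added crashtest uses `columns: 0px`, so the parent is presumably a fragmented block whose later continuation was being returned as the owner; a line such as `// The parent block may be a later continuation (e.g. when fragmented by columns); the expected owner is always the first continuation.` would record that for the next reader. The line-frame branch just above still ends in a bare `return parent;`, so it is worth confirming that a ::first-line's parent can never be a non-first continuation, or applying the same normalisation there. ExpectedOwnerForChild begins and ends outside this hunk, so any handling of `parent` before or after these lines is not visible here.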
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1406562.html
@@ -0,0 +1,15 @@
+<style>
+.class5 { columns: 0px; }
+li::first-letter { color: red; }
+.class5 { list-style-position: inside; }
+</style>
+<script>
+function jsfuzzer() {
+  htmlvar00001.appendChild(htmlvar00027);
+}
+</script>
+<body onload=jsfuzzer()>
+<a id="htmlvar00001">
+<ul class="class5">
+<li>`</li>
+<li id="htmlvar00027">
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -502,8 +502,9 @@ load 1397398-1.html
 load 1397398-2.html
 load 1397398-3.html
 load 1398500.html
 load 1400438-1.html
 load 1400599-1.html
 load 1401739.html
 load 1401840.html
 load 1402476.html
+load 1406562.html