Bug 1406562 - Return first continuation for parent of first-letter in ExpectedOwnerForChild. r?emilio
MozReview-Commit-ID: KkBDMStwQ6r
--- a/layout/base/ServoRestyleManager.cpp
+++ b/layout/base/ServoRestyleManager.cpp
@@ -76,17 +76,20 @@ ExpectedOwnerForChild(const nsIFrame& aF
// So we don't want to end up in the code below, which steps out of anon
// boxes. Just return the parent of the line frame, which is the block.
return parent;
}
if (aFrame.IsLetterFrame()) {
// Ditto for ::first-letter. A first-letter always arrives here via its
// direct parent, except when it's parented to a ::first-line.
- return parent->IsLineFrame() ? parent->GetParent() : parent;
+ if (parent->IsLineFrame()) {
+ parent = parent->GetParent();
+ }
+ return FirstContinuationOrPartOfIBSplit(parent);
}
if (parent->IsLetterFrame()) {
// Things never have ::first-letter as their expected parent. Go
// on up to the ::first-letter's parent.
parent = parent->GetParent();
}
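Review bot: The comment above the new `return FirstContinuationOrPartOfIBSplit(parent);` still only explains the ::first-line hop and does not say why the result is now normalized to the first continuation. Presumably the block that parents the ::first-letter can be a later continuation (the accompanying crashtest puts the `li` inside a `columns: 0px` list) while the caller expects the first one. A line such as `// Our parent block may be a non-first continuation; the expected owner is always the first one.` before the return would record that. The ::first-line branch just above still returns `parent` unnormalized, so it is worth confirming that the same adjustment is not needed there. ExpectedOwnerForChild starts before and continues after this hunk.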
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1406562.html
@@ -0,0 +1,15 @@
+<style>
+.class5 { columns: 0px; }
+li::first-letter { color: red; }
+.class5 { list-style-position: inside; }
+</style>
+<script>
+function jsfuzzer() {
+ htmlvar00001.appendChild(htmlvar00027);
+}
+</script>
+<body onload=jsfuzzer()>
+<a id="htmlvar00001">
+<ul class="class5">
+<li>`</li>
+<li id="htmlvar00027">
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -490,20 +490,21 @@ load 1308848-2.html
load 1338772-1.html
load 1343937.html
asserts(0-1) load 1343606.html # bug 1343948
load 1352380.html
load 1362423-1.html
load 1381323.html
asserts-if(!stylo,1) load 1388625-1.html # bug 1389286
load 1390389.html
+load 1391736.html
load 1395591-1.html
load 1395715-1.html
load 1397398-1.html
load 1397398-2.html
load 1397398-3.html
load 1398500.html
load 1400438-1.html
load 1400599-1.html
load 1401739.html
load 1401840.html
load 1402476.html
-load 1391736.html
+load 1406562.html
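Review bot: Moving `load 1391736.html` into numeric order is unrelated to bug 1406562 and is not mentioned in the commit message; note it there or land it separately so the history for that test stays easy to follow. The new `load 1406562.html` entry carries no `asserts(...)` annotation, unlike some neighbouring entries. If that means the test must run without any assertion firing, it matches the intent of the fix, but it should be confirmed on a debug build.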