2009-06-23 Adam Langley <agl@google.com>

        Reviewed by Eric Seidel.

        Chromium: Fix crash with inherited font-size in <option>

        https://bugs.webkit.org/show_bug.cgi?id=26656
        http://code.google.com/p/chromium/issues/detail?id=14853

        In r42597 (https://bugs.webkit.org/show_bug.cgi?id=25244), I changed
        the <select> handing for Chromium to fix a rendering bug. However,
        although the font-size is correctly ignored, getRowHeight wasn't
        updated and so was calculating the height of the rows in an
        inconsistent manner. This can lead to a crash.

        * manual-tests/optgroup-empty-and-nested.html: adding test case for crash
        * platform/chromium/PopupMenuChromium.cpp:
        (WebCore::PopupListBox::getRowHeight):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@45038 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dead660135db269e91d6385676004ab877127f79..3a6675021701a348118c232c24e3fd6bf0b3951b 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2009-06-23  Adam Langley  <agl@google.com>
+
+        Reviewed by Eric Seidel.
+
+        Chromium: Fix crash with inherited font-size in <option>
+
+        https://bugs.webkit.org/show_bug.cgi?id=26656
+        http://code.google.com/p/chromium/issues/detail?id=14853
+
+        In r42597 (https://bugs.webkit.org/show_bug.cgi?id=25244), I changed
+        the <select> handing for Chromium to fix a rendering bug. However,
+        although the font-size is correctly ignored, getRowHeight wasn't
+        updated and so was calculating the height of the rows in an
+        inconsistent manner. This can lead to a crash.
+
+        * manual-tests/optgroup-empty-and-nested.html: adding test case for crash
+        * platform/chromium/PopupMenuChromium.cpp:
+        (WebCore::PopupListBox::getRowHeight):
+
 2009-06-23  Brady Eidson  <beidson@apple.com>
 
         Patch by Antti Koivisto.

diff --git a/WebCore/manual-tests/optgroup-empty-and-nested.html b/WebCore/manual-tests/optgroup-empty-and-nested.html
index 062996be6a8c84f2df7c6f7614cfe452482e14db..6aa3e7b6bdb29017e2cab07ff86e6bfaa68a47d4 100644 (file)
--- a/WebCore/manual-tests/optgroup-empty-and-nested.html
+++ b/WebCore/manual-tests/optgroup-empty-and-nested.html
@@ -21,7 +21,11 @@
     <!-- for an optgroup without a label, IE will show an empty, unselectable row.
          Firefox doesn't show it. We /do/ show it because someone might be using
          it as a spacer. -->
-    <optgroup>
+    <!-- Additionally, this has been updated to test the crash fixed in
+         https://bugs.webkit.org/show_bug.cgi?id=26656. When setting the
+         font-size in the <optgroup> to extra large, opening the select element
+         must not leave any unpainted areas of overlapping text. -->
+    <optgroup style="font-size: x-large;">
       <option value="2">Item inside an optgroup without a label</option>
     </optgroup>
 
@@ -70,5 +74,7 @@
   <li>Item four</li>
 </ul>
 
+<p>The text of the rows of the dropdown must not overlap each other.</p>
+
 </body>
 </html>

diff --git a/WebCore/platform/chromium/PopupMenuChromium.cpp b/WebCore/platform/chromium/PopupMenuChromium.cpp
index e349239cdbc7a4811895c0869cc4251e13bf8e88..e9cfc0f971154117c7506a53c315dfba310eb71c 100644 (file)
--- a/WebCore/platform/chromium/PopupMenuChromium.cpp
+++ b/WebCore/platform/chromium/PopupMenuChromium.cpp
@@ -925,7 +925,7 @@ int PopupListBox::getRowHeight(int index)
     if (index < 0)
         return 0;
 
-    return m_popupClient->itemStyle(index).font().height();
+    return getRowFont(index).height();
 }
 
 IntRect PopupListBox::getRowBounds(int index)