Android-x86
Fork
Donation

  • R/O
  • HTTP
  • SSH
  • HTTPS

external-webkit: Commit

external/webkit


Commit MetaInfo

Revision538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3 (tree)
Time2012-02-28 22:16:38
AuthorSteve Block <steveblock@goog...>
CommiterSteve Block

Log Message

Cherry-pick WebKit r100677 to fix a rendering crash

This fixes a crash from positioned generated content under run-in.
See http://trac.webkit.org/changeset/100677.

Bug: 6079158
Change-Id: I3d2012c58f47e71ae500e33551dfab5587b84534

Change Summary

Incremental Difference

--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -1561,6 +1561,16 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
15611561
15621562 RenderBlock* currBlock = toRenderBlock(curr);
15631563
1564+ // First we destroy any :before/:after content. It will be regenerated by the new inline.
1565+ // Exception is if the run-in itself is generated.
1566+ if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) {
1567+ RenderObject* generatedContent;
1568+ if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer()))
1569+ generatedContent->destroy();
1570+ if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer()))
1571+ generatedContent->destroy();
1572+ }
1573+
15641574 // Remove the old child.
15651575 children()->removeChildNode(this, blockRunIn);
15661576
@@ -1569,16 +1579,11 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
15691579 RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document());
15701580 inlineRunIn->setStyle(blockRunIn->style());
15711581
1572- bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER;
1573-
1574- // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already
1575- // been regenerated by the new inline.
1582+ // Move the nodes from the old child to the new child
15761583 for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
15771584 RenderObject* nextSibling = runInChild->nextSibling();
1578- if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) {
1579- blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
1580- inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
1581- }
1585+ blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
1586+ inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
15821587 runInChild = nextSibling;
15831588 }
15841589
Show on old repository browser