Title: [100677] trunk
- Revision: 100677
- Author: [email protected]
- Date: 2011-11-17 14:34:27 -0800 (Thu, 17 Nov 2011)
Log Message
Crash from positioned generated content under run-in
https://bugs.webkit.org/show_bug.cgi?id=70456
Patch by Ken Buchanan <[email protected]> on 2011-11-17
Reviewed by David Hyatt.
Source/WebCore:
Modified handling of run-in children to clear generated children
before removing the parent from the render tree. This caused problems
with absolute positioned children not being properly removed from the
positioned object list of the RenderView.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::handleRunInChild):
LayoutTests:
Layout test for crash condition.
* fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.html: Added
* fast/css-generated-content/positioned-generated-content-under-run-in-crash.html: Added
Diff
Modified: trunk/LayoutTests/ChangeLog (100676 => 100677)
--- trunk/LayoutTests/ChangeLog 2011-11-17 22:32:49 UTC (rev 100676)
+++ trunk/LayoutTests/ChangeLog 2011-11-17 22:34:27 UTC (rev 100677)
@@ -1,3 +1,15 @@
+2011-11-17 Ken Buchanan <[email protected]>
+
+ Crash from positioned generated content under run-in
+ https://bugs.webkit.org/show_bug.cgi?id=70456
+
+ Reviewed by David Hyatt.
+
+ Layout test for crash condition.
+
+ * fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.html: Added
+ * fast/css-generated-content/positioned-generated-content-under-run-in-crash.html: Added
+
2011-11-17 Sheriff Bot <[email protected]>
Unreviewed, rolling out r100652.
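Review bot: The first file entry in this ChangeLog addition names `positioned-generated-content-under-run-in-crash-expected.html`, but the expectation file this revision adds is `positioned-generated-content-under-run-in-crash-expected.txt`. The entry should carry the `.txt` name so the log matches what landed in the tree.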
Added: trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt (0 => 100677)
--- trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt 2011-11-17 22:34:27 UTC (rev 100677)
@@ -0,0 +1,2 @@
+PASS, if no exceptions or crash observed
+
Property changes on: trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt
___________________________________________________________________
Added: svn:executable
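Review bot: `svn:executable` is being set on a plain-text expectation file, and the same property is added to the test HTML and to Source/WebCore/ChangeLog in this revision. None of these files is run as a program, so the property should be removed from all three.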
Added: trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html (0 => 100677)
--- trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html 2011-11-17 22:34:27 UTC (rev 100677)
@@ -0,0 +1,22 @@
+<style>
+.testclass::before { position: absolute; content: ""; }
+.testclass { display: run-in; }
+</style>
+PASS, if no exceptions or crash observed
+<script>
+function runTest()
+{
+ test1 = document.createElement('div');
+ test1.setAttribute('class', 'testclass');
+ document.documentElement.appendChild(test1);
+ test2 = document.createElement('b');
+ test2.setAttribute('class', 'testclass');
+ document.documentElement.appendChild(test2);
+ test3 = document.createElement('div');
+ document.documentElement.appendChild(test3);
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+}
+window._onload_ = runTest;
+</script>
+
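Review bot: The last script line assigns the handler to `window._onload_`, which is not an event handler property, so as written `runTest` is never invoked and the page shows PASS without ever building the run-in tree that used to crash. It should read `window.onload = runTest;` (the underscores may come from how this page was rendered, so check the committed file). Separately, `test1`, `test2` and `test3` are implicit globals, and calling `layoutTestController.dumpAsText()` at the top of the script instead of at the end of `runTest` would keep the text dump even if an exception is thrown partway through.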
Property changes on: trunk/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (100676 => 100677)
--- trunk/Source/WebCore/ChangeLog 2011-11-17 22:32:49 UTC (rev 100676)
+++ trunk/Source/WebCore/ChangeLog 2011-11-17 22:34:27 UTC (rev 100677)
@@ -1,3 +1,18 @@
+2011-11-17 Ken Buchanan <[email protected]>
+
+ Crash from positioned generated content under run-in
+ https://bugs.webkit.org/show_bug.cgi?id=70456
+
+ Reviewed by David Hyatt.
+
+ Modified handling of run-in children to clear generated children
+ before removing the parent from the render tree. This caused problems
+ with absolute positioned children being not properly removed from the
+ positioned object list of the RenderView.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::handleRunInChild):
+
2011-11-17 Peter Kasting <[email protected]>
Unreviewed, rolling out r100572.
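Review bot: The second sentence of the description, "This caused problems with absolute positioned children...", reads as if the modification introduced the problem, when "This" refers to the old ordering. Rewording it to say that the previous code removed the parent first, which left absolutely positioned generated children in the RenderView's positioned object list, would make the entry unambiguous for someone reading the ChangeLog without the bug open.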
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (100676 => 100677)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-11-17 22:32:49 UTC (rev 100676)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2011-11-17 22:34:27 UTC (rev 100677)
@@ -1582,6 +1582,16 @@
RenderBlock* currBlock = toRenderBlock(curr);
+ // First we destroy any :before/:after content. It will be regenerated by the new inline.
+ // Exception is if the run-in itself is generated.
+ if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) {
+ RenderObject* generatedContent;
+ if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer()))
+ generatedContent->destroy();
+ if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer()))
+ generatedContent->destroy();
+ }
+
// Remove the old child.
children()->removeChildNode(this, blockRunIn);
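Review bot: The new comment above the `if` says what is destroyed but not why it has to happen before `children()->removeChildNode(this, blockRunIn)`, and that ordering is the entire fix according to the log message. Please state in the comment that the generated renderers must be destroyed while the run-in is still attached, so that positioned ones are removed from the RenderView's positioned object list, otherwise a later cleanup could move the block back below the removal. The block also operates on `child` while the removal uses `blockRunIn`; using one name for both, or asserting they are the same object, would make it clear that the renderer being cleaned is the one being removed. The assignments inside the `if` conditions are legal but easy to misread; fetching each pseudo-element renderer into a local first would be clearer.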
@@ -1590,16 +1600,11 @@
RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document());
inlineRunIn->setStyle(blockRunIn->style());
- bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER;
-
- // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already
- // been regenerated by the new inline.
+ // Move the nodes from the old child to the new child
for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
RenderObject* nextSibling = runInChild->nextSibling();
- if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) {
- blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
- inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
- }
+ blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+ inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
runInChild = nextSibling;
}
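Review bot: The loop now moves every child unconditionally, so it depends on the earlier block having destroyed all :before/:after renderers, and that block only destroys what `beforePseudoElementRenderer()` and `afterPseudoElementRenderer()` return when `getCachedPseudoStyle()` is non-null. If a generated child survives that step it will be moved into `inlineRunIn` and then sit alongside the content the new inline regenerates. An ASSERT inside the loop that `runInChild` is not BEFORE/AFTER styled unless the run-in itself is generated would catch this in debug builds. The trailing comment on `inlineRunIn->addChild(runInChild)` still justifies `addChild` by placement relative to :after-generated content, which should be rechecked now that this content has been destroyed before the move.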