Title: [122125] branches/chromium/1132
- Revision
- 122125
- Author
- [email protected]
- Date
- 2012-07-09 11:57:26 -0700 (Mon, 09 Jul 2012)
Log Message
Merge 120761
BUG=129936
Review URL: https://chromiumcodereview.appspot.com/10765005
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash-expected.txt (from rev 120761, trunk/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash-expected.txt) (0 => 122125)
--- branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash-expected.txt (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash-expected.txt 2012-07-09 18:57:26 UTC (rev 122125)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Copied: branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash.html (from rev 120761, trunk/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash.html) (0 => 122125)
--- branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash.html (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/block/positioning/abspositioned-object-under-split-relpositioned-inline-crash.html 2012-07-09 18:57:26 UTC (rev 122125)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style>
+.class1 { position: relative; }
+.class2 { position: absolute; }
+</style>
+<script>
+window._onload_ = function() {
+ document.designMode="on";
+ document.execCommand("SelectAll");
+ document.execCommand("Strikethrough");
+ document.body.offsetTop;
+ document.body.innerHTML = "PASS. WebKit didn't crash.";
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+}
+</script>
+<i class="class1">
+<span class="class2"></span>
+<div>
+<xmp class="class2">
+A
+</xmp>
+</div>
+</i>
+</body>
+</html>
Copied: branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash-expected.txt (from rev 120761, trunk/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash-expected.txt) (0 => 122125)
--- branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash-expected.txt (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash-expected.txt 2012-07-09 18:57:26 UTC (rev 122125)
@@ -0,0 +1 @@
+PASSED
Copied: branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash.html (from rev 120761, trunk/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash.html) (0 => 122125)
--- branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash.html (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/block/positioning/insert-positioned-in-anonymous-crash.html 2012-07-09 18:57:26 UTC (rev 122125)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <style>
+ .inlineContainer {
+ position: relative;
+ display: inline;
+ }
+ #positioned {
+ position: absolute;
+ }
+ </style>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ function runTest() {
+ document.getElementById('positioned').innerHTML = 'PASSED';
+ }
+ </script>
+ </head>
+ <body _onload_="runTest()">
+ <div class='inlineContainer'>
+ <div>
+ <div id='positioned'>FAILED</div>
+ </div>
+ </div>
+ </body>
+</html>
Modified: branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp (122124 => 122125)
--- branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp 2012-07-09 18:53:45 UTC (rev 122124)
+++ branches/chromium/1132/Source/WebCore/rendering/RenderObject.cpp 2012-07-09 18:57:26 UTC (rev 122125)
@@ -710,7 +710,11 @@
{
RenderObject* o = parent();
if (!isText() && m_style->position() == FixedPosition) {
- while (o && !o->isRenderView() && !(o->hasTransform() && o->isRenderBlock())) {
+ while (o) {
+ if (o->isRenderView())
+ break;
+ if (o->hasTransform() && o->isRenderBlock())
+ break;
#if ENABLE(SVG)
// foreignObject is the containing block for its contents.
if (o->isSVGForeignObject())
@@ -718,18 +722,24 @@
#endif
o = o->parent();
}
+ ASSERT(!o->isAnonymousBlock());
} else if (!isText() && m_style->position() == AbsolutePosition) {
- while (o && (o->style()->position() == StaticPosition || (o->isInline() && !o->isReplaced())) && !o->isRenderView() && !(o->hasTransform() && o->isRenderBlock())) {
+ while (o) {
// For relpositioned inlines, we return the nearest non-anonymous enclosing block. We don't try
// to return the inline itself. This allows us to avoid having a positioned objects
// list in all RenderInlines and lets us return a strongly-typed RenderBlock* result
// from this method. The container() method can actually be used to obtain the
// inline directly.
+ if (!o->style()->position() == StaticPosition && !(o->isInline() && !o->isReplaced()))
+ break;
+ if (o->isRenderView())
+ break;
+ if (o->hasTransform() && o->isRenderBlock())
+ break;
+
if (o->style()->position() == RelativePosition && o->isInline() && !o->isReplaced()) {
- RenderBlock* relPositionedInlineContainingBlock = o->containingBlock();
- while (relPositionedInlineContainingBlock->isAnonymousBlock())
- relPositionedInlineContainingBlock = relPositionedInlineContainingBlock->containingBlock();
- return relPositionedInlineContainingBlock;
+ o = o->containingBlock();
+ break;
}
#if ENABLE(SVG)
if (o->isSVGForeignObject()) //foreignObject is the containing block for contents inside it
@@ -738,6 +748,9 @@
o = o->parent();
}
+
+ while (o && o->isAnonymousBlock())
+ o = o->containingBlock();
} else {
while (o && ((o->isInline() && !o->isReplaced()) || !o->isRenderBlock()))
o = o->parent();
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
