diff options
| author | Steve Block <steveblock@google.com> | 2012-02-28 12:21:41 +0000 |
|---|---|---|
| committer | Steve Block <steveblock@google.com> | 2012-02-28 13:16:38 +0000 |
| commit | 538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3 (patch) | |
| tree | a53703c98d7dd0cfe49f99b6f117709ce8cdedfa /Source | |
| parent | 3c049d2aded213c7bcc49cdb7283cf0fcb509644 (diff) | |
| download | external_webkit-538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3.zip external_webkit-538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3.tar.gz external_webkit-538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3.tar.bz2 | |
Cherry-pick WebKit r100677 to fix a rendering crash
This fixes a crash from positioned generated content under run-in.
See http://trac.webkit.org/changeset/100677.
Bug: 6079158
Change-Id: I3d2012c58f47e71ae500e33551dfab5587b84534
Diffstat (limited to 'Source')
| -rw-r--r-- | Source/WebCore/rendering/RenderBlock.cpp | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp index 373523d..a90bf69 100644 --- a/Source/WebCore/rendering/RenderBlock.cpp +++ b/Source/WebCore/rendering/RenderBlock.cpp @@ -1561,6 +1561,16 @@ bool RenderBlock::handleRunInChild(RenderBox* child) RenderBlock* currBlock = toRenderBlock(curr); + // First we destroy any :before/:after content. It will be regenerated by the new inline. + // Exception is if the run-in itself is generated. + if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) { + RenderObject* generatedContent; + if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer())) + generatedContent->destroy(); + if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer())) + generatedContent->destroy(); + } + // Remove the old child. children()->removeChildNode(this, blockRunIn); @@ -1569,16 +1579,11 @@ bool RenderBlock::handleRunInChild(RenderBox* child) RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document()); inlineRunIn->setStyle(blockRunIn->style()); - bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER; - - // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already - // been regenerated by the new inline. + // Move the nodes from the old child to the new child for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) { RenderObject* nextSibling = runInChild->nextSibling(); - if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) { - blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false); - inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content. - } + blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false); + inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content. runInChild = nextSibling; } |