Integrate WebKit security fix

http://trac.webkit.org/changeset/50466 Fix http://b/issue?id=2268722
author: Grace Kloba <klobag@google.com> 2009-11-17 18:07:26 -0800
committer: Grace Kloba <klobag@google.com> 2009-11-17 18:07:26 -0800
commit: ffe27b58c77e71641efd3bd4258323cd4c29c39a (patch)
tree: c5cbaad45d810d8d11d30073b5cd455192547511 /WebCore/rendering
parent: a56054997e46fcd04621cc67d650b6daf85f7b59 (diff)
download: external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.zip
external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.tar.gz
external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.tar.bz2
2 files changed, 18 insertions, 12 deletions
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index e10c331..b568a4f 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -172,14 +172,17 @@ RenderBlock::~RenderBlock()
 
 void RenderBlock::destroy()
 {
-    // Detach our continuation first.
-    if (m_inlineContinuation)
+    // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will 
+    // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise. 
+    children()->destroyLeftoverChildren(); 
+
+    // Destroy our continuation before anything other than anonymous children. 
+    // The reason we don't destroy it before anonymous children is that they may 
+    // have continuations of their own that are anonymous children of our continuation. 
+    if (m_inlineContinuation) { 
         m_inlineContinuation->destroy();
-    m_inlineContinuation = 0;
-    
-    // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
-    // properly dirty line boxes that they are removed from.  Effects that do :before/:after only on hover could crash otherwise.
-    children()->destroyLeftoverChildren();
+        m_inlineContinuation = 0; 
+    }
 
     if (!documentBeingDestroyed()) {
         if (firstLineBox()) {
diff --git a/WebCore/rendering/RenderInline.cpp b/WebCore/rendering/RenderInline.cpp
index 53962d2..223255e 100644
--- a/WebCore/rendering/RenderInline.cpp
+++ b/WebCore/rendering/RenderInline.cpp
@@ -51,15 +51,18 @@ RenderInline::RenderInline(Node* node)
 
 void RenderInline::destroy()
 {
-    // Detach our continuation first.
-    if (m_continuation)
-        m_continuation->destroy();
-    m_continuation = 0;
-    
     // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will
     // properly dirty line boxes that they are removed from.  Effects that do :before/:after only on hover could crash otherwise.
     children()->destroyLeftoverChildren();
 
+    // Destroy our continuation before anything other than anonymous children. 
+    // The reason we don't destroy it before anonymous children is that they may 
+    // have continuations of their own that are anonymous children of our continuation. 
+    if (m_continuation) { 
+        m_continuation->destroy(); 
+        m_continuation = 0; 
+    } 
+
     if (!documentBeingDestroyed()) {
         if (firstLineBox()) {
             // We can't wait for RenderBoxModelObject::destroy to clear the selection,
author	Grace Kloba <klobag@google.com>	2009-11-17 18:07:26 -0800
committer	Grace Kloba <klobag@google.com>	2009-11-17 18:07:26 -0800
commit	ffe27b58c77e71641efd3bd4258323cd4c29c39a (patch)
tree	c5cbaad45d810d8d11d30073b5cd455192547511 /WebCore/rendering
parent	a56054997e46fcd04621cc67d650b6daf85f7b59 (diff)
download	external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.zip external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.tar.gz external_webkit-ffe27b58c77e71641efd3bd4258323cd4c29c39a.tar.bz2