Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Cherry-pick WebKit r100677 to fix a rendering crash

This fixes a crash from positioned generated content under run-in.
See http://trac.webkit.org/changeset/100677.

Bug: 6079158
Change-Id: I3d2012c58f47e71ae500e33551dfab5587b84534
  • Loading branch information...
commit d911316743c0757f8877db9f4d747ed24572b1e9 1 parent 599c05f
Steve Block authored Jean-Baptiste Queru committed
Showing with 13 additions and 8 deletions.
  1. +13 −8 Source/WebCore/rendering/RenderBlock.cpp
View
21 Source/WebCore/rendering/RenderBlock.cpp
@@ -1561,6 +1561,16 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
RenderBlock* currBlock = toRenderBlock(curr);
+ // First we destroy any :before/:after content. It will be regenerated by the new inline.
+ // Exception is if the run-in itself is generated.
+ if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) {
+ RenderObject* generatedContent;
+ if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer()))
+ generatedContent->destroy();
+ if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer()))
+ generatedContent->destroy();
+ }
+
// Remove the old child.
children()->removeChildNode(this, blockRunIn);
@@ -1569,16 +1579,11 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document());
inlineRunIn->setStyle(blockRunIn->style());
- bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER;
-
- // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already
- // been regenerated by the new inline.
+ // Move the nodes from the old child to the new child
for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
RenderObject* nextSibling = runInChild->nextSibling();
- if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) {
- blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
- inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
- }
+ blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+ inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
runInChild = nextSibling;
}
Please sign in to comment.
Something went wrong with that request. Please try again.