From 538b01d6410e7c7a5b2faabe7b84c80ddc32d5f3 Mon Sep 17 00:00:00 2001
From: Steve Block
Date: Tue, 28 Feb 2012 12:21:41 +0000
Subject: [PATCH] Cherry-pick WebKit r100677 to fix a rendering crash

This fixes a crash from positioned generated content under run-in. See http://trac.webkit.org/changeset/100677.
Bug: 6079158
Change-Id: I3d2012c58f47e71ae500e33551dfab5587b84534
---
 Source/WebCore/rendering/RenderBlock.cpp | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index 373523d2c..a90bf69e3 100644
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -1561,6 +1561,16 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
 RenderBlock* currBlock = toRenderBlock(curr);
+ // First we destroy any :before/:after content. It will be regenerated by the new inline.
+ // Exception is if the run-in itself is generated.
+ if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) {
+ RenderObject* generatedContent;
+ if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer()))
+ generatedContent->destroy();
+ if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer()))
+ generatedContent->destroy();
+ }
+
 // Remove the old child.
 children()->removeChildNode(this, blockRunIn);
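Review bot: `RenderObject* generatedContent;` in the added block is declared uninitialised and only assigned inside the `&&` conditions, so its validity rests on short-circuit evaluation, and after each `destroy()` call it is left pointing at a renderer that has presumably been released. Assigning it outside the condition would be clearer, e.g. `RenderObject* generatedContent = child->getCachedPseudoStyle(BEFORE) ? child->beforePseudoElementRenderer() : 0;` followed by `if (generatedContent) generatedContent->destroy();`, and likewise for AFTER. A comment worth adding above the block is `// destroy() releases the renderer; nothing below may keep a pointer into the generated subtree.` The body of handleRunInChild starts and ends outside this hunk, so whether `child` and `blockRunIn` refer to the same object is inferred rather than visible here.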
@@ -1569,16 +1579,11 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
 RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document());
 inlineRunIn->setStyle(blockRunIn->style());
- bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER;
-
- // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already
- // been regenerated by the new inline.
+ // Move the nodes from the old child to the new child
 for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
 RenderObject* nextSibling = runInChild->nextSibling();
- if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) {
- blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
- inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
- }
+ blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+ inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
 runInChild = nextSibling;
 }
-- 
2.11.0
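Review bot: The move loop now transfers every child of `blockRunIn` unconditionally, so it silently depends on the destroy block added in the first hunk having already removed all :before/:after renderers; the new comment `// Move the nodes from the old child to the new child` does not say so. If a generated renderer survives that block (for instance if `getCachedPseudoStyle()` returns null while a renderer still exists, which cannot be checked from this hunk), it would be moved into the new inline alongside the regenerated content, which looks like the state this crash fix is meant to prevent. I would extend the comment to `// Move the nodes from the old child to the new child. Generated :before/:after content was destroyed above unless the run-in itself is generated.` and consider a debug-only `ASSERT` on `runInChild->style()->styleType()` inside the loop for the non-generated case. The loop sits inside handleRunInChild, whose start and end are outside the hunk.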