Issue 9232034: Merge 104183 - Source/WebCore: Crash due to reparenting of relpositioned object under anonymous b...

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 9232034: Merge 104183 - Source/WebCore: Crash due to reparenting of relpositioned object under anonymous b... (Closed)

Created:
8 years, 11 months ago by Cris Neckar

Modified:
8 years, 11 months ago

Reviewers:
commit-queue

CC:
chromium-reviews

Base URL:
http://svn.webkit.org/repository/webkit/branches/chromium/912/

Visibility:
Public.

More Reviews

Description

Merge 104183 - Source/WebCore: Crash due to reparenting of relpositioned object under anonymous block https://bugs.webkit.org/show_bug.cgi?id=70848 The associated test case creates a condition where a relative positioned renderer is a descendant of an anonymous block for a table column. The anonymous block is the containingBlock() for the relpositioned renderer. Removal of a div causes the anonymous blocks to be merged, and the renderer becomes a descendant of a different block. Since the new containingBlock() has an empty positionedObject list, the relpositioned renderer does not get layout after being dirtied. This patch changes containingBlock() so that it returns the container of an anonymous block for positioned objects, not the anonymous block itself. It also adds an ASSERT to insertPositionedObject() to flag any other cases where something is trying to create a positioned object list on an anonymous block. Patch by Ken Buchanan <kenrb@chromium.org>; on 2012-01-05 Reviewed by David Hyatt. * rendering/RenderBlock.cpp: (WebCore::RenderBlock::insertPositionedObject): * rendering/RenderObject.cpp: (WebCore::RenderObject::containingBlock): LayoutTests: Crash due to reparenting of relpositioned object in table https://bugs.webkit.org/show_bug.cgi?id=70848 Adding test that exercises the crash condition in bug 70848. Patch by Ken Buchanan <kenrb@chromium.org>; on 2012-01-05 Reviewed by David Hyatt. * fast/css/relative-position-replaced-in-table-display-crash-expected.txt: Added * fast/css/relative-position-replaced-in-table-display-crash.html: Added Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=105337

Patch Set 1 #

Created: 8 years, 11 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+7 lines, -1 line)			Patch
A +	LayoutTests/fast/css/relative-position-replaced-in-table-display-crash.html	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
A +	LayoutTests/fast/css/relative-position-replaced-in-table-display-crash-expected.txt	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/WebCore/rendering/RenderBlock.cpp	View	1 chunk	+2 lines, -0 lines	0 comments	Download
M	Source/WebCore/rendering/RenderObject.cpp	View	1 chunk	+7 lines, -3 lines	0 comments	Download

Messages

Total messages: 1 (0 generated)

Expand Messages | Collapse Messages