Source/core/rendering/RenderBlock.cpp - Issue 880113002: Fix crash when establishing an inline continuation inside a block continuation.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/core/rendering/RenderBlock.cpp

Issue 880113002: Fix crash when establishing an inline continuation inside a block continuation. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Remove assertion in LayoutTable::addChildIgnoringContinuation() - crashed fast/table/crash-bad-chil… Created 5 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: Source/core/rendering/RenderBlock.cpp

diff --git a/Source/core/rendering/RenderBlock.cpp b/Source/core/rendering/RenderBlock.cpp

index b99b8b0cdddd720c373e4d4d5506d200e7f45fff..e285e940643ff4bb165b7892253c7ef5f263c24e 100644

--- a/Source/core/rendering/RenderBlock.cpp

+++ b/Source/core/rendering/RenderBlock.cpp

@@ -450,11 +450,25 @@ RenderBlock* RenderBlock::continuationBefore(RenderObject* beforeChild)

void RenderBlock::addChildToContinuation(RenderObject* newChild, RenderObject* beforeChild)

{

RenderBlock* flow = continuationBefore(beforeChild);

- ASSERT(!beforeChild || beforeChild->parent()->isAnonymousColumnSpanBlock() || beforeChild->parent()->isRenderBlock());

RenderBoxModelObject* beforeChildParent = 0;

- if (beforeChild)

+ if (beforeChild) {

beforeChildParent = toRenderBoxModelObject(beforeChild->parent());

- else {

+ // Don't attempt to insert into something that isn't a RenderBlockFlow (block

+ // container). While the DOM nodes of |beforeChild| and |newChild| are siblings, there may

+ // be anonymous table wrapper objects around |beforeChild| on the layout side. Therefore,

+ // find the nearest RenderBlockFlow. If it turns out that the new renderer doesn't belong

+ // inside the anonymous table, this will make sure that it's really put on the outside. If

+ // it turns out that it does belong inside it, the normal child insertion machinery will

+ // make sure it ends up there, and at the right place too. We cannot just guess that it's

+ // going to be right under the parent of |beforeChild|.

+ while (beforeChildParent && !beforeChildParent->isRenderBlockFlow()) {

+ ASSERT(!beforeChildParent->virtualContinuation());

+ ASSERT(beforeChildParent->isAnonymous());

+ RELEASE_ASSERT(beforeChildParent != this);

+ beforeChildParent = toRenderBoxModelObject(beforeChildParent->parent());

+ }

+ ASSERT(beforeChildParent);

+ } else {

RenderBoxModelObject* cont = flow->continuation();

if (cont)

beforeChildParent = cont;

« no previous file with comments | « Source/core/layout/LayoutTable.cpp ('k') | no next file » | no next file with comments »