WebCore:
authormitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Mar 2009 21:25:22 +0000 (21:25 +0000)
committermitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Mar 2009 21:25:22 +0000 (21:25 +0000)
        Reviewed by Dave Hyatt.

        - fix <rdar://problem/6472150> repro crash in
          RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using
          menus

        Test: fast/inline/continuation-positioned-reparenting.html

        * rendering/RenderInline.cpp:
        (WebCore::RenderInline::splitFlow): When repurposing the existing
        container as the "pre" block, clear its positioned objects list, because
        positioned descendants may end up in a different block after the split.

LayoutTests:

        Reviewed by Dave Hyatt.

        - test for <rdar://problem/6472150> repro crash in
          RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using
          menus

        * fast/inline/continuation-positioned-reparenting-expected.txt: Added.
        * fast/inline/continuation-positioned-reparenting.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@41981 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/inline/continuation-positioned-reparenting-expected.txt [new file with mode: 0644]
LayoutTests/fast/inline/continuation-positioned-reparenting.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderInline.cpp

index 4eb0bff..509e737 100644 (file)
@@ -1,3 +1,14 @@
+2009-03-25  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        - test for <rdar://problem/6472150> repro crash in
+          RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using
+          menus
+
+        * fast/inline/continuation-positioned-reparenting-expected.txt: Added.
+        * fast/inline/continuation-positioned-reparenting.html: Added.
+
 2009-03-24  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Dave Hyatt
diff --git a/LayoutTests/fast/inline/continuation-positioned-reparenting-expected.txt b/LayoutTests/fast/inline/continuation-positioned-reparenting-expected.txt
new file mode 100644 (file)
index 0000000..0b11342
--- /dev/null
@@ -0,0 +1,5 @@
+Test for rdar://problem/6472150 repro crash in RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using menus.
+
+The test passes if it does not crash.
+
+
diff --git a/LayoutTests/fast/inline/continuation-positioned-reparenting.html b/LayoutTests/fast/inline/continuation-positioned-reparenting.html
new file mode 100644 (file)
index 0000000..b65a082
--- /dev/null
@@ -0,0 +1,21 @@
+<p>
+    Test for <i><a href="rdar://problem/6472150">rdar://problem/6472150</a> repro crash in RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using menus</i>.
+</p>
+<p>
+    The test passes if it does not crash.
+</p>
+<div>
+    <div></div><span style="position: relative;"><div id="target" style="display: none;"></div><div id="positioned" style="position: absolute;"></div>
+</div>
+<script>
+    function test()
+    {
+        document.getElementById("target").style.display = "block";
+        document.getElementById("positioned").style.display = "none";
+    }
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    document.body.offsetTop;
+    test();
+</script>
index 9b4f051..e9f01e5 100644 (file)
@@ -1,3 +1,18 @@
+2009-03-25  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        - fix <rdar://problem/6472150> repro crash in
+          RenderBlock::rightmostPosition(bool, bool) const at mercotte.fr using
+          menus
+
+        Test: fast/inline/continuation-positioned-reparenting.html
+
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::splitFlow): When repurposing the existing
+        container as the "pre" block, clear its positioned objects list, because
+        positioned descendants may end up in a different block after the split.
+
 2009-03-24  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Dave Hyatt
index dbedd0c..8f98427 100644 (file)
@@ -332,6 +332,7 @@ void RenderInline::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox
     if (block->isAnonymousBlock() && (!block->parent() || !block->parent()->createsAnonymousWrapper())) {
         // We can reuse this block and make it the preBlock of the next continuation.
         pre = block;
+        pre->removePositionedObjects(0);
         block = block->containingBlock();
     } else {
         // No anonymous block available for use.  Make one.