Bug 30944

Summary: [Crash (debug)] Combination of list-item and :after causes assertion failure
Product: WebKit Reporter: Yuta Kitamura <yutak>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Test case
none
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
none
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). none

Yuta Kitamura
Reported 2009-10-29 19:30:50 PDT
Steps to reproduce: 1. Open the attached HTML using debug version of WebKit. 2. Move your mouse pointer to the text. 3. Observe the browser is crashing with the following message: ASSERTION FAILED: genChild->style()->styleType() == FIRST_LETTER (/Users/yutak/WebKit/WebCore/rendering/RenderObjectChildList.cpp:374 void WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject*)) This is derived from a Chromium bug: http://crbug.com/20686
Attachments
Test case (374 bytes, text/html)
2009-10-29 19:31 PDT, Yuta Kitamura 		no flags
Details
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). (4.50 KB, patch)
2009-10-30 04:09 PDT, Yuta Kitamura 		no flags
DetailsFormatted DiffDiff
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). (4.51 KB, patch)
2009-10-30 04:12 PDT, Yuta Kitamura 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yuta Kitamura
Comment 1 2009-10-29 19:31:31 PDT
Created attachment 42171 [details] Test case
Yuta Kitamura
Comment 2 2009-10-30 04:09:16 PDT
Created attachment 42204 [details] Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
Yuta Kitamura
Comment 3 2009-10-30 04:12:34 PDT
Created attachment 42205 [details] Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
Darin Adler
Comment 4 2009-10-30 10:41:25 PDT
Comment on attachment 42205 [details] Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). For an assertion-only change, I don't think a test case is required. The test says "passes if it does not crash", but that's misleading. This only ever asserted, it wouldn't crash in a non-debug build. r=me
Eric Seidel (no email)
Comment 5 2009-10-30 15:25:34 PDT
Comment on attachment 42205 [details] Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). LGTM too. Adding to the commit-queue.
WebKit Commit Bot
Comment 6 2009-11-01 08:03:36 PST
Comment on attachment 42205 [details] Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). Clearing flags on attachment: 42205 Committed r50386: <http://trac.webkit.org/changeset/50386>
WebKit Commit Bot
Comment 7 2009-11-01 08:03:41 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.