Bug 30944

Summary: [Crash (debug)] Combination of list-item and :after causes assertion failure
Product: WebKit Reporter: Yuta Kitamura <yutak>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Test case
none
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
none
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent(). none

Description Yuta Kitamura 2009-10-29 19:30:50 PDT 
Steps to reproduce:
1. Open the attached HTML using debug version of WebKit.
2. Move your mouse pointer to the text.
3. Observe the browser is crashing with the following message:

ASSERTION FAILED: genChild->style()->styleType() == FIRST_LETTER
(/Users/yutak/WebKit/WebCore/rendering/RenderObjectChildList.cpp:374 void WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject*))

This is derived from a Chromium bug: http://crbug.com/20686
Comment 1 Yuta Kitamura 2009-10-29 19:31:31 PDT 
Created attachment 42171 [details]
Test case
Comment 2 Yuta Kitamura 2009-10-30 04:09:16 PDT 
Created attachment 42204 [details]
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
Comment 3 Yuta Kitamura 2009-10-30 04:12:34 PDT 
Created attachment 42205 [details]
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().
Comment 4 Darin Adler 2009-10-30 10:41:25 PDT 
Comment on attachment 42205 [details]
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().

For an assertion-only change, I don't think a test case is required.

The test says "passes if it does not crash", but that's misleading. This only ever asserted, it wouldn't crash in a non-debug build.

r=me
Comment 5 Eric Seidel (no email) 2009-10-30 15:25:34 PDT 
Comment on attachment 42205 [details]
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().

LGTM too.  Adding to the commit-queue.
Comment 6 WebKit Commit Bot 2009-11-01 08:03:36 PST 
Comment on attachment 42205 [details]
Fix assertion falure in RenderObjectChildList::updateBeforeAfterContent().

Clearing flags on attachment: 42205

Committed r50386: <http://trac.webkit.org/changeset/50386>
Comment 7 WebKit Commit Bot 2009-11-01 08:03:41 PST 
All reviewed patches have been landed.  Closing bug.