5 files changed, 64 insertions, 8 deletions
diff --git a/third_party/WebKit/LayoutTests/ChangeLog b/third_party/WebKit/LayoutTests/ChangeLog
index ba61fe4..fb41e74 100755
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-11-17 Ken Buchanan <kenrb@chromium.org>
+
+ Crash from positioned generated content under run-in
+ https://bugs.webkit.org/show_bug.cgi?id=70456
+
+ Reviewed by David Hyatt.
+
+ Layout test for crash condition.
+
+ * fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.html: Added
+ * fast/css-generated-content/positioned-generated-content-under-run-in-crash.html: Added
+
 2011-11-17 Sheriff Bot <webkit.review.bot@gmail.com>
 Unreviewed, rolling out r100652.
diff --git a/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt b/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt
new file mode 100755
index 0000000..a1846ea
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash-expected.txt
@@ -0,0 +1,2 @@
+PASS, if no exceptions or crash observed
+
diff --git a/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html b/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html
new file mode 100755
index 0000000..60d02a4
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/css-generated-content/positioned-generated-content-under-run-in-crash.html
@@ -0,0 +1,22 @@
+<style>
+.testclass::before { position: absolute; content: ""; }
+.testclass { display: run-in; }
+</style>
+PASS, if no exceptions or crash observed
+<script>
+function runTest()
+{
+ test1 = document.createElement('div');
+ test1.setAttribute('class', 'testclass');
+ document.documentElement.appendChild(test1);
+ test2 = document.createElement('b');
+ test2.setAttribute('class', 'testclass');
+ document.documentElement.appendChild(test2);
+ test3 = document.createElement('div');
+ document.documentElement.appendChild(test3);
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+}
+window.onload = runTest;
+</script>
+
diff --git a/third_party/WebKit/Source/WebCore/ChangeLog b/third_party/WebKit/Source/WebCore/ChangeLog
index 7dd593b..59432dc 100644..100755
--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-11-17 Ken Buchanan <kenrb@chromium.org>
+
+ Crash from positioned generated content under run-in
+ https://bugs.webkit.org/show_bug.cgi?id=70456
+
+ Reviewed by David Hyatt.
+
+ Modified handling of run-in children to clear generated children
+ before removing the parent from the render tree. This caused problems
+ with absolute positioned children being not properly removed from the
+ positioned object list of the RenderView.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::handleRunInChild):
+
 2011-11-17 Peter Kasting <pkasting@google.com>
 Unreviewed, rolling out r100572.
diff --git a/third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp b/third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp
index 46ffbc5..bae6175 100755
--- a/third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp
+++ b/third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp
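Review bot: `test1`, `test2` and `test3` inside `runTest()` are assigned without `var`, so the test leaks three implicit globals; `var test1 = document.createElement('div');` (and likewise for `test2` and `test3`) keeps them function-local without changing what the test exercises. Separately, the LayoutTests ChangeLog entry in this commit lists `positioned-generated-content-under-run-in-crash-expected.html: Added`, while the expectation file actually added is `positioned-generated-content-under-run-in-crash-expected.txt`; the ChangeLog line should name the `.txt` file so the two agree.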
@@ -1582,6 +1582,16 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
 RenderBlock* currBlock = toRenderBlock(curr);
+ // First we destroy any :before/:after content. It will be regenerated by the new inline.
+ // Exception is if the run-in itself is generated.
+ if (child->style()->styleType() != BEFORE && child->style()->styleType() != AFTER) {
+ RenderObject* generatedContent;
+ if (child->getCachedPseudoStyle(BEFORE) && (generatedContent = child->beforePseudoElementRenderer()))
+ generatedContent->destroy();
+ if (child->getCachedPseudoStyle(AFTER) && (generatedContent = child->afterPseudoElementRenderer()))
+ generatedContent->destroy();
+ }
+
 // Remove the old child.
 children()->removeChildNode(this, blockRunIn);
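Review bot: The new comment says the :before/:after content "will be regenerated" but not why it must be destroyed before `children()->removeChildNode(this, blockRunIn)` instead of being skipped later as the old code did; the WebCore ChangeLog on this page gives the reason (positioned generated children stayed registered in the RenderView's positioned-object list after their parent had left the tree), and that ordering constraint belongs next to the code. I would extend the comment to `// Destroy :before/:after content while the run-in is still in the tree, so that any positioned generated renderer is unregistered from the RenderView's positioned-object list; removing the parent first left stale entries there (bug 70456). The new inline regenerates the content.` As a point of style, `RenderObject* generatedContent;` is declared uninitialized and assigned inside the two conditions; two locals initialized at declaration, e.g. `RenderObject* beforeContent = child->getCachedPseudoStyle(BEFORE) ? child->beforePseudoElementRenderer() : 0;` followed by `if (beforeContent) beforeContent->destroy();`, read more plainly. The hunk destroys the pseudo-element renderers of `child` but removes `blockRunIn`; presumably these are the same object, but that relationship is established outside the hunk, and handleRunInChild both begins and ends outside it.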
@@ -1590,16 +1600,11 @@ bool RenderBlock::handleRunInChild(RenderBox* child)
 RenderInline* inlineRunIn = new (renderArena()) RenderInline(runInNode ? runInNode : document());
 inlineRunIn->setStyle(blockRunIn->style());
- bool runInIsGenerated = child->style()->styleType() == BEFORE || child->style()->styleType() == AFTER;
-
- // Move the nodes from the old child to the new child, but skip any :before/:after content. It has already
- // been regenerated by the new inline.
+ // Move the nodes from the old child to the new child
 for (RenderObject* runInChild = blockRunIn->firstChild(); runInChild;) {
 RenderObject* nextSibling = runInChild->nextSibling();
- if (runInIsGenerated || (runInChild->style()->styleType() != BEFORE && runInChild->style()->styleType() != AFTER)) {
- blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
- inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
- }
+ blockRunIn->children()->removeChildNode(blockRunIn, runInChild, false);
+ inlineRunIn->addChild(runInChild); // Use addChild instead of appendChildNode since it handles correct placement of the children relative to :after-generated content.
 runInChild = nextSibling;
 } |
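Review bot: The replacement comment `// Move the nodes from the old child to the new child` drops the explanation the old comment carried and lacks its terminating period, so a reader of the loop no longer sees why every child, generated ones included, is now moved unconditionally. I would write `// Move the nodes from the old child to the new child. Any :before/:after content was destroyed earlier in this function, so nothing needs to be skipped here.` The trailing comment on `inlineRunIn->addChild(runInChild)` still refers to placement relative to :after-generated content, which is consistent with the new inline regenerating that content, but that behaviour rests on code outside the hunk; handleRunInChild's body continues past it.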