[Webkit-unassigned] [Bug 13558] REGRESSION: Crash when loading document with absolutely positioned generated content on inline element

[bugzilla-daemon at webkit.org]

http://bugs.webkit.org/show_bug.cgi?id=13558





------- Comment #4 from mitz at webkit.org  2007-05-01 07:00 PDT -------
The test case generates a positioned inline. The pseudo element's initial style
is display: inline; position: absolute. adjustRenderStyle fixes it, changing
display to block. But then updateBeforeAfterContentForContainer has the
following:

    if (isInlineFlow() && !pseudoElementStyle->isDisplayInlineType())
        // According to the CSS2 spec (the end of section 12.1), the only
allowed
        // display values for the pseudo style are NONE and INLINE for inline
flows.
        // FIXME: CSS2.1 lifted this restriction, but block display types will
crash.
        // For now we at least relax the restriction to allow all inline types
like inline-block
        // and inline-table.
        pseudoElementStyle->setDisplay(INLINE);

which resets display to inline, leading to the crash.

I don't know what crash the comment is talking about. Firefox 3 still seems to
enforce the inline/none rule, but Opera allows block.

To fix this bug, you can either allow block for positioned generated content
(assuming it won't trigger the crash the comment talks about), disallow
positioned generated content (which would mimic Firefox, it seems), or allow
block for all generated content (and fix the mysterious crash from the comment,
if it still exists; that would match Opera).


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.