[Webkit-unassigned] [Bug 24247] Crash in WebCore::RenderBlock::deleteLineBoxTree()
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 4 09:44:03 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=24247
------- Comment #3 from sky at google.com 2009-03-04 09:44 PDT -------
Created an attachment (id=28266)
--> (https://bugs.webkit.org/attachment.cgi?id=28266&action=view)
Test case for first assertion
This is the first assertion I saw when running the crashing page. I don't know
that this'll fix the crasher, or is representative of the crash, but at least
it'll fix the assertion and hopefully avoid us from getting into a bad state.
The test adds a table to a form via script. When the renderer for the newly
added table is created the parent renderer is a RenderInline. The parent
renderer has a continuation, the child is not inlined or positioned so we end
up in RenderInline::splitFlow. The parent of the form is a render table
section, but the containing block is a table renderer. When splitFlow tries to
move all the children from the table to the anonymous block we we hit this
assert in RenderObjectChildList::appendChildNode:
ASSERT(!owner->isBlockFlow() || (!newChild->isTableSection() &&
!newChild->isTableRow() && !newChild->isTableCell()));
because the newChild is a block and is a table section.
I'm not sure what the right way to fix this is though. Should the anonymous
block get added to the table section (containingBlock() skips table sections)?
Other ideas?
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list