Skip to site navigation (Press enter)

[webkit-changes] [97907] trunk

jchaffraix Wed, 19 Oct 2011 18:35:34 -0700

Title: [97907] trunk

Revision: 97907
Author: [email protected]
Date: 2011-10-19 18:36:28 -0700 (Wed, 19 Oct 2011)

Log Message

Multiple crashes in RenderTable during layout
https://bugs.webkit.org/show_bug.cgi?id=70392


Reviewed by Simon Fraser.

Source/WebCore:

Tests: fast/table/crash-anonymous-table-computeLogicalWidth.html
       fast/table/crash-anonymous-table-layout.html

r97555 forgot to take into account anonymous tables during layout
where RenderObject::node() is NULL.

* rendering/RenderTable.cpp:
(WebCore::RenderTable::computeLogicalWidth):
(WebCore::RenderTable::layout):
Added a check for node() before calling Node::hasTagName.

LayoutTests:

* fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt: Added.
* fast/table/crash-anonymous-table-computeLogicalWidth.html: Added.
* fast/table/crash-anonymous-table-layout-expected.txt: Added.
* fast/table/crash-anonymous-table-layout.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderTable.cpp

Added Paths

trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt
trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html
trunk/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt
trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html

Diff

Modified: trunk/LayoutTests/ChangeLog (97906 => 97907)


--- trunk/LayoutTests/ChangeLog	2011-10-20 01:24:39 UTC (rev 97906)
+++ trunk/LayoutTests/ChangeLog	2011-10-20 01:36:28 UTC (rev 97907)
@@ -1,3 +1,15 @@
+2011-10-19  Julien Chaffraix  <[email protected]>
+
+        Multiple crashes in RenderTable during layout
+        https://bugs.webkit.org/show_bug.cgi?id=70392
+
+        Reviewed by Simon Fraser.
+
+        * fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt: Added.
+        * fast/table/crash-anonymous-table-computeLogicalWidth.html: Added.
+        * fast/table/crash-anonymous-table-layout-expected.txt: Added.
+        * fast/table/crash-anonymous-table-layout.html: Added.
+
 2011-10-19  Dirk Pranke  <[email protected]>
 
         Update chromium expectations after r97889.

Added: trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt (0 => 97907)


--- trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt	2011-10-20 01:36:28 UTC (rev 97907)
@@ -0,0 +1,2 @@
+Bug 70392: Multiple crashes in RenderTable during layout
+This test passes if it does not CRASH.

Added: trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html (0 => 97907)


--- trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html	2011-10-20 01:36:28 UTC (rev 97907)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.tableBefore:before { display: inline-table; content: url(data:text/plain,foo); width: 10px; }
+</style>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<div class="tableBefore"></div>
+<div>Bug <a href="" Multiple crashes in RenderTable during layout</div>
+<div>This test passes if it does not CRASH.</div>
+</body>
+</html>
Property changes on: trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html
___________________________________________________________________

Added: svn:executable

Added: trunk/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt (0 => 97907)


--- trunk/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt	2011-10-20 01:36:28 UTC (rev 97907)
@@ -0,0 +1,2 @@
+Bug 70392: Multiple crashes in RenderTable during layout
+This test passes if it does not CRASH.

Added: trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html (0 => 97907)


--- trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html	2011-10-20 01:36:28 UTC (rev 97907)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.tableAfter::after { display: table; content: attr(class); height: 1px; }
+</style>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<div class="tableAfter"></div>
+<div>Bug <a href="" Multiple crashes in RenderTable during layout</div>
+<div>This test passes if it does not CRASH.</div>
+</body>
+</html>
Property changes on: trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (97906 => 97907)


--- trunk/Source/WebCore/ChangeLog	2011-10-20 01:24:39 UTC (rev 97906)
+++ trunk/Source/WebCore/ChangeLog	2011-10-20 01:36:28 UTC (rev 97907)
@@ -1,3 +1,21 @@
+2011-10-19  Julien Chaffraix  <[email protected]>
+
+        Multiple crashes in RenderTable during layout
+        https://bugs.webkit.org/show_bug.cgi?id=70392
+
+        Reviewed by Simon Fraser.
+
+        Tests: fast/table/crash-anonymous-table-computeLogicalWidth.html
+               fast/table/crash-anonymous-table-layout.html
+
+        r97555 forgot to take into account anonymous tables during layout
+        where RenderObject::node() is NULL.
+
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::computeLogicalWidth):
+        (WebCore::RenderTable::layout):
+        Added a check for node() before calling Node::hasTagName.
+
 2011-10-19  Adam Bergkvist  <[email protected]>
 
         Update MediaStream to use WebCore platform interfaces

Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (97906 => 97907)


--- trunk/Source/WebCore/rendering/RenderTable.cpp	2011-10-20 01:24:39 UTC (rev 97906)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp	2011-10-20 01:36:28 UTC (rev 97907)
@@ -239,7 +239,7 @@
         // Percent or fixed table
         // HTML tables size as though CSS width includes border/padding, CSS tables do not.
         LayoutUnit borders = 0;
-        if (!node()->hasTagName(tableTag)) {
+        if (!node() || !node()->hasTagName(tableTag)) {
             bool collapsing = collapseBorders();
             LayoutUnit borderAndPaddingBefore = borderBefore() + (collapsing ? 0 : paddingBefore());
             LayoutUnit borderAndPaddingAfter = borderAfter() + (collapsing ? 0 : paddingAfter());
@@ -369,7 +369,7 @@
     LayoutUnit computedLogicalHeight = 0;
     if (logicalHeightLength.isFixed()) {
         // HTML tables size as though CSS height includes border/padding, CSS tables do not.
-        LayoutUnit borders = node()->hasTagName(tableTag) ? (borderAndPaddingBefore + borderAndPaddingAfter) : 0;
+        LayoutUnit borders = node() && node()->hasTagName(tableTag) ? (borderAndPaddingBefore + borderAndPaddingAfter) : 0;
         computedLogicalHeight = logicalHeightLength.value() - borders;
     } else if (logicalHeightLength.isPercent())
         computedLogicalHeight = computePercentageLogicalHeight(logicalHeightLength);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes