Title: [105685] trunk
Revision: 105685
Author: [email protected]
Date: 2012-01-23 20:15:06 -0800 (Mon, 23 Jan 2012)

Log Message

Crash in WebCore::RenderTableSection::rowLogicalHeightChanged
https://webkit.org/b/76842

Reviewed by Darin Adler.

Source/WebCore:

Test: fast/table/crash-section-logical-height-changed-needsCellRecalc.html

The issue was that we would access our section's structure when it was dirty.

* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::rowLogicalHeightChanged):
Bail out if we need cells recalculation as our internal structure is not up-to-date
and we will recompute all the rows' heights as part of the recomputation anyway.

LayoutTests:

* fast/table/crash-section-logical-height-changed-needsCellRecalc-expected.txt: Added.
* fast/table/crash-section-logical-height-changed-needsCellRecalc.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (105684 => 105685)


--- trunk/LayoutTests/ChangeLog	2012-01-24 04:07:56 UTC (rev 105684)
+++ trunk/LayoutTests/ChangeLog	2012-01-24 04:15:06 UTC (rev 105685)
@@ -1,3 +1,13 @@
+2012-01-23  Julien Chaffraix  <[email protected]>
+
+        Crash in WebCore::RenderTableSection::rowLogicalHeightChanged
+        https://webkit.org/b/76842
+
+        Reviewed by Darin Adler.
+
+        * fast/table/crash-section-logical-height-changed-needsCellRecalc-expected.txt: Added.
+        * fast/table/crash-section-logical-height-changed-needsCellRecalc.html: Added.
+
 2012-01-23  Dmitry Lomov  <[email protected]>
 
         [Chromium] Implement layoutTestController.workerThreadCount in DRT

Added: trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc-expected.txt (0 => 105685)


--- trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc-expected.txt	2012-01-24 04:15:06 UTC (rev 105685)
@@ -0,0 +1,5 @@
+Bug 76842: Crash in WebCore::RenderTableSection::rowLogicalHeightChanged
+
+This test passes if it does not crash nor ASSERT.
+
+

Added: trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc.html (0 => 105685)


--- trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-section-logical-height-changed-needsCellRecalc.html	2012-01-24 04:15:06 UTC (rev 105685)
@@ -0,0 +1,53 @@
+<style>
+.c3 { position: fixed; }
+.c12:first-letter { visibility: inherit; }
+.c12 { -webkit-appearance: button; }
+.c13 { display: table-row; }
+.c13:nth-last-child(odd) { height: 80%; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function boom() {
+    var quote = document.createElement('q');
+    document.documentElement.appendChild(quote);
+
+    base = document.createElement('base');
+    base2 = document.createElement('base');
+    base2.setAttribute('class', 'c3');
+    quote.appendChild(base2);
+
+    var ins = document.createElement('ins');
+    base2.appendChild(ins);
+
+    var sub = document.createElement('sub');
+    var quote3 = document.createElement('q');
+    quote3.setAttribute('class', 'c12');
+    sub.appendChild(quote3);
+
+    figureRow = document.createElement('figure');
+    figureRow.setAttribute('class', 'c13');
+    document.documentElement.appendChild(figureRow);
+
+    var col = document.createElement('col');
+    col.setAttribute('class', 'c13');
+    document.documentElement.appendChild(col);
+
+    var select = document.createElement('select');
+    document.documentElement.appendChild(select);
+
+    code = document.createElement('code');
+    document.documentElement.appendChild(code);
+
+    quote2 = document.createElement('q');
+    setTimeout('quote2.appendChild(code);', 321);
+    ins.appendChild(sub);
+    setTimeout('base.appendChild(figureRow);', 251);
+    text = document.createTextNode('-1435037881');
+    setTimeout('figureRow.appendChild(text);', 206);
+}
+window._onload_ = boom;
+</script>
+<p>Bug <a href="" Crash in WebCore::RenderTableSection::rowLogicalHeightChanged</p>
+<p>This test passes if it does not crash nor ASSERT.</p>
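
Review bot: The last script line assigns boom to `window._onload_`, which is not an event handler property, so boom() is never called and the test passes without performing the DOM mutations it was written for; it should read `window.onload = boom;`. The three setTimeout calls (206, 251 and 321 ms) fire after load while the test only calls layoutTestController.dumpAsText(), so call waitUntilDone() up front and notifyDone() after the last timer to make sure the harness does not dump before the mutations run. The `<a href="" Crash in ...` line in the description paragraph never closes the opening tag and has no `</a>`. base, base2, figureRow, code, quote2 and text are implicit globals, some of them only because the timer strings need them; passing functions to setTimeout would let them be locals.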

Modified: trunk/Source/WebCore/ChangeLog (105684 => 105685)


--- trunk/Source/WebCore/ChangeLog	2012-01-24 04:07:56 UTC (rev 105684)
+++ trunk/Source/WebCore/ChangeLog	2012-01-24 04:15:06 UTC (rev 105685)
@@ -1,3 +1,19 @@
+2012-01-23  Julien Chaffraix  <[email protected]>
+
+        Crash in WebCore::RenderTableSection::rowLogicalHeightChanged
+        https://webkit.org/b/76842
+
+        Reviewed by Darin Adler.
+
+        Test: fast/table/crash-section-logical-height-changed-needsCellRecalc.html
+
+        The issue was that we would access our section's structure when it was dirty.
+
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::rowLogicalHeightChanged):
+        Bail out if we need cells recalculation as our internal structure is not up-to-date
+        and we will recompute all the rows' heights as part of the recomputation anyway.
+
 2012-01-23  Kentaro Hara  <[email protected]>
 
         [Refactoring] Make finish() of CodeGeneratorJS.pm empty

Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (105684 => 105685)


--- trunk/Source/WebCore/rendering/RenderTableSection.cpp	2012-01-24 04:07:56 UTC (rev 105684)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp	2012-01-24 04:15:06 UTC (rev 105685)
@@ -1198,6 +1198,9 @@
 // FIXME: This function could be made O(1) in certain cases (like for the non-most-constrainive cells' case).
 void RenderTableSection::rowLogicalHeightChanged(unsigned rowIndex)
 {
+    if (needsCellRecalc())
+        return;
+
     setRowLogicalHeightToRowStyleLogicalHeightIfNotRelative(m_grid[rowIndex]);
 
     for (RenderObject* cell = m_grid[rowIndex].rowRenderer->firstChild(); cell; cell = cell->nextSibling()) {
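
Review bot: The new guard at the top of rowLogicalHeightChanged() carries no comment, so the reason it is safe to return early (the pending cell recalculation recomputes every row's height) is recorded only in the ChangeLog; put a one-line comment above `if (needsCellRecalc())`. After the guard, `m_grid[rowIndex]` is still indexed and `rowRenderer` still dereferenced without any check, so an ASSERT that rowIndex is within the grid and that rowRenderer is non-null would catch any other caller that reaches this function with a stale index.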