[webkit-changes] [107987] trunk

Thu, 16 Feb 2012 15:35:44 -0800

Title: [107987] trunk
Revision
107987
Author
[email protected]
Date
2012-02-16 15:35:17 -0800 (Thu, 16 Feb 2012)

Log Message

Crash with tables in multi-column layout.
https://bugs.webkit.org/show_bug.cgi?id=78415

Reviewed by Julien Chaffraix.

Source/WebCore:

Multi-column code creates anonymous column blocks directly
under RenderTable, thereby violating table layout assumption.
E.g. Captions in this testcase gets reparented to these anonymous
column blocks and when they go away, they are not able to clear
themselves from table's m_captions list (since RenderTable::removeChild
is not called).

Test: fast/multicol/span/table-multi-column-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::containingColumnsBlock):

LayoutTests:

* fast/multicol/span/table-multi-column-crash-expected.txt: Added.
* fast/multicol/span/table-multi-column-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (107986 => 107987)


--- trunk/LayoutTests/ChangeLog	2012-02-16 23:32:46 UTC (rev 107986)
+++ trunk/LayoutTests/ChangeLog	2012-02-16 23:35:17 UTC (rev 107987)
@@ -1,3 +1,13 @@
+2012-02-16  Abhishek Arya  <[email protected]>
+
+        Crash with tables in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=78415
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/multicol/span/table-multi-column-crash-expected.txt: Added.
+        * fast/multicol/span/table-multi-column-crash.html: Added.
+
 2012-02-16  James Robinson  <[email protected]>
 
         [chromium] Update table pixel expectations. Unreviewed.

Added: trunk/LayoutTests/fast/multicol/span/table-multi-column-crash-expected.txt (0 => 107987)


--- trunk/LayoutTests/fast/multicol/span/table-multi-column-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/table-multi-column-crash-expected.txt	2012-02-16 23:35:17 UTC (rev 107987)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/multicol/span/table-multi-column-crash.html (0 => 107987)


--- trunk/LayoutTests/fast/multicol/span/table-multi-column-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/span/table-multi-column-crash.html	2012-02-16 23:35:17 UTC (rev 107987)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash.
+<style>
+.table_span { -webkit-column-span: all;}
+.table_container { -webkit-column-count: 2; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+table_span = document.createElement('table');
+table_span.setAttribute('class', 'table_span');
+table_container = document.createElement('table');
+table_container.setAttribute('class', 'table_container');
+table_caption = document.createElement('caption');
+table_caption.appendChild(table_span);
+table_container.appendChild(table_caption);
+document.body.appendChild(table_container);
+document.body.offsetTop;
+
+table_caption.parentNode.removeChild(table_caption);
+</script>
+</body>
+</html>
Property changes on: trunk/LayoutTests/fast/multicol/span/table-multi-column-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (107986 => 107987)


--- trunk/Source/WebCore/ChangeLog	2012-02-16 23:32:46 UTC (rev 107986)
+++ trunk/Source/WebCore/ChangeLog	2012-02-16 23:35:17 UTC (rev 107987)
@@ -1,3 +1,22 @@
+2012-02-16  Abhishek Arya  <[email protected]>
+
+        Crash with tables in multi-column layout.
+        https://bugs.webkit.org/show_bug.cgi?id=78415
+
+        Reviewed by Julien Chaffraix.
+
+        Multi-column code creates anonymous column blocks directly
+        under RenderTable, thereby violating table layout assumption.
+        E.g. Captions in this testcase gets reparented to these anonymous
+        column blocks and when they go away, they are not able to clear
+        themselves from table's m_captions list (since RenderTable::removeChild
+        is not called).
+
+        Test: fast/multicol/span/table-multi-column-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::containingColumnsBlock):
+
 2012-02-16  ChangSeok Oh  <[email protected]>
 
         [GTK] File system api build is broken

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (107986 => 107987)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-02-16 23:32:46 UTC (rev 107986)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-02-16 23:35:17 UTC (rev 107987)
@@ -434,6 +434,12 @@
         if (!curr->isRenderBlock() || curr->isFloatingOrPositioned() || curr->isTableCell() || curr->isRoot() || curr->isRenderView() || curr->hasOverflowClip()
             || curr->isInlineBlockOrInlineTable())
             return 0;
+
+        // FIXME: Table manages its own table parts, most of which are RenderBoxes.
+        // Multi-column code cannot handle splitting the flow in table. Disabling it
+        // to prevent crashes.
+        if (curr->isTable())
+            return 0;
         
         RenderBlock* currBlock = toRenderBlock(curr);
         if (!currBlock->createsAnonymousWrapper())

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to