Title: [108372] trunk
Revision
108372
Author
[email protected]
Date
2012-02-21 11:10:05 -0800 (Tue, 21 Feb 2012)

Log Message

Crash in RenderTableSection::nodeAtPoint.
https://bugs.webkit.org/show_bug.cgi?id=78922

Reviewed by Julien Chaffraix.

Source/WebCore:

Test: fast/table/table-section-node-at-point-crash.html

* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::nodeAtPoint): recalc cells if the
m_needsCellRecalc is set. Otherwise, we will end up accessing
removed table cells.

LayoutTests:

* fast/table/table-section-node-at-point-crash-expected.txt: Added.
* fast/table/table-section-node-at-point-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (108371 => 108372)


--- trunk/LayoutTests/ChangeLog	2012-02-21 18:54:53 UTC (rev 108371)
+++ trunk/LayoutTests/ChangeLog	2012-02-21 19:10:05 UTC (rev 108372)
@@ -1,3 +1,13 @@
+2012-02-21  Abhishek Arya  <[email protected]>
+
+        Crash in RenderTableSection::nodeAtPoint.
+        https://bugs.webkit.org/show_bug.cgi?id=78922
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/table/table-section-node-at-point-crash-expected.txt: Added.
+        * fast/table/table-section-node-at-point-crash.html: Added.
+
 2012-02-21  James Robinson  <[email protected]>
 
         [chromium] Unreviewed, update chromium leopard baselines for r108364

Added: trunk/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt (0 => 108372)


--- trunk/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt	2012-02-21 19:10:05 UTC (rev 108372)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/table/table-section-node-at-point-crash.html (0 => 108372)


--- trunk/LayoutTests/fast/table/table-section-node-at-point-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/table-section-node-at-point-crash.html	2012-02-21 19:10:05 UTC (rev 108372)
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash.
+<style>
+#test1 {
+    display: table-cell;
+    content: counter(c);
+    counter-reset: c;
+    width: 1000px;
+    height: 1000px;
+}
+#test1::after {
+    content: counter(c);
+    counter-reset: c;
+}
+#test2 {
+    -webkit-flow-into: a;
+}
+#test2::before {
+    content: counter(c);
+    counter-reset: c;
+}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function crash() {
+    test1 = document.createElement('div');
+    test1.setAttribute('id', 'test1');
+    document.body.appendChild(test1);
+    test2 = document.createElement('div'); 
+    test2.setAttribute('id', 'test2');
+    test1.appendChild(test2);
+    document.body.offsetTop;
+    document.body.style.zoom = 2;
+	if (window.layoutTestController) {
+	    GCController.collect();
+        eventSender.mouseMoveTo(500, 500);
+        layoutTestController.notifyDone();
+	}
+}
+window._onload_ = crash;
+</script>
+</body>
+</html>
\ No newline at end of file
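Review bot: the `if (window.layoutTestController)` block inside `crash()` is indented with tabs while the rest of the script uses four spaces; please normalize to spaces so the block reads consistently, and add the missing trailing newline flagged by "No newline at end of file". `test1` and `test2` are assigned without `var` and so become implicit globals; `var test1 = document.createElement('div');` keeps the test self-contained. The file is also added with the `svn:executable` property, which an HTML layout test does not need.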
Property changes on: trunk/LayoutTests/fast/table/table-section-node-at-point-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (108371 => 108372)


--- trunk/Source/WebCore/ChangeLog	2012-02-21 18:54:53 UTC (rev 108371)
+++ trunk/Source/WebCore/ChangeLog	2012-02-21 19:10:05 UTC (rev 108372)
@@ -1,3 +1,17 @@
+2012-02-21  Abhishek Arya  <[email protected]>
+
+        Crash in RenderTableSection::nodeAtPoint.
+        https://bugs.webkit.org/show_bug.cgi?id=78922
+
+        Reviewed by Julien Chaffraix.
+
+        Test: fast/table/table-section-node-at-point-crash.html
+
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::nodeAtPoint): recalc cells if the
+        m_needsCellRecalc is set. Otherwise, we will end up accessing
+        removed table cells.
+
 2012-02-21  Antti Koivisto  <[email protected]>
 
         Move PropertySetCSSStyleDeclaration to a file of its own

Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (108371 => 108372)


--- trunk/Source/WebCore/rendering/RenderTableSection.cpp	2012-02-21 18:54:53 UTC (rev 108371)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp	2012-02-21 19:10:05 UTC (rev 108372)
@@ -1306,6 +1306,9 @@
     }
 
     LayoutUnit offsetInColumnDirection = style()->isHorizontalWritingMode() ? location.y() : location.x();
+    
+    recalcCellsIfNeeded();
+
     // Find the first row that starts after offsetInColumnDirection.
     unsigned nextRow = std::upper_bound(m_rowPos.begin(), m_rowPos.end(), offsetInColumnDirection) - m_rowPos.begin();
     if (nextRow == m_rowPos.size())
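Review bot: the added blank line before `recalcCellsIfNeeded();` carries trailing whitespace (`+    `), which WebKit style checks reject; make it an empty line. Since the call is what keeps `m_rowPos` from being read while it still refers to removed cells, a one-line comment stating that (the rationale currently lives only in the ChangeLog) would help future readers, e.g. `// Recalculate cells before touching m_rowPos, which may reference removed cells otherwise.`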
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
