[webkit-changes] [109387] branches/chromium/963

[cevans]

Title: [109387] branches/chromium/963

Revision

109387

Author

cev...@google.com

Date

2012-03-01 12:13:53 -0800 (Thu, 01 Mar 2012)

Log Message

Merge 108372
BUG=114219
Review URL: https://chromiumcodereview.appspot.com/9567020

Modified Paths

branches/chromium/963/Source/WebCore/rendering/RenderTableSection.cpp


Added Paths

branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt
branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash.html

Diff

Copied: branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt (from rev 108372, trunk/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt) (0 => 109387)

--- branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash-expected.txt	2012-03-01 20:13:53 UTC (rev 109387)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Copied: branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash.html (from rev 108372, trunk/LayoutTests/fast/table/table-section-node-at-point-crash.html) (0 => 109387)

--- branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash.html	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/table/table-section-node-at-point-crash.html	2012-03-01 20:13:53 UTC (rev 109387)
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash.
+<style>
+#test1 {
+    display: table-cell;
+    content: counter(c);
+    counter-reset: c;
+    width: 1000px;
+    height: 1000px;
+}
+#test1::after {
+    content: counter(c);
+    counter-reset: c;
+}
+#test2 {
+    -webkit-flow-into: a;
+}
+#test2::before {
+    content: counter(c);
+    counter-reset: c;
+}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function crash() {
+    test1 = document.createElement('div');
+    test1.setAttribute('id', 'test1');
+    document.body.appendChild(test1);
+    test2 = document.createElement('div'); 
+    test2.setAttribute('id', 'test2');
+    test1.appendChild(test2);
+    document.body.offsetTop;
+    document.body.style.zoom = 2;
+	if (window.layoutTestController) {
+	    GCController.collect();
+        eventSender.mouseMoveTo(500, 500);
+        layoutTestController.notifyDone();
+	}
+}
+window._onload_ = crash;
+</script>
+</body>
+</html>
\ No newline at end of file

Modified: branches/chromium/963/Source/WebCore/rendering/RenderTableSection.cpp (109386 => 109387)

--- branches/chromium/963/Source/WebCore/rendering/RenderTableSection.cpp	2012-03-01 20:04:09 UTC (rev 109386)
+++ branches/chromium/963/Source/WebCore/rendering/RenderTableSection.cpp	2012-03-01 20:13:53 UTC (rev 109387)
@@ -1250,6 +1250,9 @@
     }
 
     LayoutUnit offsetInColumnDirection = style()->isHorizontalWritingMode() ? location.y() : location.x();
+    
+    recalcCellsIfNeeded();
+
     // Find the first row that starts after offsetInColumnDirection.
     unsigned nextRow = std::upper_bound(m_rowPos.begin(), m_rowPos.end(), offsetInColumnDirection) - m_rowPos.begin();
     if (nextRow == m_rowPos.size())

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes