Title: [113759] trunk
- Revision
- 113759
- Author
- [email protected]
- Date
- 2012-04-10 13:32:16 -0700 (Tue, 10 Apr 2012)
Log Message
Crash due to captions list not updated after section recalc.
https://bugs.webkit.org/show_bug.cgi?id=83552
Reviewed by Julien Chaffraix.
Source/WebCore:
Test: fast/table/table-caption-not-removed-crash.html
* rendering/RenderTable.cpp:
(WebCore::RenderTable::addChild): no need to set the need for
section recalc. It was needed in old code when we had more than
one caption and we need to call section recalc to destroy the other
captions.
(WebCore::RenderTable::recalcSections): need to rebuild captions list.
This is how the old code worked before r100177. Basically, children can
moved without calling RenderTable::removeChild, so we should depend on
recalcSections to update our captions list. Also, fix a style nit of aligning
case labels with the switch statement.
LayoutTests:
* fast/table/table-caption-not-removed-crash-expected.txt: Added.
* fast/table/table-caption-not-removed-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (113758 => 113759)
--- trunk/LayoutTests/ChangeLog 2012-04-10 20:09:08 UTC (rev 113758)
+++ trunk/LayoutTests/ChangeLog 2012-04-10 20:32:16 UTC (rev 113759)
@@ -1,3 +1,13 @@
+2012-04-10 Abhishek Arya <[email protected]>
+
+ Crash due to captions list not updated after section recalc.
+ https://bugs.webkit.org/show_bug.cgi?id=83552
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/table/table-caption-not-removed-crash-expected.txt: Added.
+ * fast/table/table-caption-not-removed-crash.html: Added.
+
2012-04-10 Anders Carlsson <[email protected]>
Unreviewed, rolling out r113611.
Added: trunk/LayoutTests/fast/table/table-caption-not-removed-crash-expected.txt (0 => 113759)
--- trunk/LayoutTests/fast/table/table-caption-not-removed-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/table/table-caption-not-removed-crash-expected.txt 2012-04-10 20:32:16 UTC (rev 113759)
@@ -0,0 +1,3 @@
+Webkit bug 83552 - Crash due to captions list not updated after section recalc.
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/table/table-caption-not-removed-crash.html (0 => 113759)
--- trunk/LayoutTests/fast/table/table-caption-not-removed-crash.html (rev 0)
+++ trunk/LayoutTests/fast/table/table-caption-not-removed-crash.html 2012-04-10 20:32:16 UTC (rev 113759)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+Webkit bug 83552 - Crash due to captions list not updated after section recalc.<br />
+Test passes if it does not crash.
+<style>
+.flexbox1 + .caption1 { display: table-caption; }
+.flexbox1 { display: -webkit-inline-box; }
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ div1 = document.createElement('div');
+ document.documentElement.appendChild(div1);
+ div2 = document.createElement('div');
+ div1.appendChild(div2);
+ cell1 = document.createElement('td');
+ cell1.setAttribute('class', 'caption1');
+ div1.appendChild(cell1);
+ div1.setAttribute('class', 'flexbox1');
+ document.body.offsetTop;
+ div2.setAttribute('class', 'flexbox1');
+ document.body.offsetTop;
+ div2.setAttribute('class', '');
+}
+window._onload_ = runTest;
+</script>
+</html>
Property changes on: trunk/LayoutTests/fast/table/table-caption-not-removed-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (113758 => 113759)
--- trunk/Source/WebCore/ChangeLog 2012-04-10 20:09:08 UTC (rev 113758)
+++ trunk/Source/WebCore/ChangeLog 2012-04-10 20:32:16 UTC (rev 113759)
@@ -1,3 +1,23 @@
+2012-04-10 Abhishek Arya <[email protected]>
+
+ Crash due to captions list not updated after section recalc.
+ https://bugs.webkit.org/show_bug.cgi?id=83552
+
+ Reviewed by Julien Chaffraix.
+
+ Test: fast/table/table-caption-not-removed-crash.html
+
+ * rendering/RenderTable.cpp:
+ (WebCore::RenderTable::addChild): no need to set the need for
+ section recalc. It was needed in old code when we had more than
+ one caption and we need to call section recalc to destroy the other
+ captions.
+ (WebCore::RenderTable::recalcSections): need to rebuild captions list.
+ This is how the old code worked before r100177. Basically, children can
+ moved without calling RenderTable::removeChild, so we should depend on
+ recalcSections to update our captions list. Also, fix a style nit of aligning
+ case labels with the switch statement.
+
2012-04-10 Anders Carlsson <[email protected]>
Unreviewed, rolling out r113611.
Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (113758 => 113759)
--- trunk/Source/WebCore/rendering/RenderTable.cpp 2012-04-10 20:09:08 UTC (rev 113758)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp 2012-04-10 20:32:16 UTC (rev 113759)
@@ -118,7 +118,6 @@
if (child->isTableCaption()) {
m_captions.append(toRenderTableCaption(child));
- setNeedsSectionRecalc();
wrapInAnonymousSection = false;
} else if (child->isTableCol()) {
m_hasColElements = true;
@@ -791,46 +790,51 @@
m_foot = 0;
m_firstBody = 0;
m_hasColElements = false;
+ m_captions.clear();
// We need to get valid pointers to caption, head, foot and first body again
RenderObject* nextSibling;
for (RenderObject* child = firstChild(); child; child = nextSibling) {
nextSibling = child->nextSibling();
switch (child->style()->display()) {
- case TABLE_COLUMN:
- case TABLE_COLUMN_GROUP:
- m_hasColElements = true;
- break;
- case TABLE_HEADER_GROUP:
- if (child->isTableSection()) {
- RenderTableSection* section = toRenderTableSection(child);
- if (!m_head)
- m_head = section;
- else if (!m_firstBody)
- m_firstBody = section;
- section->recalcCellsIfNeeded();
- }
- break;
- case TABLE_FOOTER_GROUP:
- if (child->isTableSection()) {
- RenderTableSection* section = toRenderTableSection(child);
- if (!m_foot)
- m_foot = section;
- else if (!m_firstBody)
- m_firstBody = section;
- section->recalcCellsIfNeeded();
- }
- break;
- case TABLE_ROW_GROUP:
- if (child->isTableSection()) {
- RenderTableSection* section = toRenderTableSection(child);
- if (!m_firstBody)
- m_firstBody = section;
- section->recalcCellsIfNeeded();
- }
- break;
- default:
- break;
+ case TABLE_CAPTION:
+ if (child->isTableCaption())
+ m_captions.append(toRenderTableCaption(child));
+ break;
+ case TABLE_COLUMN:
+ case TABLE_COLUMN_GROUP:
+ m_hasColElements = true;
+ break;
+ case TABLE_HEADER_GROUP:
+ if (child->isTableSection()) {
+ RenderTableSection* section = toRenderTableSection(child);
+ if (!m_head)
+ m_head = section;
+ else if (!m_firstBody)
+ m_firstBody = section;
+ section->recalcCellsIfNeeded();
+ }
+ break;
+ case TABLE_FOOTER_GROUP:
+ if (child->isTableSection()) {
+ RenderTableSection* section = toRenderTableSection(child);
+ if (!m_foot)
+ m_foot = section;
+ else if (!m_firstBody)
+ m_firstBody = section;
+ section->recalcCellsIfNeeded();
+ }
+ break;
+ case TABLE_ROW_GROUP:
+ if (child->isTableSection()) {
+ RenderTableSection* section = toRenderTableSection(child);
+ if (!m_firstBody)
+ m_firstBody = section;
+ section->recalcCellsIfNeeded();
+ }
+ break;
+ default:
+ break;
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
