Skip to site navigation (Press enter)

[webkit-changes] [118316] trunk

jchaffraix Wed, 23 May 2012 20:41:37 -0700

Title: [118316] trunk

Revision: 118316
Author: [email protected]
Date: 2012-05-23 20:42:27 -0700 (Wed, 23 May 2012)

Log Message

Crash in RenderTableCol::nextColumn
https://bugs.webkit.org/show_bug.cgi?id=87314


Reviewed by Abhishek Arya.

Source/WebCore:

Tests: fast/table/canvas-column-in-column-group.html
       fast/table/columngroup-inside-columngroup.html

The issue comes from elements not abiding by the display property (e.g. canvas). This means
that any renderer with display: table-column would pass the current isChildAllowed check and
would confuse our algorithm to iterate.

We were getting away with allowing those children as table columns or column groups don't
paint themselves but it's better to just not allow such children in the first place.

* rendering/RenderTableCol.cpp:
(WebCore::RenderTableCol::isChildAllowed):
Fixed the logic to only accept proper column renderer (RenderTableCol with display: column
to ignore column-groups). Also removed an unneeded NULL-check.

LayoutTests:

* fast/table/canvas-column-in-column-group-expected.txt: Added.
* fast/table/canvas-column-in-column-group.html: Added.
* fast/table/columngroup-inside-columngroup-expected.txt: Added.
* fast/table/columngroup-inside-columngroup.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderTableCol.cpp

Added Paths

trunk/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt
trunk/LayoutTests/fast/table/canvas-column-in-column-group.html
trunk/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt
trunk/LayoutTests/fast/table/columngroup-inside-columngroup.html

Diff

Modified: trunk/LayoutTests/ChangeLog (118315 => 118316)


--- trunk/LayoutTests/ChangeLog	2012-05-24 03:11:50 UTC (rev 118315)
+++ trunk/LayoutTests/ChangeLog	2012-05-24 03:42:27 UTC (rev 118316)
@@ -1,3 +1,15 @@
+2012-05-23  Julien Chaffraix  <[email protected]>
+
+        Crash in RenderTableCol::nextColumn
+        https://bugs.webkit.org/show_bug.cgi?id=87314
+
+        Reviewed by Abhishek Arya.
+
+        * fast/table/canvas-column-in-column-group-expected.txt: Added.
+        * fast/table/canvas-column-in-column-group.html: Added.
+        * fast/table/columngroup-inside-columngroup-expected.txt: Added.
+        * fast/table/columngroup-inside-columngroup.html: Added.
+
 2012-05-23  Raphael Kubo da Costa  <[email protected]>
 
         [EFL] Gardening after r118203 and r118171.

Added: trunk/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt (0 => 118316)


--- trunk/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt	2012-05-24 03:42:27 UTC (rev 118316)
@@ -0,0 +1,3 @@
+Test for bug 87314: Crash in RenderTableCol::nextColumn
+
+PASSED, this test didn't crash or ASSERT.

Added: trunk/LayoutTests/fast/table/canvas-column-in-column-group.html (0 => 118316)


--- trunk/LayoutTests/fast/table/canvas-column-in-column-group.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/canvas-column-in-column-group.html	2012-05-24 03:42:27 UTC (rev 118316)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<p>Test for bug <a href="" Crash in RenderTableCol::nextColumn</p>
+<table>
+    <colgroup>
+    </colgroup>
+    <tbody>
+        <td></td>
+    </tbody>
+</table>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    var canvas = document.createElement("canvas");
+    canvas.style.display = "table-column";
+    document.getElementsByTagName("colgroup")[0].appendChild(canvas);
+    document.body.offsetTop;
+    document.body.appendChild(document.createTextNode("PASSED, this test didn't crash or ASSERT."));
+</script>

Added: trunk/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt (0 => 118316)


--- trunk/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt	2012-05-24 03:42:27 UTC (rev 118316)
@@ -0,0 +1,3 @@
+Test for bug 87314: Crash in RenderTableCol::nextColumn
+
+PASSED, this test didn't crash or ASSERT.

Added: trunk/LayoutTests/fast/table/columngroup-inside-columngroup.html (0 => 118316)


--- trunk/LayoutTests/fast/table/columngroup-inside-columngroup.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/columngroup-inside-columngroup.html	2012-05-24 03:42:27 UTC (rev 118316)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<p>Test for bug <a href="" Crash in RenderTableCol::nextColumn</p>
+<table>
+    <colgroup>
+    </colgroup>
+    <tbody>
+        <td></td>
+    </tbody>
+</table>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    var colgroup = document.createElement("colgroup");
+    document.getElementsByTagName("colgroup")[0].appendChild(colgroup);
+    document.body.offsetTop;
+    document.body.appendChild(document.createTextNode("PASSED, this test didn't crash or ASSERT."));
+</script>

Modified: trunk/Source/WebCore/ChangeLog (118315 => 118316)


--- trunk/Source/WebCore/ChangeLog	2012-05-24 03:11:50 UTC (rev 118315)
+++ trunk/Source/WebCore/ChangeLog	2012-05-24 03:42:27 UTC (rev 118316)
@@ -1,3 +1,25 @@
+2012-05-23  Julien Chaffraix  <[email protected]>
+
+        Crash in RenderTableCol::nextColumn
+        https://bugs.webkit.org/show_bug.cgi?id=87314
+
+        Reviewed by Abhishek Arya.
+
+        Tests: fast/table/canvas-column-in-column-group.html
+               fast/table/columngroup-inside-columngroup.html
+
+        The issue comes from elements not abiding by the display property (e.g. canvas). This means
+        that any renderer with display: table-column would pass the current isChildAllowed check and
+        would confuse our algorithm to iterate.
+
+        We were getting away with allowing those children as table columns or column groups don't
+        paint themselves but it's better to just not allow such children in the first place.
+
+        * rendering/RenderTableCol.cpp:
+        (WebCore::RenderTableCol::isChildAllowed):
+        Fixed the logic to only accept proper column renderer (RenderTableCol with display: column
+        to ignore column-groups). Also removed an unneeded NULL-check.
+
 2012-05-23  Jer Noble  <[email protected]>
 
         REGRESSION: compositing/video/video-poster.html fails on Mac

Modified: trunk/Source/WebCore/rendering/RenderTableCol.cpp (118315 => 118316)


--- trunk/Source/WebCore/rendering/RenderTableCol.cpp	2012-05-24 03:11:50 UTC (rev 118315)
+++ trunk/Source/WebCore/rendering/RenderTableCol.cpp	2012-05-24 03:42:27 UTC (rev 118316)
@@ -71,7 +71,7 @@
 
 bool RenderTableCol::isChildAllowed(RenderObject* child, RenderStyle* style) const
 {
-    return !child->isText() && style && (style->display() == TABLE_COLUMN);
+    return child->isTableCol() && style->display() == TABLE_COLUMN;
 }
 
 bool RenderTableCol::canHaveChildren() const

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes