Title: [118592] trunk
- Revision
- 118592
- Author
- [email protected]
- Date
- 2012-05-25 17:28:23 -0700 (Fri, 25 May 2012)
Log Message
Crash in RenderTableSection::paintCell.
https://bugs.webkit.org/show_bug.cgi?id=87445
Reviewed by Eric Seidel and Julien Chaffraix.
Source/WebCore:
Fix the crash by preventing table parts from being set
as layout root. This prevents us from accessing removed
table cells which can happen if RenderTableSection::layout
is called directly without calling RenderTable::layout first
(in case of cell recalc).
Add ASSERTs to RenderTableSection::layout to prevent
layout from happening when we are already pending cell recalc
or our table is pending section recalc. In those cases,
RenderTable::layout should be called first to relayout
the entire table.
Test: tables/table-section-overflow-clip-crash.html
* rendering/RenderObject.cpp:
(WebCore::objectIsRelayoutBoundary):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::layout):
LayoutTests:
* tables/table-section-overflow-clip-crash-expected.txt: Added.
* tables/table-section-overflow-clip-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (118591 => 118592)
--- trunk/LayoutTests/ChangeLog 2012-05-26 00:23:43 UTC (rev 118591)
+++ trunk/LayoutTests/ChangeLog 2012-05-26 00:28:23 UTC (rev 118592)
@@ -1,3 +1,13 @@
+2012-05-25 Abhishek Arya <[email protected]>
+
+ Crash in RenderTableSection::paintCell.
+ https://bugs.webkit.org/show_bug.cgi?id=87445
+
+ Reviewed by Eric Seidel and Julien Chaffraix.
+
+ * tables/table-section-overflow-clip-crash-expected.txt: Added.
+ * tables/table-section-overflow-clip-crash.html: Added.
+
2012-05-25 Jessie Berlin <[email protected]>
Implement spinbutton support in RenderThemeSafari
Added: trunk/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt (0 => 118592)
--- trunk/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt 2012-05-26 00:28:23 UTC (rev 118592)
@@ -0,0 +1,2 @@
+WebKit Bug 87445 - RenderTableSection::paintCell.
+Test passes if it does not crash.
Added: trunk/LayoutTests/tables/table-section-overflow-clip-crash.html (0 => 118592)
--- trunk/LayoutTests/tables/table-section-overflow-clip-crash.html (rev 0)
+++ trunk/LayoutTests/tables/table-section-overflow-clip-crash.html 2012-05-26 00:28:23 UTC (rev 118592)
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test0 {
+ counter-reset: c;
+}
+#test0::after {
+ content: counter(c);
+ counter-reset: c;
+}
+#test1::after {
+ content: counter(c);
+ counter-reset: c;
+}
+#test2 {
+ counter-reset: c;
+ height: 1px;
+ width: 1px;
+ overflow-x: scroll;
+ -webkit-perspective: 1;
+}
+#test3 {
+ content: counter(c);
+ -webkit-animation-name: a;
+ -webkit-animation-duration: 0.01s;
+}
+</style>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function finish() {
+ document.body.innerHTML = "WebKit Bug 87445 - RenderTableSection::paintCell.<br/>Test passes if it does not crash.";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+_onload_ = function() {
+ test0 = document.createElement('div');
+ test0.setAttribute('id', 'test0');
+ document.body.appendChild(test0);
+ test1 = document.createElement('div');
+ test1.setAttribute('id', 'test1');
+ test0.appendChild(test1);
+ test2 = document.createElement('div');
+ test2.setAttribute('id', 'test2');
+ test1.appendChild(test2);
+ test3 = document.createElement('div');
+ test3.setAttribute('id', 'test3');
+ test2.appendChild(test3);
+ test2.style.display = 'table-footer-group';
+ document.body.offsetTop;
+ setTimeout("finish()", 10);
+}
+</script>
+</head>
+<body>
+</body>
+</html>
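Review bot: the load handler at `_onload_ = function() {` is assigned to a global named `_onload_`, not to `window.onload`; if the file really contains that spelling (rather than this being a rendering artifact for `onload`), the function never runs, the div tree is never built, and the test passes without ever exercising the RenderTableSection::paintCell path it is meant to cover. Assign to `onload` (or use `addEventListener('load', ...)`) so the repro actually runs under `waitUntilDone()`. Minor: `test0`..`test3` are implicit globals and `setTimeout("finish()", 10)` uses the string form; `var` and `setTimeout(finish, 10)` are the cleaner spellings. The property change that follows also marks this .html test as svn:executable, which an HTML layout test does not need.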
Property changes on: trunk/LayoutTests/tables/table-section-overflow-clip-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (118591 => 118592)
--- trunk/Source/WebCore/ChangeLog 2012-05-26 00:23:43 UTC (rev 118591)
+++ trunk/Source/WebCore/ChangeLog 2012-05-26 00:28:23 UTC (rev 118592)
@@ -1,3 +1,29 @@
+2012-05-25 Abhishek Arya <[email protected]>
+
+ Crash in RenderTableSection::paintCell.
+ https://bugs.webkit.org/show_bug.cgi?id=87445
+
+ Reviewed by Eric Seidel and Julien Chaffraix.
+
+ Fix the crash by preventing table parts from being set
+ as layout root. This prevents us from accessing removed
+ table cells which can happen if RenderTableSection::layout
+ is called directly without calling RenderTable::layout first
+ (in case of cell recalc).
+
+ Add ASSERTs to RenderTableSection::layout to prevent
+ layout to happen when we are already pending cell recalc
+ or our table is pending section recalc. In those cases,
+ RenderTable::layout should be called first to relayout
+ the entire table.
+
+ Test: tables/table-section-overflow-clip-crash.html
+
+ * rendering/RenderObject.cpp:
+ (WebCore::objectIsRelayoutBoundary):
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::layout):
+
2012-05-25 Philip Rogers <[email protected]>
Fix for self-closing <use> tags
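Review bot: "to prevent layout to happen" in the ChangeLog entry should read "to prevent layout from happening"; otherwise the entry accurately describes both changes (the relayout-boundary restriction in RenderObject.cpp and the two ASSERTs in RenderTableSection::layout) and names the added test.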
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (118591 => 118592)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2012-05-26 00:23:43 UTC (rev 118591)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2012-05-26 00:28:23 UTC (rev 118592)
@@ -595,14 +595,26 @@
static inline bool objectIsRelayoutBoundary(const RenderObject* object)
{
- // FIXME: In future it may be possible to broaden this condition in order to improve performance.
- // Table cells are excluded because even when their CSS height is fixed, their height()
- // may depend on their contents.
- return object->isTextControl()
+ // FIXME: In future it may be possible to broaden these conditions in order to improve performance.
+ if (object->isTextControl())
+ return true;
+
#if ENABLE(SVG)
- || object->isSVGRoot()
+ if (object->isSVGRoot())
+ return true;
#endif
- || (object->hasOverflowClip() && !object->style()->width().isIntrinsicOrAuto() && !object->style()->height().isIntrinsicOrAuto() && !object->style()->height().isPercent() && !object->isTableCell());
+
+ if (!object->hasOverflowClip())
+ return false;
+
+ if (object->style()->width().isIntrinsicOrAuto() || object->style()->height().isIntrinsicOrAuto() || object->style()->height().isPercent())
+ return false;
+
+ // Table parts can't be relayout roots since the table is responsible for layouting all the parts.
+ if (object->isTablePart())
+ return false;
+
+ return true;
}
void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout, RenderObject* newRoot)
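Review bot: the rewrite drops the rationale the old comment carried ("Table cells are excluded because even when their CSS height is fixed, their height() may depend on their contents") and the new comment at `// Table parts can't be relayout roots since the table is responsible for layouting all the parts.` explains only the generalisation; keep both reasons so the next reader does not narrow the check back to `isTableCell()`, and "layouting" should read "laying out". The split into early returns is behaviour-preserving for the `isTextControl()` and `isSVGRoot()` cases and for the overflow-clip/width/height conditions; the one semantic change is widening `!object->isTableCell()` to `!object->isTablePart()`, which is the actual fix: a section or row with overflow clip and non-auto, non-percent dimensions could previously be chosen as a layout root, so `RenderTableSection::layout` ran without `RenderTable::layout` recalculating cells first, and the section then touched removed cells.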
Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (118591 => 118592)
--- trunk/Source/WebCore/rendering/RenderTableSection.cpp 2012-05-26 00:23:43 UTC (rev 118591)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp 2012-05-26 00:28:23 UTC (rev 118592)
@@ -403,6 +403,8 @@
void RenderTableSection::layout()
{
ASSERT(needsLayout());
+ ASSERT(!needsCellRecalc());
+ ASSERT(!table()->needsSectionRecalc());
LayoutStateMaintainer statePusher(view(), this, locationOffset(), style()->isFlippedBlocksWritingMode());
for (RenderObject* child = children()->firstChild(); child; child = child->nextSibling()) {
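Review bot: `ASSERT(!table()->needsSectionRecalc());` dereferences `table()` without checking it; if a section that needs layout is guaranteed to have a parent table, an explicit `ASSERT(table());` ahead of it documents that, otherwise the call needs a guard. Note also that both new ASSERTs compile out in release builds, so they document the invariant that `RenderTable::layout` must run before a section is laid out but do not themselves prevent a stale-cell access; the protection in shipping builds comes entirely from the `objectIsRelayoutBoundary` change in RenderObject.cpp, and the ASSERTs serve to catch any remaining path that reaches `RenderTableSection::layout` with a pending cell or section recalc in debug runs of the layout tests.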
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes