Title: [123525] trunk
Revision
123525
Author
jchaffr...@webkit.org
Date
2012-07-24 13:59:14 -0700 (Tue, 24 Jul 2012)

Log Message

Crash in RenderTableSection::layoutRows
https://bugs.webkit.org/show_bug.cgi?id=92145

Reviewed by Abhishek Arya.

Source/WebCore:

The crash came from the insertChildNode logic being confused and choosing the wrong
renderer for insertion. This is because after r123159, table anonymous wrappers can
be created as 'inline-table' and wouldn't pass the isAnonymousBlock() check.

This change also aligns the ancestor iteration with RenderBlock::addChildToAnonymousColumnBlocks.

Test: fast/table/crash-table-section-layoutRows.html

* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::insertChildNode):
Changed the code to always get the right child. There is no justification for not
walking up to the |owner|'s direct child in all cases.

LayoutTests:

* fast/table/crash-table-section-layoutRows-expected.txt: Added.
* fast/table/crash-table-section-layoutRows.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (123524 => 123525)


--- trunk/LayoutTests/ChangeLog	2012-07-24 20:53:19 UTC (rev 123524)
+++ trunk/LayoutTests/ChangeLog	2012-07-24 20:59:14 UTC (rev 123525)
@@ -1,3 +1,13 @@
+2012-07-24  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Crash in RenderTableSection::layoutRows
+        https://bugs.webkit.org/show_bug.cgi?id=92145
+
+        Reviewed by Abhishek Arya.
+
+        * fast/table/crash-table-section-layoutRows-expected.txt: Added.
+        * fast/table/crash-table-section-layoutRows.html: Added.
+
 2012-07-24  Caio Marcelo de Oliveira Filho  <caio.olive...@openbossa.org>
 
         [Qt] svg/clip-path rebaseline after new test fonts

Added: trunk/LayoutTests/fast/table/crash-table-section-layoutRows-expected.txt (0 => 123525)


--- trunk/LayoutTests/fast/table/crash-table-section-layoutRows-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-table-section-layoutRows-expected.txt	2012-07-24 20:59:14 UTC (rev 123525)
@@ -0,0 +1,5 @@
+Bug 92145: Crash in WebCore::RenderTableSection::layoutRows
+
+There should be PASSED below and we shouldn't crash or ASSERT.
+
+PASSED.

Added: trunk/LayoutTests/fast/table/crash-table-section-layoutRows.html (0 => 123525)


--- trunk/LayoutTests/fast/table/crash-table-section-layoutRows.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/crash-table-section-layoutRows.html	2012-07-24 20:59:14 UTC (rev 123525)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<style>
+* {
+    display: table-cell;
+}
+</style>
+<p>Bug 92145: Crash in WebCore::RenderTableSection::layoutRows</p>
+<p>There should be PASSED below and we shouldn't crash or ASSERT.</p>
+<div id="firstDiv"><div id=secondDiv></div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function crash() {
+    firstDiv.style.display = "inline";
+    window.scrollBy(5);
+    secondDiv.outerHTML = "PASSED.";
+    
+    // Remove the <style> to avoid having it dumped in the output.
+    var styleTag = document.getElementsByTagName("style")[0];
+    styleTag.parentNode.removeChild(styleTag);
+}
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
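Review bot: the markup `<div id="firstDiv"><div id=secondDiv></div>` leaves firstDiv unclosed and quotes one id attribute but not the other; if the unclosed outer div is needed to reproduce the crash, a short comment saying so would stop a later cleanup from silently breaking the repro, and otherwise close the outer div and quote both ids consistently. Also `window.scrollBy(5)` passes only the x offset; writing `window.scrollBy(5, 0)` makes the intended y offset explicit rather than relying on the missing argument defaulting to 0.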

Modified: trunk/Source/WebCore/ChangeLog (123524 => 123525)


--- trunk/Source/WebCore/ChangeLog	2012-07-24 20:53:19 UTC (rev 123524)
+++ trunk/Source/WebCore/ChangeLog	2012-07-24 20:59:14 UTC (rev 123525)
@@ -1,3 +1,23 @@
+2012-07-24  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Crash in RenderTableSection::layoutRows
+        https://bugs.webkit.org/show_bug.cgi?id=92145
+
+        Reviewed by Abhishek Arya.
+
+        The crash came from the insertChildNode logic being confused and choosing the wrong
+        renderer for insertion. This is because after r123159, table anonymous wrappers can
+        be created as 'inline-table' and wouldn't pass the isAnonymousBlock() check.
+
+        This change also aligns the ancestor iteration with RenderBlock::addChildToAnonymousColumnBlocks.
+
+        Test: fast/table/crash-table-section-layoutRows.html
+
+        * rendering/RenderObjectChildList.cpp:
+        (WebCore::RenderObjectChildList::insertChildNode):
+        Changed the code to always get the right child. There is no justification to not
+        walking up to the |owner|'s direct child in all cases.
+
 2012-07-24  Tony Chang  <t...@chromium.org>
 
         Make RenderBlock::paintChildren virtual so sub classes can change the paint order

Modified: trunk/Source/WebCore/rendering/RenderObjectChildList.cpp (123524 => 123525)


--- trunk/Source/WebCore/rendering/RenderObjectChildList.cpp	2012-07-24 20:53:19 UTC (rev 123524)
+++ trunk/Source/WebCore/rendering/RenderObjectChildList.cpp	2012-07-24 20:59:14 UTC (rev 123525)
@@ -234,9 +234,8 @@
     }
 
     ASSERT(!child->parent());
-    while (beforeChild->parent() != owner && beforeChild->parent()->isAnonymousBlock())
+    while (beforeChild->parent() != owner)
         beforeChild = beforeChild->parent();
-    ASSERT(beforeChild->parent() == owner);
 
     ASSERT(!owner->isBlockFlow() || (!child->isTableSection() && !child->isTableRow() && !child->isTableCell()));
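Review bot: the loop `while (beforeChild->parent() != owner)` no longer has a stopping condition other than reaching owner; if beforeChild is ever not inside owner's subtree, parent() eventually returns null and the next iteration dereferences it, whereas the old isAnonymousBlock() test stopped at the first non-anonymous ancestor. Since the change relies on every beforeChild being a descendant of owner, add an `ASSERT(beforeChild->parent())` inside the loop (or assert that beforeChild is a descendant of owner before entering it) so a violation of that invariant fails loudly in debug builds instead of as a null dereference. Dropping `ASSERT(beforeChild->parent() == owner)` is fine, since the loop's exit condition now guarantees it.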
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
