Title: [124505] branches/safari-536.26-branch
- Revision: 124505
- Author: [email protected]
- Date: 2012-08-02 14:58:51 -0700 (Thu, 02 Aug 2012)
Log Message
Merged r118592. <rdar://problem/11969445>
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124504 => 124505)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-02 21:38:16 UTC (rev 124504)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-02 21:58:51 UTC (rev 124505)
@@ -1,3 +1,17 @@
+2012-08-02 Lucas Forschler <[email protected]>
+
+ Merge 118592
+
+ 2012-05-25 Abhishek Arya <[email protected]>
+
+ Crash in RenderTableSection::paintCell.
+ https://bugs.webkit.org/show_bug.cgi?id=87445
+
+ Reviewed by Eric Seidel and Julien Chaffraix.
+
+ * tables/table-section-overflow-clip-crash-expected.txt: Added.
+ * tables/table-section-overflow-clip-crash.html: Added.
+
2012-07-30 Lucas Forschler <[email protected]>
Merge 123637
Copied: branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt (from rev 118592, trunk/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt) (0 => 124505)
--- branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash-expected.txt 2012-08-02 21:58:51 UTC (rev 124505)
@@ -0,0 +1,2 @@
+WebKit Bug 87445 - RenderTableSection::paintCell.
+Test passes if it does not crash.
Copied: branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash.html (from rev 118592, trunk/LayoutTests/tables/table-section-overflow-clip-crash.html) (0 => 124505)
--- branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/tables/table-section-overflow-clip-crash.html 2012-08-02 21:58:51 UTC (rev 124505)
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test0 {
+ counter-reset: c;
+}
+#test0::after {
+ content: counter(c);
+ counter-reset: c;
+}
+#test1::after {
+ content: counter(c);
+ counter-reset: c;
+}
+#test2 {
+ counter-reset: c;
+ height: 1px;
+ width: 1px;
+ overflow-x: scroll;
+ -webkit-perspective: 1;
+}
+#test3 {
+ content: counter(c);
+ -webkit-animation-name: a;
+ -webkit-animation-duration: 0.01s;
+}
+</style>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function finish() {
+ document.body.innerHTML = "WebKit Bug 87445 - RenderTableSection::paintCell.<br/>Test passes if it does not crash.";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+_onload_ = function() {
+ test0 = document.createElement('div');
+ test0.setAttribute('id', 'test0');
+ document.body.appendChild(test0);
+ test1 = document.createElement('div');
+ test1.setAttribute('id', 'test1');
+ test0.appendChild(test1);
+ test2 = document.createElement('div');
+ test2.setAttribute('id', 'test2');
+ test1.appendChild(test2);
+ test3 = document.createElement('div');
+ test3.setAttribute('id', 'test3');
+ test2.appendChild(test3);
+ test2.style.display = 'table-footer-group';
+ document.body.offsetTop;
+ setTimeout("finish()", 10);
+}
+</script>
+</head>
+<body>
+</body>
+</html>
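Review bot: In the script block the load handler is assigned as `_onload_ = function()`, which creates a global named `_onload_` and never attaches to the window load event; as shown, none of the DOM setup runs and, because waitUntilDone() has already been called, the test would time out instead of building the table-footer-group case. Confirm the committed file reads `onload = function()` (or `window.onload`). Separately, `setTimeout("finish()", 10)` can pass the function reference, `setTimeout(finish, 10)`, instead of a string that gets evaluated.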
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124504 => 124505)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-02 21:38:16 UTC (rev 124504)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-02 21:58:51 UTC (rev 124505)
@@ -1,3 +1,33 @@
+2012-08-02 Lucas Forschler <[email protected]>
+
+ Merge 118592
+
+ 2012-05-25 Abhishek Arya <[email protected]>
+
+ Crash in RenderTableSection::paintCell.
+ https://bugs.webkit.org/show_bug.cgi?id=87445
+
+ Reviewed by Eric Seidel and Julien Chaffraix.
+
+ Fix the crash by preventing table parts from being set
+ as layout root. This prevents us from accessing removed
+ table cells which can happen if RenderTableSection::layout
+ is called directly without calling RenderTable::layout first
+ (in case of cell recalc).
+
+ Add ASSERTs to RenderTableSection::layout to prevent
+ layout to happen when we are already pending cell recalc
+ or our table is pending section recalc. In those cases,
+ RenderTable::layout should be called first to relayout
+ the entire table.
+
+ Test: tables/table-section-overflow-clip-crash.html
+
+ * rendering/RenderObject.cpp:
+ (WebCore::objectIsRelayoutBoundary):
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::layout):
+
2012-07-30 Lucas Forschler <[email protected]>
Merge 123637
Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp (124504 => 124505)
--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp 2012-08-02 21:38:16 UTC (rev 124504)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderObject.cpp 2012-08-02 21:58:51 UTC (rev 124505)
@@ -594,14 +594,26 @@
static inline bool objectIsRelayoutBoundary(const RenderObject* object)
{
- // FIXME: In future it may be possible to broaden this condition in order to improve performance.
- // Table cells are excluded because even when their CSS height is fixed, their height()
- // may depend on their contents.
- return object->isTextControl()
+ // FIXME: In future it may be possible to broaden these conditions in order to improve performance.
+ if (object->isTextControl())
+ return true;
+
#if ENABLE(SVG)
- || object->isSVGRoot()
+ if (object->isSVGRoot())
+ return true;
#endif
- || (object->hasOverflowClip() && !object->style()->width().isIntrinsicOrAuto() && !object->style()->height().isIntrinsicOrAuto() && !object->style()->height().isPercent() && !object->isTableCell());
+
+ if (!object->hasOverflowClip())
+ return false;
+
+ if (object->style()->width().isIntrinsicOrAuto() || object->style()->height().isIntrinsicOrAuto() || object->style()->height().isPercent())
+ return false;
+
+ // Table parts can't be relayout roots since the table is responsible for layouting all the parts.
+ if (object->isTablePart())
+ return false;
+
+ return true;
}
void RenderObject::markContainingBlocksForLayout(bool scheduleRelayout, RenderObject* newRoot)
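Review bot: The old condition excluded cells with `!object->isTableCell()`, and the new code drops that in favour of `object->isTablePart()` near the end of objectIsRelayoutBoundary; nothing in this hunk shows that isTablePart() is true for cells, so confirm it covers cells as well as sections and rows, otherwise a cell with overflow clip and fixed width and height becomes a relayout boundary again. The removed comment also explained why cells were excluded (their height() may depend on their contents); keep that rationale next to the new one, and reword "layouting" to "laying out".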
Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableSection.cpp (124504 => 124505)
--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableSection.cpp 2012-08-02 21:38:16 UTC (rev 124504)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableSection.cpp 2012-08-02 21:58:51 UTC (rev 124505)
@@ -403,6 +403,8 @@
void RenderTableSection::layout()
{
ASSERT(needsLayout());
+ ASSERT(!needsCellRecalc());
+ ASSERT(!table()->needsSectionRecalc());
LayoutStateMaintainer statePusher(view(), this, locationOffset(), style()->isFlippedBlocksWritingMode());
for (RenderObject* child = children()->firstChild(); child; child = child->nextSibling()) {
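Review bot: The two added ASSERTs at the top of RenderTableSection::layout are compiled out of release builds, so they document the invariant but do not enforce it for users; if any caller other than RenderTable::layout reaches this function while needsCellRecalc() or table()->needsSectionRecalc() is true, a release build still proceeds into the child loop with the stale cell state the ChangeLog describes. Consider a release-mode guard (early return or forcing the recalc), or a comment stating that the objectIsRelayoutBoundary change is what keeps this path unreachable. `table()` is also dereferenced without a null check in the second ASSERT.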