Title: [125472] trunk
Revision: 125472
Author: [email protected]
Date: 2012-08-13 17:11:35 -0700 (Mon, 13 Aug 2012)

Log Message

Bad cast in RenderBox::computeReplacedLogicalHeightUsing
https://bugs.webkit.org/show_bug.cgi?id=93875

Patch by Pravin D <[email protected]> on 2012-08-13
Reviewed by Abhishek Arya.

Source/WebCore:

Pointer to the container of a replaced element was being type cast to renderbox
without checking if the container is a renderbox or not.

Test: fast/replaced/render-inline-cast-to-render-box-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::computeReplacedLogicalHeightUsing):
 Scrollbar height is retrieved only if the container is a renderBox. Otherwise scrollbar is taken as zero.

LayoutTests:

* fast/replaced/render-inline-cast-to-render-box-crash-expected.txt: Added.
* fast/replaced/render-inline-cast-to-render-box-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (125471 => 125472)


--- trunk/LayoutTests/ChangeLog	2012-08-14 00:05:22 UTC (rev 125471)
+++ trunk/LayoutTests/ChangeLog	2012-08-14 00:11:35 UTC (rev 125472)
@@ -1,3 +1,13 @@
+2012-08-13  Pravin D  <[email protected]>
+
+        Bad cast in RenderBox::computeReplacedLogicalHeightUsing
+        https://bugs.webkit.org/show_bug.cgi?id=93875
+
+        Reviewed by Abhishek Arya.
+
+        * fast/replaced/render-inline-cast-to-render-box-crash-expected.txt: Added.
+        * fast/replaced/render-inline-cast-to-render-box-crash.html: Added.
+
 2012-08-13  Dean Jackson  <[email protected]>
 
         REGRESSION (r125450): 4 canvas/philip/tests tests failing on Apple Lion Release WK1 (Tests)

Added: trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt (0 => 125472)


--- trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt	2012-08-14 00:11:35 UTC (rev 125472)
@@ -0,0 +1 @@
+ PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html (0 => 125472)


--- trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html	2012-08-14 00:11:35 UTC (rev 125472)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+span {
+    position: relative;
+    height:100px;
+}
+img {
+    position: absolute;
+    height: 50%;
+}
+</style>
+<body>
+<span>
+ <img />
+</span>
+PASS. WebKit didn't crash.
+</body>
+</html>
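Review bot: The test file carries no description of the configuration it exercises, so a later reader sees only the PASS line in the body. A short comment or visible sentence would help, naming bug 93875 and stating that the relatively positioned `span` (an inline, not a box) is the container of the absolutely positioned `img` with `height: 50%`, which is the case where the container was cast to a RenderBox. The only failure signal here is a crash: if the bad cast does not crash in a given build the page still prints PASS, so it is worth noting in the test which build configuration is expected to catch a regression.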

Modified: trunk/Source/WebCore/ChangeLog (125471 => 125472)


--- trunk/Source/WebCore/ChangeLog	2012-08-14 00:05:22 UTC (rev 125471)
+++ trunk/Source/WebCore/ChangeLog	2012-08-14 00:11:35 UTC (rev 125472)
@@ -1,3 +1,19 @@
+2012-08-13  Pravin D  <[email protected]>
+
+        Bad cast in RenderBox::computeReplacedLogicalHeightUsing
+        https://bugs.webkit.org/show_bug.cgi?id=93875
+
+        Reviewed by Abhishek Arya.
+
+        Pointer to the container of a replaced element was being type casted to renderbox
+        without checking if the container is a renderbox or not.
+
+        Test: fast/replaced/render-inline-cast-to-render-box-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::computeReplacedLogicalHeightUsing):
+         Scrollbar height is retrieved only if the container is a renderBox. Otherwise scrollbar is taken as zero.
+
 2012-08-13  James Robinson  <[email protected]>
 
         [chromium] Make WebAnimation a pure virtual interface to hide implementation and avoid unresolved symbols

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (125471 => 125472)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2012-08-14 00:05:22 UTC (rev 125471)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2012-08-14 00:11:35 UTC (rev 125472)
@@ -2270,7 +2270,7 @@
                 }
             }
             availableHeight = computeContentBoxLogicalHeight(valueForLength(logicalHeight, availableHeight));
-            if (cb->style()->logicalHeight().isFixed())
+            if (cb->isBox() && cb->style()->logicalHeight().isFixed())
                 availableHeight = max<LayoutUnit>(0, availableHeight - toRenderBox(cb)->scrollbarLogicalHeight());
             return availableHeight;
         }
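Review bot: In the changed condition, `cb->isBox()` guards the `toRenderBox(cb)` cast that sits on the following line, and nothing at the cast itself shows that `cb` can be a non-box here. A one-line comment saying the container may be a relatively positioned inline (as in render-inline-cast-to-render-box-crash.html) and that its scrollbar height is then treated as zero would keep a later edit to the condition from dropping the guard. Any other `toRenderBox(cb)` use in this function that falls outside the visible context deserves the same check.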