Title: [126251] trunk
- Revision
- 126251
- Author
- [email protected]
- Date
- 2012-08-21 19:16:02 -0700 (Tue, 21 Aug 2012)
Log Message
Crash in RenderTableSection::setCellLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=94291
Reviewed by Abhishek Arya.
Source/WebCore:
This issue was that splitAnonymousBoxesAroundChild would move a table section
into a newly created table *without* marking it as needing cell recalc. The table
would thus never build its structure to match its sections. The fix is to hop on
the new willBeRemovedFromTree signal so that the section invalidates itself properly.
Test: fast/table/crash-split-table-section-no-cell-recalc.html
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::willBeRemovedFromTree):
* rendering/RenderTableSection.h:
Replaced willBeDestroyed by willBeRemovedFromTree in RenderTableSection. This ensures that it is called
when moving sections in the tree to mark them as needing cell recalc.
LayoutTests:
* fast/table/crash-split-table-section-no-cell-recalc-expected.txt: Added.
* fast/table/crash-split-table-section-no-cell-recalc.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (126250 => 126251)
--- trunk/LayoutTests/ChangeLog 2012-08-22 02:05:51 UTC (rev 126250)
+++ trunk/LayoutTests/ChangeLog 2012-08-22 02:16:02 UTC (rev 126251)
@@ -1,3 +1,13 @@
+2012-08-21 Julien Chaffraix <[email protected]>
+
+ Crash in RenderTableSection::setCellLogicalWidths
+ https://bugs.webkit.org/show_bug.cgi?id=94291
+
+ Reviewed by Abhishek Arya.
+
+ * fast/table/crash-split-table-section-no-cell-recalc-expected.txt: Added.
+ * fast/table/crash-split-table-section-no-cell-recalc.html: Added.
+
2012-08-21 Yoshifumi Inoue <[email protected]>
[Forms] multiple fields time input UI should not have two focus ring.
Added: trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc-expected.txt (0 => 126251)
--- trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc-expected.txt 2012-08-22 02:16:02 UTC (rev 126251)
@@ -0,0 +1,2 @@
+94291: Crash in RenderTableSection::setCellLogicalWidths
+This test has PASSED as it didn't CRASH or ASSERT.
Added: trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc.html (0 => 126251)
--- trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc.html (rev 0)
+++ trunk/LayoutTests/fast/table/crash-split-table-section-no-cell-recalc.html 2012-08-22 02:16:02 UTC (rev 126251)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+A<div></div>
+<div id="div1"></div>
+<style>
+* { display: table-cell; }
+.class1 { -webkit-appearance: sliderthumb-vertical; }
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.addEventListener("DOMContentLoaded", crash, false);
+function crash() {
+ div1 = document.getElementById("div1");
+ div1.style.display = "table-row-group";
+ document.documentElement.offsetTop;
+ div1.setAttribute("class", "class1");
+ document.documentElement.offsetTop;
+ document.documentElement.innerHTML = "<a href=''>94291</a>: Crash in RenderTableSection::setCellLogicalWidths<br/>This test has PASSED as it didn't CRASH or ASSERT.";
+}
+</script>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (126250 => 126251)
--- trunk/Source/WebCore/ChangeLog 2012-08-22 02:05:51 UTC (rev 126250)
+++ trunk/Source/WebCore/ChangeLog 2012-08-22 02:16:02 UTC (rev 126251)
@@ -1,3 +1,23 @@
+2012-08-21 Julien Chaffraix <[email protected]>
+
+ Crash in RenderTableSection::setCellLogicalWidths
+ https://bugs.webkit.org/show_bug.cgi?id=94291
+
+ Reviewed by Abhishek Arya.
+
+ This issue was that splitAnonymousBoxesAroundChild would move a table section
+ into a newly created table *without* marking it as needing cell recalc. The table
+ would thus never build its structure to match its sections. The fix is to hop on
+ the new willBeRemovedFromTree signal so that the section invalidates itself properly.
+
+ Test: fast/table/crash-split-table-section-no-cell-recalc.html
+
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::willBeRemovedFromTree):
+ * rendering/RenderTableSection.h:
+ Replaced willBeDestroyed by willBeRemovedFromTree in RenderTableSection. This ensures that it is called
+ when moving sections in the tree to mark them as needing cell recalc.
+
2012-08-21 Yoshifumi Inoue <[email protected]>
[Forms] multiple fields time input UI should not have two focus ring.
Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (126250 => 126251)
--- trunk/Source/WebCore/rendering/RenderTableSection.cpp 2012-08-22 02:05:51 UTC (rev 126250)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp 2012-08-22 02:16:02 UTC (rev 126251)
@@ -114,16 +114,13 @@
table->invalidateCollapsedBorders();
}
-void RenderTableSection::willBeDestroyed()
+void RenderTableSection::willBeRemovedFromTree()
{
- RenderTable* recalcTable = table();
-
- RenderBox::willBeDestroyed();
-
- // recalc cell info because RenderTable has unguarded pointers
- // stored that point to this RenderTableSection.
- if (recalcTable)
- recalcTable->setNeedsSectionRecalc();
+ RenderBox::willBeRemovedFromTree();
+
+ // Preventively invalidate our cells as we may be re-inserted into
+ // a new table which would require us to rebuild our structure.
+ setNeedsCellRecalc();
}
void RenderTableSection::addChild(RenderObject* child, RenderObject* beforeChild)
Modified: trunk/Source/WebCore/rendering/RenderTableSection.h (126250 => 126251)
--- trunk/Source/WebCore/rendering/RenderTableSection.h 2012-08-22 02:05:51 UTC (rev 126250)
+++ trunk/Source/WebCore/rendering/RenderTableSection.h 2012-08-22 02:16:02 UTC (rev 126251)
@@ -206,7 +206,7 @@
virtual bool isTableSection() const { return true; }
- virtual void willBeDestroyed();
+ virtual void willBeRemovedFromTree() OVERRIDE;
virtual void layout();
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
