Diff
Modified: trunk/LayoutTests/ChangeLog (126832 => 126833)
--- trunk/LayoutTests/ChangeLog 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/LayoutTests/ChangeLog 2012-08-28 01:26:00 UTC (rev 126833)
@@ -1,5 +1,15 @@
2012-08-27 Julien Chaffraix <[email protected]>
+ Crash in RenderTable::removeCaption
+ https://bugs.webkit.org/show_bug.cgi?id=95090
+
+ Reviewed by Abhishek Arya.
+
+ * fast/table/table-caption-moved-crash-expected.txt: Added.
+ * fast/table/table-caption-moved-crash.html: Added.
+
+2012-08-27 Julien Chaffraix <[email protected]>
+
Even more unreviewed rebaselining after r126683.
* platform/chromium/TestExpectations:
Added: trunk/LayoutTests/fast/table/table-caption-moved-crash-expected.txt (0 => 126833)
--- trunk/LayoutTests/fast/table/table-caption-moved-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/table/table-caption-moved-crash-expected.txt 2012-08-28 01:26:00 UTC (rev 126833)
@@ -0,0 +1,3 @@
+Bug 95090: Crash in RenderTable::removeCaption
+This test PASSED as it did not crash.
+
Added: trunk/LayoutTests/fast/table/table-caption-moved-crash.html (0 => 126833)
--- trunk/LayoutTests/fast/table/table-caption-moved-crash.html (rev 0)
+++ trunk/LayoutTests/fast/table/table-caption-moved-crash.html 2012-08-28 01:26:00 UTC (rev 126833)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<style>
+.c15:nth-last-of-type(-n+6) { display: table; }
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function crash() {
+ span = document.createElement('span');
+ document.documentElement.appendChild(span);
+ quote = document.createElement('q');
+ quote.setAttribute('class', 'c15');
+ document.documentElement.appendChild(quote);
+ caption = document.createElement('caption');
+ quote.appendChild(caption);
+ span.offsetTop;
+ span.appendChild(caption);
+ span.offsetTop;
+ span.innerHTML = "<a href=''>Bug 95090</a>: Crash in RenderTable::removeCaption<br/>This test PASSED as it did not crash.";
+}
+window._onload_ = crash;
+</script>
Modified: trunk/Source/WebCore/ChangeLog (126832 => 126833)
--- trunk/Source/WebCore/ChangeLog 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/Source/WebCore/ChangeLog 2012-08-28 01:26:00 UTC (rev 126833)
@@ -1,3 +1,39 @@
+2012-08-27 Julien Chaffraix <[email protected]>
+
+ Crash in RenderTable::removeCaption
+ https://bugs.webkit.org/show_bug.cgi?id=95090
+
+ Reviewed by Abhishek Arya.
+
+ The issue came from the caption addition logic not being called when
+ we move the caption due to being hooked on RenderTable::addChild
+ and not RenderTableCaption::insertedIntoTree. This change implemented
+ the previous hook and simplified our caption handling.
+
+ Test: fast/table/table-caption-moved-crash.html
+
+ * rendering/RenderTable.cpp:
+ (WebCore::RenderTable::addChild):
+ Removed the add-a-caption code as it is now executed from RenderTableCaption::insertedIntoTree.
+
+ (WebCore::RenderTable::addCaption):
+ Added this helper method.
+
+ (WebCore::RenderTable::removeCaption):
+ Changed this function to be more bullet-proof. The old code was checking |index| as it wasn't
+ bullet proof so let's keep it.
+
+ (WebCore::RenderTable::recalcSections):
+ Removed the caption handling code as we should properly handle them now.
+
+ * rendering/RenderTable.h:
+ Added addCaption.
+
+ * rendering/RenderTableCaption.cpp:
+ (WebCore::RenderTableCaption::insertedIntoTree):
+ * rendering/RenderTableCaption.h:
+ Added insertedIntoTree.
+
2012-08-27 Nikhil Bhargava <[email protected]>
Add new file to xcode project -- Update to Bug 95107
Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (126832 => 126833)
--- trunk/Source/WebCore/rendering/RenderTable.cpp 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp 2012-08-28 01:26:00 UTC (rev 126833)
@@ -117,10 +117,9 @@
bool wrapInAnonymousSection = !child->isOutOfFlowPositioned();
- if (child->isTableCaption()) {
- m_captions.append(toRenderTableCaption(child));
+ if (child->isTableCaption())
wrapInAnonymousSection = false;
- } else if (child->isRenderTableCol()) {
+ else if (child->isRenderTableCol()) {
m_hasColElements = true;
wrapInAnonymousSection = false;
} else if (child->isTableSection()) {
@@ -197,18 +196,25 @@
section->addChild(child);
}
+void RenderTable::addCaption(const RenderTableCaption* caption)
+{
+ ASSERT(m_captions.find(caption) == notFound);
+ m_captions.append(const_cast<RenderTableCaption*>(caption));
+}
+
void RenderTable::removeCaption(const RenderTableCaption* oldCaption)
{
size_t index = m_captions.find(oldCaption);
ASSERT(index != notFound);
+ if (index == notFound)
+ return;
+
m_captions.remove(index);
// FIXME: The rest of this function is probably not needed since we have
// implemented proper multiple captions support (see bug 58249).
if (node())
node()->setNeedsStyleRecalc();
-
- setNeedsSectionRecalc();
}
void RenderTable::computeLogicalWidth()
@@ -776,17 +782,12 @@
m_foot = 0;
m_firstBody = 0;
m_hasColElements = false;
- m_captions.clear();
// We need to get valid pointers to caption, head, foot and first body again
RenderObject* nextSibling;
for (RenderObject* child = firstChild(); child; child = nextSibling) {
nextSibling = child->nextSibling();
switch (child->style()->display()) {
- case TABLE_CAPTION:
- if (child->isTableCaption())
- m_captions.append(toRenderTableCaption(child));
- break;
case TABLE_COLUMN:
case TABLE_COLUMN_GROUP:
m_hasColElements = true;
Modified: trunk/Source/WebCore/rendering/RenderTable.h (126832 => 126833)
--- trunk/Source/WebCore/rendering/RenderTable.h 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/Source/WebCore/rendering/RenderTable.h 2012-08-28 01:26:00 UTC (rev 126833)
@@ -231,6 +231,7 @@
const BorderValue& tableStartBorderAdjoiningCell(const RenderTableCell*) const;
const BorderValue& tableEndBorderAdjoiningCell(const RenderTableCell*) const;
+ void addCaption(const RenderTableCaption*);
void removeCaption(const RenderTableCaption*);
protected:
Modified: trunk/Source/WebCore/rendering/RenderTableCaption.cpp (126832 => 126833)
--- trunk/Source/WebCore/rendering/RenderTableCaption.cpp 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/Source/WebCore/rendering/RenderTableCaption.cpp 2012-08-28 01:26:00 UTC (rev 126833)
@@ -39,6 +39,13 @@
return cb->logicalWidth();
}
+void RenderTableCaption::insertedIntoTree()
+{
+ RenderBlock::insertedIntoTree();
+
+ table()->addCaption(this);
+}
+
void RenderTableCaption::willBeRemovedFromTree()
{
RenderBlock::willBeRemovedFromTree();
Modified: trunk/Source/WebCore/rendering/RenderTableCaption.h (126832 => 126833)
--- trunk/Source/WebCore/rendering/RenderTableCaption.h 2012-08-28 01:14:30 UTC (rev 126832)
+++ trunk/Source/WebCore/rendering/RenderTableCaption.h 2012-08-28 01:26:00 UTC (rev 126833)
@@ -35,6 +35,7 @@
private:
virtual bool isTableCaption() const OVERRIDE { return true; }
+ virtual void insertedIntoTree() OVERRIDE;
virtual void willBeRemovedFromTree() OVERRIDE;
RenderTable* table() const;
