Title: [134272] branches/chromium/1312
- Revision
- 134272
- Author
- [email protected]
- Date
- 2012-11-12 11:44:42 -0800 (Mon, 12 Nov 2012)
Log Message
Merge 133717
BUG=158898
Review URL: https://codereview.chromium.org/11360203
Copied: branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash-expected.txt (from rev 133717, trunk/LayoutTests/fast/block/colspan-under-button-crash-expected.txt) (0 => 134272)
--- branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash-expected.txt (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash-expected.txt 2012-11-12 19:44:42 UTC (rev 134272)
@@ -0,0 +1 @@
+PASS if no crash or assert in debug
Copied: branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash.html (from rev 133717, trunk/LayoutTests/fast/block/colspan-under-button-crash.html) (0 => 134272)
--- branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash.html (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/block/colspan-under-button-crash.html 2012-11-12 19:44:42 UTC (rev 134272)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<style>
+.c0 { display: inherit; }
+.c10 { display: table-column-group; -webkit-column-span: all; }
+.c11[class$="c11"] { vertical-align: -10; -webkit-column-width: 1px; }
+.c17 { overflow: hidden; position: fixed; }
+.c17::after { position: inherit; content: no-close-quote;</style>
+<script>
+window._onload_ = function() {
+ pElem = document.createElement('p');
+ pElem.setAttribute('class', 'c11');
+
+ citeElem = document.createElement('cite');
+ citeElem.setAttribute('class', 'c10');
+
+ buttonElem = document.createElement('button');
+ buttonElem.setAttribute('class', 'c0');
+
+ document.documentElement.appendChild(pElem);
+ pElem.appendChild(buttonElem);
+ buttonElem.appendChild(citeElem);
+
+ document.documentElement.offsetHeight;
+ buttonElem.setAttribute('class', 'c17');
+ document.documentElement.offsetHeight;
+ document.documentElement.removeChild(pElem);
+
+ document.body.innerHTML = "PASS if no crash or assert in debug";
+ if (window.testRunner)
+ testRunner.dumpAsText();
+}
+</script>
+</html>
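Review bot: The handler is assigned to `window._onload_`, which is not an event the browser dispatches, so unless this is an artifact of how the listing was rendered (the trunk file presumably uses `window.onload`), the test body never runs and the expected "PASS if no crash or assert in debug" line is never written; please confirm against the copied source at rev 133717. The script also creates `pElem`, `citeElem` and `buttonElem` as implicit globals; declaring them with `var` keeps this fuzzer-derived test from leaking state onto the window object. A one-line comment above the handler naming what is being exercised, e.g. `<!-- Regression test for bug 158898: a column-spanning child under a button must not split the button's flow. -->`, would make the test self-describing.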
Modified: branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp (134271 => 134272)
--- branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp 2012-11-12 19:42:44 UTC (rev 134271)
+++ branches/chromium/1312/Source/WebCore/rendering/RenderBlock.cpp 2012-11-12 19:44:42 UTC (rev 134272)
@@ -533,7 +533,10 @@
// FIXME: Table manages its own table parts, most of which are RenderBoxes.
// Multi-column code cannot handle splitting the flow in table. Disabling it
// to prevent crashes.
- if (curr->isTable())
+ // Similarly, RenderButton maintains an anonymous block child and overrides
+ // addChild() to prevent itself from having additional direct children. This
+ // causes problems for split flows.
+ if (curr->isTable() || curr->isRenderButton())
return 0;
RenderBlock* currBlock = toRenderBlock(curr);
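Review bot: The early return now special-cases two concrete renderer types, while the comments describe a property (a renderer that manages its own anonymous children and rejects direct ones) that other renderers may share; a future type with the same behaviour would silently fall through to the split-flow path. I would fold the two comments into one that states the shared reason, e.g. `// Renderers that manage their own anonymous children (tables, buttons) cannot have their flow split without breaking their child invariants; see bug 158898.`, so the next addition is made for the right reason rather than by analogy. The enclosing function starts and ends outside the hunk, so I cannot see whether `curr` is already checked for null before this point.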
Modified: branches/chromium/1312/Source/WebCore/rendering/RenderButton.cpp (134271 => 134272)
--- branches/chromium/1312/Source/WebCore/rendering/RenderButton.cpp 2012-11-12 19:42:44 UTC (rev 134271)
+++ branches/chromium/1312/Source/WebCore/rendering/RenderButton.cpp 2012-11-12 19:44:42 UTC (rev 134272)
@@ -60,7 +60,11 @@
void RenderButton::removeChild(RenderObject* oldChild)
{
- if (oldChild == m_inner || !m_inner) {
+ // m_inner should be the only child, but checking for direct children who
+ // are not m_inner prevents security problems when that assumption is
+ // violated.
+ if (oldChild == m_inner || !m_inner || oldChild->parent() == this) {
+ ASSERT(oldChild == m_inner || !m_inner);
RenderDeprecatedFlexibleBox::removeChild(oldChild);
m_inner = 0;
} else
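Review bot: In the new defensive branch, when `oldChild` is a direct child that is not `m_inner` and `m_inner` is non-null, the code removes `oldChild` but still executes `m_inner = 0`, so the real anonymous inner block stays attached while the button forgets it, and a later `addChild()` would presumably create a second inner (the else branch and the rest of `removeChild` are outside the hunk). Clearing the pointer only when the removed child is the inner keeps the bookkeeping consistent in release builds, where the added `ASSERT` compiles away: `if (oldChild == m_inner) m_inner = 0;`. Note also that `oldChild->parent()` is now dereferenced whenever `m_inner` is non-null and `oldChild != m_inner`; if a null `oldChild` can reach this function, the condition needs an `oldChild &&` guard in front of that term.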