Skip to site navigation (Press enter)

[webkit-changes] [167672] trunk

bfulgham Tue, 22 Apr 2014 11:37:14 -0700

Title: [167672] trunk

Revision: 167672
Author: bfulg...@apple.com
Date: 2014-04-22 11:36:52 -0700 (Tue, 22 Apr 2014)

Log Message

Check (rather than assume) element is a RenderTableSection before using it
https://bugs.webkit.org/show_bug.cgi?id=121858


Reviewed by David Kilzer.


Source/WebCore: 
Test: fast/table/table-insert-object-before-td-crash.html

* rendering/RenderTable.cpp:
(WebCore::RenderTable::addChild): Check that lastBox is a table section before
using the node as if it was one.

LayoutTests: 
* fast/table/table-insert-object-before-td-crash-expected.txt: Added.
* fast/table/table-insert-object-before-td-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderTable.cpp

Added Paths

trunk/LayoutTests/fast/table/table-insert-object-before-td-crash-expected.txt
trunk/LayoutTests/fast/table/table-insert-object-before-td-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (167671 => 167672)


--- trunk/LayoutTests/ChangeLog	2014-04-22 18:36:23 UTC (rev 167671)
+++ trunk/LayoutTests/ChangeLog	2014-04-22 18:36:52 UTC (rev 167672)
@@ -1,3 +1,13 @@
+2014-04-22  Brent Fulgham  <bfulg...@apple.com>
+
+        Check (rather than assume) element is a RenderTableSection before using it
+        https://bugs.webkit.org/show_bug.cgi?id=121858
+
+        Reviewed by David Kilzer.
+
+        * fast/table/table-insert-object-before-td-crash-expected.txt: Added.
+        * fast/table/table-insert-object-before-td-crash.html: Added.
+
 2014-04-22  David Hyatt  <hy...@apple.com>
 
         [New Multicolumn] fast/multicol/multicol-with-child-renderLayer-for-input.html puts the textfield in the wrong place

Added: trunk/LayoutTests/fast/table/table-insert-object-before-td-crash-expected.txt (0 => 167672)


--- trunk/LayoutTests/fast/table/table-insert-object-before-td-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/table/table-insert-object-before-td-crash-expected.txt	2014-04-22 18:36:52 UTC (rev 167672)
@@ -0,0 +1,3 @@
+Test that node insertion of an object before a <td> works properly. This test passes if it does not crash.
+X
+PASS: Did not crash.

Added: trunk/LayoutTests/fast/table/table-insert-object-before-td-crash.html (0 => 167672)


--- trunk/LayoutTests/fast/table/table-insert-object-before-td-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/table/table-insert-object-before-td-crash.html	2014-04-22 18:36:52 UTC (rev 167672)
@@ -0,0 +1,25 @@
+<doctype HTML>
+<html>
+<body>
+Test that node insertion of an object before a &lt;td&gt; works properly.
+This test passes if it does not crash.
+<table>
+    <td id="td">X</td>
+</table>
+<div id="result"><span style='color: red;'>FAIL:</span> Did not complete test</div>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+
+var new_elem = document.createElement("col");
+var td = document.getElementById("td");
+td.parentNode.insertBefore(new_elem, td.nextSibling);
+new_elem = document.createElement("object");
+new_elem.setAttribute('standby', 'X');
+td.parentNode.insertBefore(new_elem, td.nextSibling);
+
+document.getElementById("result").innerHTML = "<span style='color: green;'>PASS:</span> Did not crash.";
+</script>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (167671 => 167672)


--- trunk/Source/WebCore/ChangeLog	2014-04-22 18:36:23 UTC (rev 167671)
+++ trunk/Source/WebCore/ChangeLog	2014-04-22 18:36:52 UTC (rev 167672)
@@ -1,3 +1,16 @@
+2014-04-22  Brent Fulgham  <bfulg...@apple.com>
+
+        Check (rather than assume) element is a RenderTableSection before using it
+        https://bugs.webkit.org/show_bug.cgi?id=121858
+
+        Reviewed by David Kilzer.
+
+        Test: fast/table/table-insert-object-before-td-crash.html
+
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::addChild): Check that lastBox is a table section before
+        using the node as if it was one.
+
 2014-04-22  Alex Christensen  <achristen...@webkit.org>
 
         Begin implementation of video using Media Foundation.

Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (167671 => 167672)


--- trunk/Source/WebCore/rendering/RenderTable.cpp	2014-04-22 18:36:23 UTC (rev 167671)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp	2014-04-22 18:36:52 UTC (rev 167672)
@@ -205,7 +205,7 @@
     RenderObject* lastBox = beforeChild;
     while (lastBox && lastBox->parent()->isAnonymous() && !lastBox->isTableSection() && lastBox->style().display() != TABLE_CAPTION && lastBox->style().display() != TABLE_COLUMN_GROUP)
         lastBox = lastBox->parent();
-    if (lastBox && lastBox->isAnonymous() && !isAfterContent(lastBox)) {
+    if (lastBox && lastBox->isAnonymous() && !isAfterContent(lastBox) && lastBox->isTableSection()) {
         RenderTableSection* section = toRenderTableSection(lastBox);
         if (beforeChild == section)
             beforeChild = section->firstRow();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes