Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124100 => 124101)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:21:45 UTC (rev 124100)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:26:01 UTC (rev 124101)
@@ -1,5 +1,21 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118316
+
+ 2012-05-23 Julien Chaffraix <jchaffr...@webkit.org>
+
+ Crash in RenderTableCol::nextColumn
+ https://bugs.webkit.org/show_bug.cgi?id=87314
+
+ Reviewed by Abhishek Arya.
+
+ * fast/table/canvas-column-in-column-group-expected.txt: Added.
+ * fast/table/canvas-column-in-column-group.html: Added.
+ * fast/table/columngroup-inside-columngroup-expected.txt: Added.
+ * fast/table/columngroup-inside-columngroup.html: Added.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118248
2012-05-23 Abhishek Arya <infe...@chromium.org>
Copied: branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt (from rev 118316, trunk/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt) (0 => 124101)
--- branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group-expected.txt 2012-07-30 22:26:01 UTC (rev 124101)
@@ -0,0 +1,3 @@
+Test for bug 87314: Crash in RenderTableCol::nextColumn
+
+PASSED, this test didn't crash or ASSERT.
Copied: branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group.html (from rev 118316, trunk/LayoutTests/fast/table/canvas-column-in-column-group.html) (0 => 124101)
--- branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/table/canvas-column-in-column-group.html 2012-07-30 22:26:01 UTC (rev 124101)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<p>Test for bug <a href="" Crash in RenderTableCol::nextColumn</p>
+<table>
+ <colgroup>
+ </colgroup>
+ <tbody>
+ <td></td>
+ </tbody>
+</table>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var canvas = document.createElement("canvas");
+ canvas.style.display = "table-column";
+ document.getElementsByTagName("colgroup")[0].appendChild(canvas);
+ document.body.offsetTop;
+ document.body.appendChild(document.createTextNode("PASSED, this test didn't crash or ASSERT."));
+</script>
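Review bot: The script's `document.body.offsetTop;` line is what forces the layout this test depends on, but nothing in the test says so, and a later cleanup could drop it as a dead expression. Add a short comment that the read is there to force layout after the canvas is appended. The description line also has an empty `href=""` and an unclosed `<a>` as shown here, so it should link to https://bugs.webkit.org/show_bug.cgi?id=87314 the way the ChangeLog does. Because the test only reports the absence of a crash or ASSERT, it needs to be run in a debug build for the ASSERT half of that claim to mean anything.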
Copied: branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt (from rev 118316, trunk/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt) (0 => 124101)
--- branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup-expected.txt 2012-07-30 22:26:01 UTC (rev 124101)
@@ -0,0 +1,3 @@
+Test for bug 87314: Crash in RenderTableCol::nextColumn
+
+PASSED, this test didn't crash or ASSERT.
Copied: branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup.html (from rev 118316, trunk/LayoutTests/fast/table/columngroup-inside-columngroup.html) (0 => 124101)
--- branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/table/columngroup-inside-columngroup.html 2012-07-30 22:26:01 UTC (rev 124101)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<p>Test for bug <a href="" Crash in RenderTableCol::nextColumn</p>
+<table>
+ <colgroup>
+ </colgroup>
+ <tbody>
+ <td></td>
+ </tbody>
+</table>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var colgroup = document.createElement("colgroup");
+ document.getElementsByTagName("colgroup")[0].appendChild(colgroup);
+ document.body.offsetTop;
+ document.body.appendChild(document.createTextNode("PASSED, this test didn't crash or ASSERT."));
+</script>
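Review bot: Nothing in this test states which part of the new isChildAllowed check it exercises. The appended `colgroup` keeps its default display (table-column-group), so it is the `style->display() == TABLE_COLUMN` comparison that rejects it, whereas the canvas test relies on `child->isTableCol()`. A one-line comment to that effect in each test would make it clear why both files are needed. Apart from the two script lines this file is a copy of the canvas test, so the empty `href` on the description line applies here as well.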
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124100 => 124101)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:21:45 UTC (rev 124100)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:26:01 UTC (rev 124101)
@@ -1,5 +1,31 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118316
+
+ 2012-05-23 Julien Chaffraix <jchaffr...@webkit.org>
+
+ Crash in RenderTableCol::nextColumn
+ https://bugs.webkit.org/show_bug.cgi?id=87314
+
+ Reviewed by Abhishek Arya.
+
+ Tests: fast/table/canvas-column-in-column-group.html
+ fast/table/columngroup-inside-columngroup.html
+
+ The issue comes from elements not abiding by the display property (e.g. canvas). This means
+ that any renderer with display: table-column would pass the current isChildAllowed check and
+ would confuse our algorithm to iterate.
+
+ We were getting away with allowing those children as table columns or column groups don't
+ paint themselves but it's better to just not allow such children in the first place.
+
+ * rendering/RenderTableCol.cpp:
+ (WebCore::RenderTableCol::isChildAllowed):
+ Fixed the logic to only accept proper column renderer (RenderTableCol with display: column
+ to ignore column-groups). Also removed an unneeded NULL-check.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118248
2012-05-23 Abhishek Arya <infe...@chromium.org>
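Review bot: The RenderTableCol.cpp entry says "RenderTableCol with display: column", but the value the code compares against is TABLE_COLUMN, so the entry should read display: table-column. The same entry calls the removed NULL-check unneeded without saying why `style` can never be null when isChildAllowed is called; one sentence naming that guarantee would let someone reviewing the merge verify it.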
Modified: branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableCol.cpp (124100 => 124101)
--- branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableCol.cpp 2012-07-30 22:21:45 UTC (rev 124100)
+++ branches/safari-536.26-branch/Source/WebCore/rendering/RenderTableCol.cpp 2012-07-30 22:26:01 UTC (rev 124101)
@@ -71,7 +71,7 @@
bool RenderTableCol::isChildAllowed(RenderObject* child, RenderStyle* style) const
{
- return !child->isText() && style && (style->display() == TABLE_COLUMN);
+ return child->isTableCol() && style->display() == TABLE_COLUMN;
}
bool RenderTableCol::canHaveChildren() const
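Review bot: The replacement return line dereferences `style` unconditionally where the removed line guarded it with `style &&`, and nothing in the hunk enforces the non-null assumption. If every caller passes a style, add `ASSERT(style);` ahead of the return so a violation is caught in debug builds rather than surfacing as a null dereference in release. Dropping `!child->isText()` is fine, since a text renderer cannot satisfy `child->isTableCol()`, but note that `child` is still dereferenced without a check, as it was before.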