Title: [98019] branches/chromium/912
- Revision
- 98019
- Author
- jchaffr...@webkit.org
- Date
- 2011-10-20 13:27:03 -0700 (Thu, 20 Oct 2011)
Log Message
Merge 97907 - Multiple crashes in RenderTable during layout
https://bugs.webkit.org/show_bug.cgi?id=70392
Reviewed by Simon Fraser.
Source/WebCore:
Tests: fast/table/crash-anonymous-table-computeLogicalWidth.html
fast/table/crash-anonymous-table-layout.html
r97555 forgot to take into account anonymous tables during layout
where RenderObject::node() is NULL.
* rendering/RenderTable.cpp:
(WebCore::RenderTable::computeLogicalWidth):
(WebCore::RenderTable::layout):
Added a check for node() before calling Node::hasTagName.
LayoutTests:
* fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt: Added.
* fast/table/crash-anonymous-table-computeLogicalWidth.html: Added.
* fast/table/crash-anonymous-table-layout-expected.txt: Added.
* fast/table/crash-anonymous-table-layout.html: Added.
TBR=jchaffr...@webkit.org
Review URL: http://codereview.chromium.org/8366015
Modified Paths
Added Paths
Diff
Copied: branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt (from rev 97907, trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt) (0 => 98019)
--- branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth-expected.txt 2011-10-20 20:27:03 UTC (rev 98019)
@@ -0,0 +1,2 @@
+Bug 70392: Multiple crashes in RenderTable during layout
+This test passes if it does not CRASH.
Copied: branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html (from rev 97907, trunk/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html) (0 => 98019)
--- branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-computeLogicalWidth.html 2011-10-20 20:27:03 UTC (rev 98019)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.tableBefore:before { display: inline-table; content: url(data:text/plain,foo); width: 10px; }
+</style>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<div class="tableBefore"></div>
+<div>Bug <a href="" Multiple crashes in RenderTable during layout</div>
+<div>This test passes if it does not CRASH.</div>
+</body>
+</html>
Copied: branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt (from rev 97907, trunk/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt) (0 => 98019)
--- branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout-expected.txt 2011-10-20 20:27:03 UTC (rev 98019)
@@ -0,0 +1,2 @@
+Bug 70392: Multiple crashes in RenderTable during layout
+This test passes if it does not CRASH.
Copied: branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout.html (from rev 97907, trunk/LayoutTests/fast/table/crash-anonymous-table-layout.html) (0 => 98019)
--- branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout.html (rev 0)
+++ branches/chromium/912/LayoutTests/fast/table/crash-anonymous-table-layout.html 2011-10-20 20:27:03 UTC (rev 98019)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.tableAfter::after { display: table; content: attr(class); height: 1px; }
+</style>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<div class="tableAfter"></div>
+<div>Bug <a href="" Multiple crashes in RenderTable during layout</div>
+<div>This test passes if it does not CRASH.</div>
+</body>
+</html>
Modified: branches/chromium/912/Source/WebCore/rendering/RenderTable.cpp (98018 => 98019)
--- branches/chromium/912/Source/WebCore/rendering/RenderTable.cpp 2011-10-20 20:05:44 UTC (rev 98018)
+++ branches/chromium/912/Source/WebCore/rendering/RenderTable.cpp 2011-10-20 20:27:03 UTC (rev 98019)
@@ -239,7 +239,7 @@
// Percent or fixed table
// HTML tables size as though CSS width includes border/padding, CSS tables do not.
LayoutUnit borders = 0;
- if (!node()->hasTagName(tableTag)) {
+ if (!node() || !node()->hasTagName(tableTag)) {
bool collapsing = collapseBorders();
LayoutUnit borderAndPaddingBefore = borderBefore() + (collapsing ? 0 : paddingBefore());
LayoutUnit borderAndPaddingAfter = borderAfter() + (collapsing ? 0 : paddingAfter());
@@ -369,7 +369,7 @@
LayoutUnit computedLogicalHeight = 0;
if (logicalHeightLength.isFixed()) {
// HTML tables size as though CSS height includes border/padding, CSS tables do not.
- LayoutUnit borders = node()->hasTagName(tableTag) ? (borderAndPaddingBefore + borderAndPaddingAfter) : 0;
+ LayoutUnit borders = node() && node()->hasTagName(tableTag) ? (borderAndPaddingBefore + borderAndPaddingAfter) : 0;
computedLogicalHeight = logicalHeightLength.value() - borders;
} else if (logicalHeightLength.isPercent())
computedLogicalHeight = computePercentageLogicalHeight(logicalHeightLength);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes