Title: [100630] trunk
Revision: 100630
Author: infe...@chromium.org
Date: 2011-11-17 08:43:06 -0800 (Thu, 17 Nov 2011)

Log Message

Crash from nested tables with generated content
https://bugs.webkit.org/show_bug.cgi?id=68811

Patch by Ken Buchanan <ke...@chromium.org> on 2011-11-17
Reviewed by David Hyatt.

Source/WebCore: 

When adding a child to a table that has generated content, this change
ensures that we leave alone any generated content renderers that belong
to descendants in the tree. They don't need to be touched, and doing so
can create confusion about who the content belongs to.

This patch also simplifies some existing code for finding pseudoelement
renderers. 

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::addChild):
(WebCore::RenderObject::isBeforeAfterContentGeneratedByAncestor): Added
* rendering/RenderObject.h:
(WebCore::RenderObject::findAfterContentRenderer): Deleted
(WebCore::RenderObject::findBeforeContentRenderer): Deleted
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::beforePseudoElementRenderer):
(WebCore::RenderObjectChildList::afterPseudoElementRenderer):
* rendering/RenderTable.cpp:
(WebCore::RenderTable::addChild):
* rendering/RenderTableRow.cpp:
(WebCore::RenderTableRow::addChild):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::addChild):

LayoutTests: 

Layout test for nesting tables with generated content and forcing a
style recalculation.

* fast/css-generated-content/nested-tables-with-before-after-content-crash.html: Added
* platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png: Added
* platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt: Added
* platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png: Added
* platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt: Added

Diff

Modified: trunk/LayoutTests/ChangeLog (100629 => 100630)


--- trunk/LayoutTests/ChangeLog	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/LayoutTests/ChangeLog	2011-11-17 16:43:06 UTC (rev 100630)
@@ -1,3 +1,19 @@
+2011-11-17  Ken Buchanan  <ke...@chromium.org>
+
+        Crash from nested tables with generated content
+        https://bugs.webkit.org/show_bug.cgi?id=68811
+
+        Reviewed by David Hyatt.
+
+        Layout test for nesting tables with generated content and forcing a
+        style recalculation.
+
+        * fast/css-generated-content/nested-tables-with-before-after-content-crash.html: Added
+        * platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png: Added
+        * platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt: Added
+        * platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png: Added
+        * platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt: Added
+
 2011-11-17  Csaba Osztrogonác  <o...@webkit.org>
 
         [Qt] Unreviewed gardening.
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________

Added: svn:executable
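
Review bot: The property change recorded here sets svn:executable on trunk/LayoutTests/ChangeLog, and the same property is added further down on trunk/Source/WebCore/ChangeLog and on the new .html, .png and .txt test files. None of these is something that gets executed, so the property looks unintended and should be dropped (svn propdel svn:executable) rather than committed alongside the fix.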

Added: trunk/LayoutTests/fast/css-generated-content/nested-tables-with-before-after-content-crash.html (0 => 100630)


--- trunk/LayoutTests/fast/css-generated-content/nested-tables-with-before-after-content-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/nested-tables-with-before-after-content-crash.html	2011-11-17 16:43:06 UTC (rev 100630)
@@ -0,0 +1,18 @@
+<!DOCTYPE>
+<html style="font: 1em/1 Ahem, sans-serif;">
+<style type="text/css">
+.c1 { display: inline-table; color: blue}
+.c1:before { overflow: hidden; content: counter(section); color: red}
+.c1:nth-child(2n) { text-decoration: overline; }
+</style>
+<body>
+<div class="c1" id="div1"><q style="display:inline-table"></q></div>
+</body>
+<script>
+    function runTest() {
+        document.getElementById('div1').setAttribute('class', 'c1');
+        document.body.offsetTop;
+    }
+    window._onload_ = runTest;
+</script>
+</html>
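
Review bot: As the line reads here, `window._onload_ = runTest;` assigns to a property named `_onload_`, which is not a load handler, so `runTest()` would never be called and the class reassignment plus the `document.body.offsetTop` layout flush that the test depends on would not happen. It should read `window.onload = runTest;`. A short comment at the top of the file naming the bug and stating that the test passes if it does not crash would also make the intent clear to whoever next rebaselines it.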
Property changes on: trunk/LayoutTests/fast/css-generated-content/nested-tables-with-before-after-content-crash.html
___________________________________________________________________

Added: svn:executable

Added: trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png


(Binary files differ)
Property changes on: trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png
___________________________________________________________________

Added: svn:executable

Added: svn:mime-type

Added: trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt (0 => 100630)


--- trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt	2011-11-17 16:43:06 UTC (rev 100630)
@@ -0,0 +1,24 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderTable {DIV} at (0,0) size 48x19 [color=#0000FF]
+        RenderTableSection (anonymous) at (0,0) size 48x19
+          RenderTableRow (anonymous) at (0,0) size 48x19
+            RenderTableCell (anonymous) at (0,0) size 48x19 [r=0 c=0 rs=1 cs=1]
+              RenderInline (generated) at (0,0) size 16x16 [color=#FF0000]
+                RenderCounter at (0,3) size 16x16
+                  text run at (0,3) width 16: "0"
+              RenderTable {Q} at (16,0) size 32x16
+                RenderTableSection (anonymous) at (0,0) size 32x16
+                  RenderTableRow (anonymous) at (0,0) size 32x16
+                    RenderTableCell (anonymous) at (0,0) size 32x16 [r=0 c=0 rs=1 cs=1]
+                      RenderInline (generated) at (0,0) size 16x16
+                        RenderQuote at (0,0) size 16x16
+                          text run at (0,0) width 16: "\""
+                      RenderInline (generated) at (0,0) size 16x16
+                        RenderQuote at (16,0) size 16x16
+                          text run at (16,0) width 16: "\""
+      RenderText {#text} at (0,0) size 0x0
+      RenderText {#text} at (0,0) size 0x0
Property changes on: trunk/LayoutTests/platform/chromium-win/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt
___________________________________________________________________

Added: svn:executable

Added: trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png


(Binary files differ)
Property changes on: trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.png
___________________________________________________________________

Added: svn:executable

Added: svn:mime-type

Added: trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt (0 => 100630)


--- trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt	2011-11-17 16:43:06 UTC (rev 100630)
@@ -0,0 +1,24 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderTable {DIV} at (0,0) size 48x19 [color=#0000FF]
+        RenderTableSection (anonymous) at (0,0) size 48x19
+          RenderTableRow (anonymous) at (0,0) size 48x19
+            RenderTableCell (anonymous) at (0,0) size 48x19 [r=0 c=0 rs=1 cs=1]
+              RenderInline (generated) at (0,0) size 16x16 [color=#FF0000]
+                RenderCounter at (0,3) size 16x16
+                  text run at (0,3) width 16: "0"
+              RenderTable {Q} at (16,0) size 32x16
+                RenderTableSection (anonymous) at (0,0) size 32x16
+                  RenderTableRow (anonymous) at (0,0) size 32x16
+                    RenderTableCell (anonymous) at (0,0) size 32x16 [r=0 c=0 rs=1 cs=1]
+                      RenderInline (generated) at (0,0) size 16x16
+                        RenderQuote at (0,0) size 16x16
+                          text run at (0,0) width 16: "\""
+                      RenderInline (generated) at (0,0) size 16x16
+                        RenderQuote at (16,0) size 16x16
+                          text run at (16,0) width 16: "\""
+      RenderText {#text} at (0,0) size 0x0
+      RenderText {#text} at (0,0) size 0x0
Property changes on: trunk/LayoutTests/platform/mac/fast/css-generated-content/nested-tables-with-before-after-content-crash-expected.txt
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (100629 => 100630)


--- trunk/Source/WebCore/ChangeLog	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/ChangeLog	2011-11-17 16:43:06 UTC (rev 100630)
@@ -1,3 +1,36 @@
+2011-11-17  Ken Buchanan  <ke...@chromium.org>
+
+        Crash from nested tables with generated content
+        https://bugs.webkit.org/show_bug.cgi?id=68811
+
+        Reviewed by David Hyatt.
+
+        When adding a child to a table that has generated content, this change
+        ensures that we leave alone any generated content renderers that belong
+        to descendants in the tree. They don't need to be touched, and doing so
+        can create confusion about who the content belongs to.
+
+        This patch also simplifies some existing code for finding pseudoelement
+        renderers. 
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::addChild):
+        (WebCore::RenderObject::isBeforeAfterContentGeneratedByAncestor): Added
+        * rendering/RenderObject.h:
+        (WebCore::RenderObject::findAfterContentRenderer): Deleted
+        (WebCore::RenderObject::findBeforeContentRenderer): Deleted
+        * rendering/RenderObjectChildList.cpp:
+        (WebCore::RenderObjectChildList::beforePseudoElementRenderer):
+        (WebCore::RenderObjectChildList::afterPseudoElementRenderer):
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::addChild):
+        * rendering/RenderTableRow.cpp:
+        (WebCore::RenderTableRow::addChild):
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::addChild):
+
 2011-11-17  Patrick Gansterer  <par...@webkit.org>
 
         Unreviewed WinCE build fix for r94119.
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -674,7 +674,7 @@
 {
     // Make sure we don't append things after :after-generated content if we have it.
     if (!beforeChild)
-        beforeChild = findAfterContentRenderer();
+        beforeChild = afterPseudoElementRenderer();
 
     // If the requested beforeChild is not one of our children, then this is because
     // there is an anonymous container within this object that contains the beforeChild.

Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderObject.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -271,6 +271,16 @@
     return node() && node()->renderer() == this && node()->hasTagName(marqueeTag);
 }
 
+static bool isBeforeAfterContentGeneratedByAncestor(RenderObject* renderer, RenderObject* beforeAfterContent)
+{
+    while (renderer) {
+        if (renderer->generatingNode() == beforeAfterContent->generatingNode())
+            return true;
+        renderer = renderer->parent();
+    }
+    return false;
+}
+
 void RenderObject::addChild(RenderObject* newChild, RenderObject* beforeChild)
 {
     RenderObjectChildList* children = virtualChildren();
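
Review bot: The name and the ChangeLog entry do not match what the new helper is. The loop starts at `renderer` itself, so it returns true for the renderer as well as for its ancestors, and it is a file-static free function while the ChangeLog lists it as `WebCore::RenderObject::isBeforeAfterContentGeneratedByAncestor`. A one-line comment stating the ancestor-or-self contract would help. `beforeAfterContent->generatingNode()` can be read once before the loop instead of on every iteration, and since `beforeAfterContent` is dereferenced without a check, an `ASSERT(beforeAfterContent)` would document that the caller is expected to guard it.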
@@ -281,9 +291,9 @@
     RenderObject* beforeContent = 0;
     bool beforeChildHasBeforeAndAfterContent = false;
     if (beforeChild && (beforeChild->isTable() || beforeChild->isTableSection() || beforeChild->isTableRow() || beforeChild->isTableCell())) {
-        beforeContent = beforeChild->findBeforeContentRenderer();
-        RenderObject* afterContent = beforeChild->findAfterContentRenderer();
-        if (beforeContent && afterContent) {
+        beforeContent = beforeChild->beforePseudoElementRenderer();
+        RenderObject* afterContent = beforeChild->afterPseudoElementRenderer();
+        if (beforeContent && afterContent && isBeforeAfterContentGeneratedByAncestor(this, beforeContent)) {
             beforeChildHasBeforeAndAfterContent = true;
             beforeContent->destroy();
         }
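
Review bot: In the new condition only `beforeContent` is passed to `isBeforeAfterContentGeneratedByAncestor`; `afterContent` must be non-null but its generating node is never compared, so the check assumes both renderers were generated by the same node. Either test `afterContent` as well or assert that the two share a `generatingNode()`. Separately, after `beforeContent->destroy()` the local still holds the address of the destroyed renderer, so it is worth confirming that the code below this hunk only consults `beforeChildHasBeforeAndAfterContent` and never dereferences `beforeContent` again; setting it to 0 right after the destroy would make that explicit.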

Modified: trunk/Source/WebCore/rendering/RenderObject.h (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderObject.h	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderObject.h	2011-11-17 16:43:06 UTC (rev 100630)
@@ -356,18 +356,6 @@
     static inline bool isAfterContent(const RenderObject* obj) { return obj && obj->isAfterContent(); }
     static inline bool isBeforeOrAfterContent(const RenderObject* obj) { return obj && obj->isBeforeOrAfterContent(); }
 
-    inline RenderObject* findBeforeContentRenderer() const
-    {
-        RenderObject* renderer = beforePseudoElementRenderer();
-        return isBeforeContent(renderer) ? renderer : 0;
-    }
-
-    inline RenderObject* findAfterContentRenderer() const
-    {
-        RenderObject* renderer = afterPseudoElementRenderer();
-        return isAfterContent(renderer) ? renderer : 0;
-    }
-
     inline RenderObject* anonymousContainer(RenderObject* child)
     {
          RenderObject* container = child;
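
Review bot: Deleting these two wrappers removes the `isBeforeContent(renderer)` / `isAfterContent(renderer)` filter that every caller used to get, so the call sites switched in RenderBlock.cpp, RenderObject.cpp, RenderTable.cpp, RenderTableRow.cpp and RenderTableSection.cpp are equivalent only because `beforePseudoElementRenderer()` and `afterPseudoElementRenderer()` now perform that check themselves in RenderObjectChildList.cpp. That dependency deserves a comment on those two functions stating that they return either a :before/:after renderer or 0, so a later edit there does not silently hand unfiltered renderers to the `addChild` paths.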

Modified: trunk/Source/WebCore/rendering/RenderObjectChildList.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderObjectChildList.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderObjectChildList.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -313,7 +313,7 @@
     if (!first)
         return 0;
 
-    if (first->style()->styleType() == BEFORE)
+    if (first->isBeforeContent())
         return first;
 
     // Check for a possible generated run-in, using run-in positioning rules.
@@ -325,7 +325,7 @@
     // We still need to skip any list markers that could exist before the run-in.
     while (first && first->isListMarker())
         first = first->nextSibling();
-    if (first && first->style()->styleType() == BEFORE && first->isRenderInline() && first->isRunIn())
+    if (first && first->isBeforeContent() && first->isRenderInline() && first->isRunIn())
         return first;
     
     return 0;
@@ -337,7 +337,7 @@
     do {
         last = last->lastChild();
     } while (last && last->isAnonymous() && last->style()->styleType() == NOPSEUDO && !last->isListMarker());
-    if (last && last->style()->styleType() != AFTER)
+    if (last && !last->isAfterContent())
         return 0;
     return last;
 }

Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderTable.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -111,7 +111,7 @@
 {
     // Make sure we don't append things after :after-generated content if we have it.
     if (!beforeChild)
-        beforeChild = findAfterContentRenderer();
+        beforeChild = afterPseudoElementRenderer();
 
     bool wrapInAnonymousSection = !child->isPositioned();
 

Modified: trunk/Source/WebCore/rendering/RenderTableRow.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderTableRow.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderTableRow.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -86,7 +86,7 @@
 {
     // Make sure we don't append things after :after-generated content if we have it.
     if (!beforeChild)
-        beforeChild = findAfterContentRenderer();
+        beforeChild = afterPseudoElementRenderer();
 
     if (!child->isTableCell()) {
         RenderObject* last = beforeChild;

Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (100629 => 100630)


--- trunk/Source/WebCore/rendering/RenderTableSection.cpp	2011-11-17 16:40:31 UTC (rev 100629)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp	2011-11-17 16:43:06 UTC (rev 100630)
@@ -102,7 +102,7 @@
 {
     // Make sure we don't append things after :after-generated content if we have it.
     if (!beforeChild)
-        beforeChild = findAfterContentRenderer();
+        beforeChild = afterPseudoElementRenderer();
 
     if (!child->isTableRow()) {
         RenderObject* last = beforeChild;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
