[webkit-changes] [103456] branches/safari-534.54-branch

Wed, 21 Dec 2011 14:45:07 -0800

Title: [103456] branches/safari-534.54-branch

Diff

Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103455 => 103456)


--- branches/safari-534.54-branch/LayoutTests/ChangeLog	2011-12-21 22:43:58 UTC (rev 103455)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog	2011-12-21 22:45:01 UTC (rev 103456)
@@ -1,5 +1,19 @@
 2011-12-21  Lucas Forschler  <lforsch...@apple.com>
 
+    Merge 95054
+
+    2011-08-11  Cris Neckar  <c...@chromium.org>
+
+            Test for crash when reparenting table elements with associated counters outside the table.
+            https://bugs.webkit.org/show_bug.cgi?id=65996
+
+            Reviewed by Eric Seidel.
+
+            * fast/css/counters/counter-reparent-table-children-crash-expected.txt: Added.
+            * fast/css/counters/counter-reparent-table-children-crash.html: Added.
+
+2011-12-21  Lucas Forschler  <lforsch...@apple.com>
+
     Merge 95028
 
     2011-09-12  Sam Weinig  <s...@webkit.org>

Copied: branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash-expected.txt (from rev 95054, trunk/LayoutTests/fast/css/counters/counter-reparent-table-children-crash-expected.txt) (0 => 103456)


--- branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash-expected.txt	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash-expected.txt	2011-12-21 22:45:01 UTC (rev 103456)
@@ -0,0 +1 @@
+PASS: Malformed table counters do not cause crash

Copied: branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash.html (from rev 95054, trunk/LayoutTests/fast/css/counters/counter-reparent-table-children-crash.html) (0 => 103456)


--- branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash.html	                        (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/css/counters/counter-reparent-table-children-crash.html	2011-12-21 22:45:01 UTC (rev 103456)
@@ -0,0 +1,31 @@
+<html>
+<style>
+td {
+    counter-increment: list-item;
+}
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+}
+
+function crash() {
+    document.body.innerHTML = "PASS: Malformed table counters do not cause crash";
+    if (window.layoutTestController) {
+        layoutTestController.notifyDone();
+        layoutTestController.dumpAsText();
+    }
+}
+</script>
+<body _onload_="crash()">
+    <table>
+        <tbody>
+            <td>
+        </tbody>
+        <ol>re-parent me</ol>
+        <ol>re-parent me</ol>
+            </td>
+        <td></td>
+    </table>
+</body>
+</html>

Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103455 => 103456)


--- branches/safari-534.54-branch/Source/WebCore/ChangeLog	2011-12-21 22:43:58 UTC (rev 103455)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog	2011-12-21 22:45:01 UTC (rev 103456)
@@ -1,5 +1,24 @@
 2011-12-21  Lucas Forschler  <lforsch...@apple.com>
 
+    Merge 95054
+
+    2011-08-11  Cris Neckar  <c...@chromium.org>
+
+            Fixes several bugs when adding CounterNodes to a tree which can cause asymetrical relationships.
+            https://bugs.webkit.org/show_bug.cgi?id=65996
+
+            Reviewed by Eric Seidel.
+
+            Test: fast/css/counters/counter-reparent-table-children-crash.html
+
+            * rendering/CounterNode.cpp:
+            (WebCore::CounterNode::insertAfter):
+            * rendering/RenderCounter.cpp:
+            (WebCore::findPlaceForCounter):
+            (WebCore::makeCounterNode):
+
+2011-12-21  Lucas Forschler  <lforsch...@apple.com>
+
     Merge 95010
 
     2011-09-12  Adam Klein  <ad...@chromium.org>

Modified: branches/safari-534.54-branch/Source/WebCore/rendering/CounterNode.cpp (103455 => 103456)


--- branches/safari-534.54-branch/Source/WebCore/rendering/CounterNode.cpp	2011-12-21 22:43:58 UTC (rev 103455)
+++ branches/safari-534.54-branch/Source/WebCore/rendering/CounterNode.cpp	2011-12-21 22:45:01 UTC (rev 103456)
@@ -238,7 +238,10 @@
     ASSERT(!newChild->m_parent);
     ASSERT(!newChild->m_previousSibling);
     ASSERT(!newChild->m_nextSibling);
-    ASSERT(!refChild || refChild->m_parent == this);
+    // If the refChild is not our child we can not complete the request. This hardens against bugs in RenderCounter.
+    // When renderers are reparented it may request that we insert counter nodes improperly.
+    if (refChild && refChild->m_parent != this)
+        return;
 
     if (newChild->m_hasResetType) {
         while (m_lastChild != refChild)
@@ -274,32 +277,43 @@
             next->recount();
         return;
     }
+    // If the new child is the last in the sibling list we must set the parent's lastChild.
+    if (!newChild->m_nextSibling)
+        m_lastChild = newChild;
 
     // The code below handles the case when a formerly root increment counter is loosing its root position
     // and therefore its children become next siblings.
     CounterNode* last = newChild->m_lastChild;
     CounterNode* first = newChild->m_firstChild;
 
-    newChild->m_nextSibling = first;
-    first->m_previousSibling = newChild;
-    // The case when the original next sibling of the inserted node becomes a child of
-    // one of the former children of the inserted node is not handled as it is believed
-    // to be impossible since:
-    // 1. if the increment counter node lost it's root position as a result of another
-    //    counter node being created, it will be inserted as the last child so next is null.
-    // 2. if the increment counter node lost it's root position as a result of a renderer being
-    //    inserted into the document's render tree, all its former children counters are attached
-    //    to children of the inserted renderer and hence cannot be in scope for counter nodes
-    //    attached to renderers that were already in the document's render tree.
-    last->m_nextSibling = next;
-    if (next)
-        next->m_previousSibling = last;
-    else
-        m_lastChild = last;
-    for (next = first; ; next = next->m_nextSibling) {
-        next->m_parent = this;
-        if (last == next)
-            break;
+    if (first) {
+        ASSERT(last);
+        newChild->m_nextSibling = first;
+        if (m_lastChild == newChild)
+            m_lastChild = last;
+
+        first->m_previousSibling = newChild;
+    
+        // The case when the original next sibling of the inserted node becomes a child of
+        // one of the former children of the inserted node is not handled as it is believed
+        // to be impossible since:
+        // 1. if the increment counter node lost it's root position as a result of another
+        //    counter node being created, it will be inserted as the last child so next is null.
+        // 2. if the increment counter node lost it's root position as a result of a renderer being
+        //    inserted into the document's render tree, all its former children counters are attached
+        //    to children of the inserted renderer and hence cannot be in scope for counter nodes
+        //    attached to renderers that were already in the document's render tree.
+        last->m_nextSibling = next;
+        if (next) {
+            ASSERT(next->m_previousSibling == newChild);
+            next->m_previousSibling = last;
+        } else
+            m_lastChild = last;
+        for (next = first; ; next = next->m_nextSibling) {
+            next->m_parent = this;
+            if (last == next)
+                break;
+        }
     }
     newChild->m_firstChild = 0;
     newChild->m_lastChild = 0;

Modified: branches/safari-534.54-branch/Source/WebCore/rendering/RenderCounter.cpp (103455 => 103456)


--- branches/safari-534.54-branch/Source/WebCore/rendering/RenderCounter.cpp	2011-12-21 22:43:58 UTC (rev 103455)
+++ branches/safari-534.54-branch/Source/WebCore/rendering/RenderCounter.cpp	2011-12-21 22:45:01 UTC (rev 103456)
@@ -319,7 +319,11 @@
                         // We are not a reset node or the previous reset must be on an ancestor of our owner renderer
                         // hence we must be a child of that reset counter.
                         parent = currentCounter;
-                        ASSERT(previousSibling->parent() == currentCounter);
+                        // In some cases renders can be reparented (ex. nodes inside a table but not in a column or row).
+                        // In these cases the identified previousSibling will be invalid as its parent is different from
+                        // our identified parent.
+                        if (previousSibling->parent() != currentCounter)
+                            previousSibling = 0;
                         return true;
                     }
                     // CurrentCounter, the counter at the EndSearchRenderer, is not reset.
@@ -435,10 +439,8 @@
         if (!currentCounter)
             continue;
         skipDescendants = true;
-        if (currentCounter->parent()) {
-            ASSERT(newNode->firstChild());
+        if (currentCounter->parent())
             continue;
-        }
         if (stayWithin == parentElement(currentRenderer) && currentCounter->hasResetType())
             break;
         newNode->insertAfter(currentCounter, newNode->lastChild(), identifier);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to