Title: [225960] trunk
Revision: 225960
Author: [email protected]
Date: 2017-12-14 20:22:47 -0800 (Thu, 14 Dec 2017)
Log Message
Inconsistent section grid could lead to CrashOnOverflow
https://bugs.webkit.org/show_bug.cgi?id=180850
<rdar://problem/34064811>
Reviewed by Simon Fraser.
Source/WebCore:
Each RenderTableSection maintains a grid of rows and columns. The number of columns in this grid equals the
maximum number of columns in the entire table (taking spans and multiple sections into account).
Since the maximum number of columns might change while re-computing the sections, we need to
adjust them accordingly at the end (otherwise it could lead to inconsistent grids where rows have different number of columns).
Test: fast/table/table-row-oveflow-crash.html
* rendering/RenderTable.cpp:
(WebCore::RenderTable::recalcSections const):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::removeRedundantColumns):
* rendering/RenderTableSection.h:
LayoutTests:
* fast/table/table-row-oveflow-crash-expected.txt: Added.
* fast/table/table-row-oveflow-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (225959 => 225960)
--- trunk/LayoutTests/ChangeLog 2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/LayoutTests/ChangeLog 2017-12-15 04:22:47 UTC (rev 225960)
@@ -1,3 +1,14 @@
+2017-12-14 Zalan Bujtas <[email protected]>
+
+ Inconsistent section grid could lead to CrashOnOverflow
+ https://bugs.webkit.org/show_bug.cgi?id=180850
+ <rdar://problem/34064811>
+
+ Reviewed by Simon Fraser.
+
+ * fast/table/table-row-oveflow-crash-expected.txt: Added.
+ * fast/table/table-row-oveflow-crash.html: Added.
+
2017-12-14 Chris Dumez <[email protected]>
[iOS] Many serviceworker tests are flaky timeouts on iOS bots
Added: trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt (0 => 225960)
--- trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt 2017-12-15 04:22:47 UTC (rev 225960)
@@ -0,0 +1,4 @@
+PASS if no crash.
+5
+2
+43
Added: trunk/LayoutTests/fast/table/table-row-oveflow-crash.html (0 => 225960)
--- trunk/LayoutTests/fast/table/table-row-oveflow-crash.html (rev 0)
+++ trunk/LayoutTests/fast/table/table-row-oveflow-crash.html 2017-12-15 04:22:47 UTC (rev 225960)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<table>
+ <tbody>
+ <tr id="tr_first_table"></tr>
+ </tbody>
+ <tbody>
+ <tr>
+ <th>2</th>
+ <th id="th_first_table">3</th>
+ </tr>
+ </tbody>
+</table>
+<br>
+<table>
+ <th id="th_second_table">4</th>
+ <th rowspan="6" id="th_withh_rowspan">5</th>
+</table>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.body.offsetHeight;
+th_second_table.appendChild(th_first_table);
+document.body.offsetHeight;
+tr_first_table.appendChild(th_withh_rowspan);
+document.body.offsetHeight;
+</script>
+</body>
+</html>
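Review bot: The test file name misspells "overflow" as "oveflow" (table-row-oveflow-crash.html and the matching -expected.txt), and the id `th_withh_rowspan` has a doubled "h"; renaming both before landing keeps the test findable by search. The script would also benefit from a short comment on the `document.body.offsetHeight` reads saying that each one forces layout, since the test depends on the sequence: move a cell out of the first table, lay out, then move the `rowspan="6"` cell into the first table's empty row and lay out again.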
Modified: trunk/Source/WebCore/ChangeLog (225959 => 225960)
--- trunk/Source/WebCore/ChangeLog 2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/ChangeLog 2017-12-15 04:22:47 UTC (rev 225960)
@@ -1,3 +1,24 @@
+2017-12-14 Zalan Bujtas <[email protected]>
+
+ Inconsistent section grid could lead to CrashOnOverflow
+ https://bugs.webkit.org/show_bug.cgi?id=180850
+ <rdar://problem/34064811>
+
+ Reviewed by Simon Fraser.
+
+ Each RenderTableSection maintains a grid of rows and columns. The number of columns in this grid equals the
+ maximum number of columns in the entire table (taking spans and multiple sections into account).
+ Since the maximum number of columns might change while re-computing the sections, we need to
+ adjust them accordingly at the end (otherwise it could lead to inconsistent grids where rows have different number of columns).
+
+ Test: fast/table/table-row-oveflow-crash.html
+
+ * rendering/RenderTable.cpp:
+ (WebCore::RenderTable::recalcSections const):
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::removeRedundantColumns):
+ * rendering/RenderTableSection.h:
+
2017-12-14 David Kilzer <[email protected]>
Enable -Wstrict-prototypes for WebKit
Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (225959 => 225960)
--- trunk/Source/WebCore/rendering/RenderTable.cpp 2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp 2017-12-15 04:22:47 UTC (rev 225960)
@@ -1111,6 +1111,10 @@
m_columns.resize(maxCols);
m_columnPos.resize(maxCols + 1);
+ // Now that we know the number of maximum number of columns, let's shrink the sections grids if needed.
+ for (auto& section : childrenOfType<RenderTableSection>(const_cast<RenderTable&>(*this)))
+ section.removeRedundantColumns();
+
ASSERT(selfNeedsLayout());
m_needsSectionRecalc = false;
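Review bot: The added comment reads "the number of maximum number of columns"; it should be "the maximum number of columns", and "sections grids" should be "section grids". The loop also needs `const_cast<RenderTable&>(*this)` to mutate the sections from a const method, and `removeRedundantColumns()` takes no argument and re-reads the count through `table()->numEffCols()`, which ties its result to whatever the table reports at that moment; passing `maxCols` as an argument would make the dependency on the value computed here explicit.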
Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (225959 => 225960)
--- trunk/Source/WebCore/rendering/RenderTableSection.cpp 2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp 2017-12-15 04:22:47 UTC (rev 225960)
@@ -1385,6 +1385,16 @@
setNeedsLayout();
}
+void RenderTableSection::removeRedundantColumns()
+{
+ auto maximumNumberOfColumns = table()->numEffCols();
+ for (auto& rowItem : m_grid) {
+ if (rowItem.row.size() <= maximumNumberOfColumns)
+ continue;
+ rowItem.row.resize(maximumNumberOfColumns);
+ }
+}
+
// FIXME: This function could be made O(1) in certain cases (like for the non-most-constrainive cells' case).
void RenderTableSection::rowLogicalHeightChanged(unsigned rowIndex)
{
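Review bot: `removeRedundantColumns()` only truncates rows that are longer than `table()->numEffCols()`; rows that are shorter are left as they are, although the log message describes any grid whose rows differ in column count as inconsistent. Either say in a comment why a shorter row cannot occur at this point, or add an ASSERT after the loop that every `rowItem.row.size()` matches the table's column count. Spelling out the type of `maximumNumberOfColumns` instead of `auto` would also make the comparison with `row.size()` easier to check.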
Modified: trunk/Source/WebCore/rendering/RenderTableSection.h (225959 => 225960)
--- trunk/Source/WebCore/rendering/RenderTableSection.h 2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTableSection.h 2017-12-15 04:22:47 UTC (rev 225960)
@@ -127,6 +127,7 @@
unsigned numColumns() const;
void recalcCells();
void recalcCellsIfNeeded();
+ void removeRedundantColumns();
bool needsCellRecalc() const { return m_needsCellRecalc; }
void setNeedsCellRecalc();
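Review bot: The new declaration `removeRedundantColumns()` has no comment, and the name alone does not say that it truncates each grid row to the table's effective column count or that it is meant to be called from `RenderTable::recalcSections`. A one-line comment here would help, as would restricting who can call it if this part of the class is public.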