[webkit-changes] [133219] branches/safari-536.28-branch

Thu, 01 Nov 2012 13:28:50 -0700

Title: [133219] branches/safari-536.28-branch

Diff

Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133218 => 133219)


--- branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 20:30:04 UTC (rev 133218)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 20:30:15 UTC (rev 133219)
@@ -1,5 +1,24 @@
 2012-10-31  Lucas Forschler  <[email protected]>
 
+        Merge r123062
+
+    2012-07-18  Julien Chaffraix  <[email protected]>
+
+            Crash in RenderTableSection::addCell.
+            http://webkit.org/b/89496
+
+            Reviewed by Abhishek Arya.
+
+            The test is still pretty complex as it involves lots of generated content. It should
+            be possible to get a smaller test case based on the conditions for the crash. However
+            this test is a pretty good stress test so I decided against creating a more simple test
+            case.
+
+            * fast/table/split-table-no-section-update-crash-expected.txt: Added.
+            * fast/table/split-table-no-section-update-crash.html: Added.
+
+2012-10-31  Lucas Forschler  <[email protected]>
+
         Merge r122755
 
     2012-07-16  Florin Malita  <[email protected]>
@@ -10583,3 +10602,4 @@
 .
 .
 .
+.

Copied: branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash-expected.txt (from rev 123062, trunk/LayoutTests/fast/table/split-table-no-section-update-crash-expected.txt) (0 => 133219)


--- branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash-expected.txt	2012-11-01 20:30:15 UTC (rev 133219)
@@ -0,0 +1,6 @@
+Test for bug 89496: Crash in RenderTableSection::addCell.
+
+This test passes if it doesn't CRASH or ASSERT.
+
+Lorem Ipsum
+

Copied: branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash.html (from rev 123062, trunk/LayoutTests/fast/table/split-table-no-section-update-crash.html) (0 => 133219)


--- branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash.html	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/table/split-table-no-section-update-crash.html	2012-11-01 20:30:15 UTC (rev 133219)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+    :after { display: table-cell; content: "Foo"; }
+    :first-child { display: table-cell; }
+    :before { display: table-column; content: "Bar"; }
+</style>
+<script type="text/_javascript_"> 
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function crash(event) {
+    newContent = document.createTextNode("Lorem Ipsum");
+    var divElement = document.createElement("div");
+    divElement.appendChild(newContent);
+    divElement.appendChild(document.createElement("div"));
+    document.getElementById("target").appendChild(divElement);
+
+    // For some reason, DRT dumps the <style> so remove it here to clean the dump.
+    var style = document.getElementsByTagName("style")[0];
+    style.parentNode.removeChild(style);
+}
+
+window.addEventListener("load", crash, false)
+</script>
+</head>
+<body id="target">
+<p>Test for bug <a href="" Crash in RenderTableSection::addCell.</p>
+<p>This test passes if it doesn't CRASH or ASSERT.</p>
+</body>
+</html>

Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133218 => 133219)


--- branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 20:30:04 UTC (rev 133218)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 20:30:15 UTC (rev 133219)
@@ -1,5 +1,38 @@
 2012-10-31  Lucas Forschler  <[email protected]>
 
+        Merge r123062
+
+    2012-07-18  Julien Chaffraix  <[email protected]>
+
+            Crash in RenderTableSection::addCell.
+            http://webkit.org/b/89496
+
+            Reviewed by Abhishek Arya.
+
+            The issue comes from RenderBox::splitAnonymousBoxesAroundChild that would move sections
+            across tables but didn't force the table to do a synchronous section recalc. This opened
+            the way for race conditions where we would query the table column structure while it's dirty
+            (this is not uncommon but as usually the table's column representation is always bigger or
+            more split than a section's, it's usually harmless).
+
+            The fix is to force a synchronous section recalc.
+
+            Test: fast/table/split-table-no-section-update-crash.html
+
+            * rendering/RenderBox.cpp:
+            (WebCore::markBoxForRelayoutAfterSplit):
+            Changed to call forceSectionsRecalc ie force a section recalc.
+
+            * rendering/RenderTable.cpp:
+            (WebCore::RenderTable::recalcSections):
+            Added missing ASSERT for unneeded calls.
+
+            * rendering/RenderTable.h:
+            (WebCore::RenderTable::forceSectionsRecalc):
+            Added this helper function.
+
+2012-10-31  Lucas Forschler  <[email protected]>
+
         Merge r122755
 
     2012-07-16  Florin Malita  <[email protected]>
@@ -205773,3 +205806,4 @@
 .
 .
 .
+.

Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp (133218 => 133219)


--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp	2012-11-01 20:30:04 UTC (rev 133218)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp	2012-11-01 20:30:15 UTC (rev 133219)
@@ -4014,9 +4014,11 @@
 {
     // FIXME: The table code should handle that automatically. If not,
     // we should fix it and remove the table part checks.
-    if (box->isTable())
-        toRenderTable(box)->setNeedsSectionRecalc();
-    else if (box->isTableSection())
+    if (box->isTable()) {
+        // Because we may have added some sections with already computed column structures, we need to
+        // sync the table structure with them now. This avoids crashes when adding new cells to the table.
+        toRenderTable(box)->forceSectionsRecalc();
+    } else if (box->isTableSection())
         toRenderTableSection(box)->setNeedsCellRecalc();
 
     box->setNeedsLayoutAndPrefWidthsRecalc();

Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.cpp (133218 => 133219)


--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.cpp	2012-11-01 20:30:04 UTC (rev 133218)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.cpp	2012-11-01 20:30:15 UTC (rev 133219)
@@ -786,6 +786,8 @@
 
 void RenderTable::recalcSections() const
 {
+    ASSERT(m_needsSectionRecalc);
+
     m_head = 0;
     m_foot = 0;
     m_firstBody = 0;

Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.h (133218 => 133219)


--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.h	2012-11-01 20:30:04 UTC (rev 133218)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderTable.h	2012-11-01 20:30:15 UTC (rev 133219)
@@ -135,6 +135,12 @@
         unsigned span;
     };
 
+    void forceSectionsRecalc()
+    {
+        setNeedsSectionRecalc();
+        recalcSections();
+    }
+
     Vector<ColumnStruct>& columns() { return m_columns; }
     Vector<int>& columnPositions() { return m_columnPos; }
     RenderTableSection* header() const { return m_head; }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to