Title: [133484] branches/safari-536.28-branch
- Revision
- 133484
- Author
- [email protected]
- Date
- 2012-11-05 08:48:14 -0800 (Mon, 05 Nov 2012)
Log Message
Merged r125234. <rdar://problem/12536433>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133483 => 133484)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-05 16:32:07 UTC (rev 133483)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-05 16:48:14 UTC (rev 133484)
@@ -1,5 +1,19 @@
2012-11-05 Lucas Forschler <[email protected]>
+ Merge r125234
+
+ 2012-08-09 Julien Chaffraix <[email protected]>
+
+ Crash in WebCore::RenderTable::cellBefore
+ https://bugs.webkit.org/show_bug.cgi?id=91160
+
+ Reviewed by Abhishek Arya.
+
+ * fast/table/split-anonymous-boxes-around-table-repaint-crash-expected.txt: Added.
+ * fast/table/split-anonymous-boxes-around-table-repaint-crash.html: Added.
+
+2012-11-05 Lucas Forschler <[email protected]>
+
Merge r125162
2012-08-09 MORITA Hajime <[email protected]>
@@ -10981,3 +10995,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash-expected.txt (from rev 125234, trunk/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash-expected.txt) (0 => 133484)
--- branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash-expected.txt 2012-11-05 16:48:14 UTC (rev 133484)
@@ -0,0 +1,2 @@
+Bug 91160: Crash in WebCore::RenderTable::cellBefore
+PASS. WebKit didn't crash
Copied: branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash.html (from rev 125234, trunk/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash.html) (0 => 133484)
--- branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/table/split-anonymous-boxes-around-table-repaint-crash.html 2012-11-05 16:48:14 UTC (rev 133484)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<style>
+.table {
+ display: table;
+ border-collapse: collapse;
+}
+.tableCell {
+ display: table-cell;
+}
+.tableRowGroup {
+ border-style: solid solid solid none;
+ display: table-row-group;
+}
+</style>
+<body style="-webkit-writing-mode: vertical-rl;">
+<div class="table">
+ A
+ <span id="span1"></span>
+ <span class="tableCell"></span>
+<div>
+</div>
+<div class="tableRowGroup">B</div>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.body.offsetTop;
+span1.style.display = "table-footer-group";
+
+document.body.offsetTop;
+document.body.innerHTML = "Bug <a href=''>91160</a>: Crash in WebCore::RenderTable::cellBefore<br>PASS. WebKit didn't crash";
+</script>
+</body>
+</html>
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133483 => 133484)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-05 16:32:07 UTC (rev 133483)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-05 16:48:14 UTC (rev 133484)
@@ -1,5 +1,29 @@
2012-11-05 Lucas Forschler <[email protected]>
+ Merge r125234
+
+ 2012-08-09 Julien Chaffraix <[email protected]>
+
+ Crash in WebCore::RenderTable::cellBefore
+ https://bugs.webkit.org/show_bug.cgi?id=91160
+
+ Reviewed by Abhishek Arya.
+
+ The issue was that we wouldn't properly set the row index on row in a newly split table. When inserting
+ the cell into the new row, we would try to repaint the cell which would access the row index and crash.
+ This came from splitAnonymousBoxesAroundChild calling RenderObjectChildList::insertChildNode directly
+ which doesn't invoke the row setting logic (RenderTableSection::addChild for example but we cannot call
+ addChild due to concern over splitting flows in the general case).
+
+ Test: fast/table/split-anonymous-boxes-around-table-repaint-crash.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::splitAnonymousBoxesAroundChild):
+ Dirty our parent box, which forces a cell recomputation which will set the row index. This needs to
+ be done *before* we insert the child to avoid crashing when repainting the new child.
+
+2012-11-05 Lucas Forschler <[email protected]>
+
Merge r125162
2012-08-09 MORITA Hajime <[email protected]>
@@ -206503,3 +206527,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp (133483 => 133484)
--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp 2012-11-05 16:32:07 UTC (rev 133483)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderBox.cpp 2012-11-05 16:48:14 UTC (rev 133484)
@@ -4038,6 +4038,10 @@
RenderBox* postBox = boxToSplit->createAnonymousBoxWithSameTypeAs(this);
postBox->setChildrenInline(boxToSplit->childrenInline());
RenderBox* parentBox = toRenderBox(boxToSplit->parent());
+ // We need to invalidate the |parentBox| before inserting the new node
+ // so that the table repainting logic knows the structure is dirty.
+ // See for example RenderTableCell:clippedOverflowRectForRepaint.
+ markBoxForRelayoutAfterSplit(parentBox);
parentBox->virtualChildren()->insertChildNode(parentBox, postBox, boxToSplit->nextSibling());
boxToSplit->moveChildrenTo(postBox, beforeChild, 0, true);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
