Crash in RenderTableSection::paintCell.
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2012 00:28:23 +0000 (00:28 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2012 00:28:23 +0000 (00:28 +0000)
commit 8b92f672f11da8c58e451740be84390bf6384893
tree 493e4cc7634ce1cf6f445a208d34d136e1f0d0cf
parent b46421119e3b3444ce9ce97b469a808d809f24d9
Crash in RenderTableSection::paintCell.
https://bugs.webkit.org/show_bug.cgi?id=87445

Reviewed by Eric Seidel and Julien Chaffraix.

Source/WebCore:

Fix the crash by preventing table parts from being set
as layout root. This prevents us from accessing removed
table cells which can happen if RenderTableSection::layout
is called directly without calling RenderTable::layout first
(in case of cell recalc).

Add ASSERTs to RenderTableSection::layout to prevent
layout from happening when we are already pending cell recalc
or our table is pending section recalc. In those cases,
RenderTable::layout should be called first to relayout
the entire table.

Test: tables/table-section-overflow-clip-crash.html

* rendering/RenderObject.cpp:
(WebCore::objectIsRelayoutBoundary):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::layout):

LayoutTests:

* tables/table-section-overflow-clip-crash-expected.txt: Added.
* tables/table-section-overflow-clip-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@118592 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/tables/table-section-overflow-clip-crash-expected.txt [new file with mode: 0644]
LayoutTests/tables/table-section-overflow-clip-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderTableSection.cpp