WebCore:
authormitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2008 21:52:57 +0000 (21:52 +0000)
committermitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2008 21:52:57 +0000 (21:52 +0000)
        Reviewed by Dave Hyatt.

        - fix <rdar://problem/5615307> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren

        Test: fast/table/insert-row-before-form.html

        * rendering/RenderTableRow.cpp:
        (WebCore::RenderTableRow::addChild): Changed to ensure that the
        object a new cell is inserted before is a child of the row, and
        added an assertion that that object is either a cell or a form.
        * rendering/RenderTableSection.cpp:
        (WebCore::RenderTableSection::addChild): Changed to ensure that the
        object a new row is inserted before is a child of the table section, and
        added an assertion that that object is either a table row or a form.

LayoutTests:

        Reviewed by Dave Hyatt.

        - tests for <rdar://problem/5615307> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren

        * fast/table/insert-cell-before-form.html: Added.
        * fast/table/insert-row-before-form.html: Added.
        * platform/mac-leopard/fast/table: Added.
        * platform/mac-leopard/fast/table/insert-cell-before-form-expected.checksum: Added.
        * platform/mac-leopard/fast/table/insert-cell-before-form-expected.png: Added.
        * platform/mac-leopard/fast/table/insert-row-before-form-expected.checksum: Added.
        * platform/mac-leopard/fast/table/insert-row-before-form-expected.png: Added.
        * platform/mac/fast/table/insert-cell-before-form-expected.txt: Added.
        * platform/mac/fast/table/insert-row-before-form-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29646 268f45cc-cd09-0410-ab3c-d52691b4dbfc

12 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/table/insert-cell-before-form.html [new file with mode: 0644]
LayoutTests/fast/table/insert-row-before-form.html [new file with mode: 0644]
LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.checksum [new file with mode: 0644]
LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.png [new file with mode: 0644]
LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.checksum [new file with mode: 0644]
LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.png [new file with mode: 0644]
LayoutTests/platform/mac/fast/table/insert-cell-before-form-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac/fast/table/insert-row-before-form-expected.txt [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderTableRow.cpp
WebCore/rendering/RenderTableSection.cpp

index ed73579..d2f5523 100644 (file)
@@ -1,3 +1,19 @@
+2008-01-18  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        - tests for <rdar://problem/5615307> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren
+
+        * fast/table/insert-cell-before-form.html: Added.
+        * fast/table/insert-row-before-form.html: Added.
+        * platform/mac-leopard/fast/table: Added.
+        * platform/mac-leopard/fast/table/insert-cell-before-form-expected.checksum: Added.
+        * platform/mac-leopard/fast/table/insert-cell-before-form-expected.png: Added.
+        * platform/mac-leopard/fast/table/insert-row-before-form-expected.checksum: Added.
+        * platform/mac-leopard/fast/table/insert-row-before-form-expected.png: Added.
+        * platform/mac/fast/table/insert-cell-before-form-expected.txt: Added.
+        * platform/mac/fast/table/insert-row-before-form-expected.txt: Added.
+
 2008-01-18  Beth Dakin  <bdakin@apple.com>
 
         Checked in new results for another test affected by disabling SVG 
diff --git a/LayoutTests/fast/table/insert-cell-before-form.html b/LayoutTests/fast/table/insert-cell-before-form.html
new file mode 100644 (file)
index 0000000..eb1410b
--- /dev/null
@@ -0,0 +1,33 @@
+<p>
+    Test for <i><a href="rdar://problem/5615307">rdar://problem/5615307</a> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren</i>.
+</p>
+<p>
+    There should be a line of green text below.
+</p>
+<table style="color: red;">
+    <tbody>
+        <tr>
+            <td>
+                <table>
+                    <tbody>
+                        <tr style="color: green;">
+                            <td id="target" style="display: none;">
+                                This should be green.
+                            </td>
+                            <form>
+                            </form>
+                        </tr>
+                    </tbody>
+                </table>
+            </td>
+        </tr>
+    </tbody>
+</table>
+<script>
+    function test()
+    {
+        document.getElementById("target").style.display = "";
+    }
+
+    test();
+</script>
diff --git a/LayoutTests/fast/table/insert-row-before-form.html b/LayoutTests/fast/table/insert-row-before-form.html
new file mode 100644 (file)
index 0000000..5b010d2
--- /dev/null
@@ -0,0 +1,33 @@
+<p>
+    Test for <i><a href="rdar://problem/5615307">rdar://problem/5615307</a> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren</i>.
+</p>
+<p>
+    There should be a line of green text below.
+</p>
+<table style="color: red;">
+    <tbody>
+        <tr>
+            <td>
+                <table style="color: green;">
+                    <tbody>
+                        <tr id="target" style="display: none;">
+                            <td>
+                                This should be green.
+                            </td>
+                        </tr>
+                        <form>
+                        </form>
+                    </tbody>
+                </table>
+            </td>
+        </tr>
+    </tbody>
+</table>
+<script>
+    function test()
+    {
+        document.getElementById("target").style.display = "";
+    }
+
+    test();
+</script>
diff --git a/LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.checksum b/LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.checksum
new file mode 100644 (file)
index 0000000..8d9749e
--- /dev/null
@@ -0,0 +1 @@
+b5c1370884cd3581a64043bb703c7e0f
\ No newline at end of file
diff --git a/LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.png b/LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.png
new file mode 100644 (file)
index 0000000..5af68e5
Binary files /dev/null and b/LayoutTests/platform/mac-leopard/fast/table/insert-cell-before-form-expected.png differ
diff --git a/LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.checksum b/LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.checksum
new file mode 100644 (file)
index 0000000..8d9749e
--- /dev/null
@@ -0,0 +1 @@
+b5c1370884cd3581a64043bb703c7e0f
\ No newline at end of file
diff --git a/LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.png b/LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.png
new file mode 100644 (file)
index 0000000..5af68e5
Binary files /dev/null and b/LayoutTests/platform/mac-leopard/fast/table/insert-row-before-form-expected.png differ
diff --git a/LayoutTests/platform/mac/fast/table/insert-cell-before-form-expected.txt b/LayoutTests/platform/mac/fast/table/insert-cell-before-form-expected.txt
new file mode 100644 (file)
index 0000000..c45276e
--- /dev/null
@@ -0,0 +1,30 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderBlock {P} at (0,0) size 784x18
+        RenderText {#text} at (0,0) size 53x18
+          text run at (0,0) width 53: "Test for "
+        RenderInline {I} at (0,0) size 652x18
+          RenderInline {A} at (0,0) size 154x18 [color=#0000EE]
+            RenderText {#text} at (53,0) size 154x18
+              text run at (53,0) width 154: "rdar://problem/5615307"
+          RenderText {#text} at (207,0) size 498x18
+            text run at (207,0) width 498: " Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren"
+        RenderText {#text} at (705,0) size 4x18
+          text run at (705,0) width 4: "."
+      RenderBlock {P} at (0,34) size 784x18
+        RenderText {#text} at (0,0) size 270x18
+          text run at (0,0) width 270: "There should be a line of green text below."
+      RenderTable {TABLE} at (0,68) size 148x30 [color=#FF0000]
+        RenderTableSection {TBODY} at (0,0) size 148x30
+          RenderTableRow {TR} at (0,2) size 148x26
+            RenderTableCell {TD} at (2,2) size 144x26 [r=0 c=0 rs=1 cs=1]
+              RenderTable {TABLE} at (1,1) size 142x24 [color=#000000]
+                RenderTableSection {TBODY} at (0,0) size 142x24
+                  RenderTableRow {TR} at (0,2) size 142x20 [color=#008000]
+                    RenderTableCell {TD} at (2,2) size 138x20 [r=0 c=0 rs=1 cs=1]
+                      RenderText {#text} at (1,1) size 136x18
+                        text run at (1,1) width 136: "This should be green."
+                    RenderBlock {FORM} at (0,0) size 0x0
diff --git a/LayoutTests/platform/mac/fast/table/insert-row-before-form-expected.txt b/LayoutTests/platform/mac/fast/table/insert-row-before-form-expected.txt
new file mode 100644 (file)
index 0000000..5c52dae
--- /dev/null
@@ -0,0 +1,30 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderBlock {P} at (0,0) size 784x18
+        RenderText {#text} at (0,0) size 53x18
+          text run at (0,0) width 53: "Test for "
+        RenderInline {I} at (0,0) size 652x18
+          RenderInline {A} at (0,0) size 154x18 [color=#0000EE]
+            RenderText {#text} at (53,0) size 154x18
+              text run at (53,0) width 154: "rdar://problem/5615307"
+          RenderText {#text} at (207,0) size 498x18
+            text run at (207,0) width 498: " Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren"
+        RenderText {#text} at (705,0) size 4x18
+          text run at (705,0) width 4: "."
+      RenderBlock {P} at (0,34) size 784x18
+        RenderText {#text} at (0,0) size 270x18
+          text run at (0,0) width 270: "There should be a line of green text below."
+      RenderTable {TABLE} at (0,68) size 148x30 [color=#FF0000]
+        RenderTableSection {TBODY} at (0,0) size 148x30
+          RenderTableRow {TR} at (0,2) size 148x26
+            RenderTableCell {TD} at (2,2) size 144x26 [r=0 c=0 rs=1 cs=1]
+              RenderTable {TABLE} at (1,1) size 142x24 [color=#008000]
+                RenderTableSection {TBODY} at (0,0) size 142x24
+                  RenderTableRow {TR} at (0,2) size 142x20
+                    RenderTableCell {TD} at (2,2) size 138x20 [r=0 c=0 rs=1 cs=1]
+                      RenderText {#text} at (1,1) size 136x18
+                        text run at (1,1) width 136: "This should be green."
+                  RenderBlock {FORM} at (0,0) size 142x0
index 3031120..99acddc 100644 (file)
@@ -1,3 +1,20 @@
+2008-01-18  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        - fix <rdar://problem/5615307> Repro crash in WebKit!WebCore::RenderContainer::destroyLeftoverChildren
+
+        Test: fast/table/insert-row-before-form.html
+
+        * rendering/RenderTableRow.cpp:
+        (WebCore::RenderTableRow::addChild): Changed to ensure that the
+        object a new cell is inserted before is a child of the row, and
+        added an assertion that that object is either a cell or a form.
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::addChild): Changed to ensure that the
+        object a new row is inserted before is a child of the table section, and
+        added an assertion that that object is either a table row or a form.
+
 2008-01-18  Geoffrey Garen  <ggaren@apple.com>
 
         Reviewed by Brady Eidson.
index 9289dec..ab4c907 100644 (file)
@@ -103,7 +103,7 @@ void RenderTableRow::addChild(RenderObject* child, RenderObject* beforeChild)
     } 
     
     // If the next renderer is actually wrapped in an anonymous table cell, we need to go up and find that.
-    while (beforeChild && !beforeChild->isTableCell())
+    while (beforeChild && beforeChild->parent() != this)
         beforeChild = beforeChild->parent();
 
     RenderTableCell* cell = static_cast<RenderTableCell*>(child);
@@ -112,6 +112,7 @@ void RenderTableRow::addChild(RenderObject* child, RenderObject* beforeChild)
     if (parent())
         section()->addCell(cell, this);
 
+    ASSERT(!beforeChild || beforeChild->isTableCell() || isTableRow && beforeChild->element() && beforeChild->element()->hasTagName(formTag) && document()->isHTMLDocument());
     RenderContainer::addChild(cell, beforeChild);
 
     if (beforeChild || nextSibling())
index 36d13aa..1a51fc6 100644 (file)
@@ -152,9 +152,10 @@ void RenderTableSection::addChild(RenderObject* child, RenderObject* beforeChild
     }
 
     // If the next renderer is actually wrapped in an anonymous table row, we need to go up and find that.
-    while (beforeChild && !beforeChild->isTableRow())
+    while (beforeChild && beforeChild->parent() != this)
         beforeChild = beforeChild->parent();
 
+    ASSERT(!beforeChild || beforeChild->isTableRow() || isTableSection && beforeChild->element() && beforeChild->element()->hasTagName(formTag) && document()->isHTMLDocument());
     RenderContainer::addChild(child, beforeChild);
 }