LayoutTests:
authorantti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Jul 2007 18:29:30 +0000 (18:29 +0000)
committerantti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Jul 2007 18:29:30 +0000 (18:29 +0000)
        Reviewed by Darin.

        Test for x <rdar://problem/5333387>
        Combination of selection and click() on checkbox crashes

        * fast/dynamic/checkbox-selection-crash-expected.txt: Added.
        * fast/dynamic/checkbox-selection-crash.html: Added.

WebCore:

        Reviewed by Darin.

        Fix <rdar://problem/5333387>
        Combination of selection and click() on checkbox crashes

        Ensure there is no pending style update before doing synchronous paint. Under certain
        circumstances this ends up doing style recalc in middle of paint() which may
        for example tear down the rendering tree being painted, with bad results.

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::setActive):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@24266 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dynamic/checkbox-selection-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dynamic/checkbox-selection-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/ContainerNode.cpp

index c651956820fa5d026ab1ed0c5e6966a30f51e791..2d2a04c08c74685240d17920c29700919fed1e01 100644 (file)
@@ -1,3 +1,13 @@
+2007-07-13  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Test for x <rdar://problem/5333387>
+        Combination of selection and click() on checkbox crashes
+
+        * fast/dynamic/checkbox-selection-crash-expected.txt: Added.
+        * fast/dynamic/checkbox-selection-crash.html: Added.
+
 2007-07-13  Antti Koivisto  <antti@apple.com>
 
         Reviewed by Adele.
diff --git a/LayoutTests/fast/dynamic/checkbox-selection-crash-expected.txt b/LayoutTests/fast/dynamic/checkbox-selection-crash-expected.txt
new file mode 100644 (file)
index 0000000..e9abebd
--- /dev/null
@@ -0,0 +1,2 @@
+Loading this page should not crash.
+..
diff --git a/LayoutTests/fast/dynamic/checkbox-selection-crash.html b/LayoutTests/fast/dynamic/checkbox-selection-crash.html
new file mode 100644 (file)
index 0000000..1da71aa
--- /dev/null
@@ -0,0 +1,28 @@
+<head>
+<style>
+.gone { display:none }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<body>
+Loading this page should not crash.
+<table>
+<td id=td1>
+.<input id=cb type="checkbox">.
+</table>
+<script>
+    var sel = window.getSelection();
+    var td1 = document.getElementById('td1')
+    // having selection triggers Document::updateRendering() from paint()
+    sel.setBaseAndExtent(td1, 0, td1, 1000);
+    // this causes style recalc and rendering tree tear down (from updateRendering) in middle of painting, which crashes
+    document.body.setAttribute('class','gone');
+    var cb = document.getElementById('cb')
+    // this triggers synchronous paint() 
+    cb.click();  
+    document.body.setAttribute('class','');  
+</script>
+</body>
+
index 7fd05c61537926199ee4e11f477da9b77fb21d74..af732e06d1db3353675d8d72bd5d07cb3619ecc4 100644 (file)
@@ -1,3 +1,17 @@
+2007-07-13  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Fix <rdar://problem/5333387>
+        Combination of selection and click() on checkbox crashes
+        
+        Ensure there is no pending style update before doing synchronous paint. Under certain
+        circumstances this ends up doing style recalc in middle of paint() which may
+        for example tear down the rendering tree being painted, with bad results.
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::setActive):
+
 2007-07-13  Antti Koivisto  <antti@apple.com>
 
         Reviewed by Adele.
index b002598217fac9ce0e47a531c8c2ddca1efef876..8c9c6c98074c09479380190b53e83f8cb1ec08af 100644 (file)
@@ -826,8 +826,11 @@ void ContainerNode::setActive(bool down, bool pause)
             double startTime = currentTime();
 #endif
 
+            // Ensure there are no pending changes
+            Document::updateDocumentsRendering();
             // Do an immediate repaint.
-            renderer()->repaint(true);
+            if (renderer())
+                renderer()->repaint(true);
             
             // FIXME: Find a substitute for usleep for Win32.
             // Better yet, come up with a way of doing this that doesn't use this sort of thing at all.