Crash in WebCore::RenderTableSection::addChild due to assert failure
author fsamuel@chromium.org <fsamuel@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2011 19:10:58 +0000 (19:10 +0000)
committer fsamuel@chromium.org <fsamuel@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Oct 2011 19:10:58 +0000 (19:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=70678

Reviewed by David Hyatt.

Source/WebCore:

Tests: fast/table/table-anonymous-cell-bug.html
       fast/table/table-anonymous-row-bug.html
       fast/table/table-anonymous-section-bug.html

If the child being added is not a Section/Row/Cell, and the previous sibling is not anonymous,
we need to create a new anonymous Section/Row/Cell respectively, instead of failing an
assert.

* rendering/RenderTable.cpp:
(WebCore::RenderTable::addChild):
* rendering/RenderTableRow.cpp:
(WebCore::RenderTableRow::addChild):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::addChild):

LayoutTests:

If the child being added is not a Section/Row/Cell, and the previous sibling is not anonymous,
we need to create a new anonymous Section/Row/Cell respectively, instead of failing an
assert.

* fast/table/table-anonymous-cell-bug-expected.txt: Added.
* fast/table/table-anonymous-cell-bug.html: Added.
* fast/table/table-anonymous-row-bug-expected.txt: Added.
* fast/table/table-anonymous-row-bug.html: Added.
* fast/table/table-anonymous-section-bug-expected.txt: Added.
* fast/table/table-anonymous-section-bug.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@98372 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/table/table-anonymous-cell-bug-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/table-anonymous-cell-bug.html [new file with mode: 0644]
LayoutTests/fast/table/table-anonymous-row-bug-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/table-anonymous-row-bug.html [new file with mode: 0644]
LayoutTests/fast/table/table-anonymous-section-bug-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/table-anonymous-section-bug.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderTable.cpp
Source/WebCore/rendering/RenderTableRow.cpp
Source/WebCore/rendering/RenderTableSection.cpp

index 76ad399289b458f84d217416a1bf60dcb7eb2620..63c013e530e6448108ef640fa5cf149d63971ca7 100644 (file)
@@ -1,3 +1,21 @@
+2011-10-25  Fady Samuel  <fsamuel@chromium.org>
+
+        Crash in WebCore::RenderTableSection::addChild due to assert failure
+        https://bugs.webkit.org/show_bug.cgi?id=70678
+
+        Reviewed by David Hyatt.
+
+        If the child being added is not a Section/Row/Cell, and the previous sibling is not anonymous, 
+        we need to create a new anonymous Section/Row/Cell respectively, instead of failing an
+        assert.
+
+        * fast/table/table-anonymous-cell-bug-expected.txt: Added.
+        * fast/table/table-anonymous-cell-bug.html: Added.
+        * fast/table/table-anonymous-row-bug-expected.txt: Added.
+        * fast/table/table-anonymous-row-bug.html: Added.
+        * fast/table/table-anonymous-section-bug-expected.txt: Added.
+        * fast/table/table-anonymous-section-bug.html: Added.
+
 2011-10-25  Zoltan Herczeg  <zherczeg@webkit.org>
 
         Add new uri tokenizer tests
diff --git a/LayoutTests/fast/table/table-anonymous-cell-bug-expected.txt b/LayoutTests/fast/table/table-anonymous-cell-bug-expected.txt
new file mode 100644 (file)
index 0000000..d4fd53b
--- /dev/null
@@ -0,0 +1,14 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x66
+  RenderBlock {HTML} at (0,0) size 800x66
+    RenderBody {BODY} at (8,8) size 784x50
+      RenderTable {DIV} at (0,0) size 260x50
+        RenderTableSection {DIV} at (0,0) size 260x50
+          RenderTableRow {DIV} at (0,0) size 260x50
+            RenderTableCell {DIV} at (0,0) size 50x0 [bgcolor=#0000FF] [r=0 c=0 rs=1 cs=1]
+            RenderTableCell (anonymous) at (50,0) size 160x16 [r=0 c=1 rs=1 cs=1]
+              RenderInline {SPAN} at (0,0) size 160x16
+                RenderText {#text} at (0,0) size 160x16
+                  text run at (0,0) width 160: "Some text."
+            RenderTableCell {DIV} at (210,0) size 50x0 [bgcolor=#0000FF] [r=0 c=2 rs=1 cs=1]
diff --git a/LayoutTests/fast/table/table-anonymous-cell-bug.html b/LayoutTests/fast/table/table-anonymous-cell-bug.html
new file mode 100644 (file)
index 0000000..bf5d4c0
--- /dev/null
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+<body style="font-family: ahem; -webkit-font-smoothing: none;">
+<style>
+    div.table { display: table; }
+    div.section { display: table-row-group; }
+    div.cell { display: table-cell; width: 50px; height: 50px; background-color: blue; }
+    div.row { display: table-row; }
+</style>
+
+<div class="table" id="table-1">
+  <div class="section" id="tbody-1">
+    <div class="row" id="row-1">
+      <div class="cell" id="cell-1"></div>
+      <div class="cell" id="cell-2"></div>
+    </div>
+  </div>
+</div>
+
+<script>
+    function createSpan()
+    {
+      var spanElement = document.createElement("span");
+      spanElement.appendChild(document.createTextNode("Some text."));
+      return spanElement;
+    }
+
+    function insertSpan(tableID, beforeID)
+    {
+        var tableRow = document.getElementById(tableID);
+        var before = document.getElementById(beforeID);
+        tableRow.insertBefore(createSpan(), before);
+    }
+
+    document.body.offsetTop;
+
+    insertSpan("row-1", "cell-2");
+</script>
+</body>
+</html>
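Review bot: insertSpan()'s first parameter is named tableID, but the only call passes "row-1" and the local it fills is called tableRow; rename the parameter (for example parentID) so the helper reads correctly. The bare `document.body.offsetTop;` statement also needs a one-line comment saying that it forces a layout before the insertion and why the test needs that, otherwise it looks like dead code and is likely to be removed in a later cleanup. The style element sits inside body; moving it into a head keeps the markup valid.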
diff --git a/LayoutTests/fast/table/table-anonymous-row-bug-expected.txt b/LayoutTests/fast/table/table-anonymous-row-bug-expected.txt
new file mode 100644 (file)
index 0000000..70c0d4d
--- /dev/null
@@ -0,0 +1,20 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x132
+  RenderBlock {HTML} at (0,0) size 800x132
+    RenderBody {BODY} at (8,8) size 784x116
+      RenderTable {DIV} at (0,0) size 160x116
+        RenderTableSection (anonymous) at (0,0) size 160x116
+          RenderTableRow {DIV} at (0,0) size 160x50
+            RenderTableCell {DIV} at (0,0) size 160x16 [bgcolor=#0000FF] [r=0 c=0 rs=1 cs=1]
+              RenderText {#text} at (0,0) size 96x16
+                text run at (0,0) width 96: "Cell 1"
+          RenderTableRow (anonymous) at (0,50) size 160x16
+            RenderTableCell (anonymous) at (0,50) size 160x16 [r=1 c=0 rs=1 cs=1]
+              RenderInline {SPAN} at (0,0) size 160x16
+                RenderText {#text} at (0,0) size 160x16
+                  text run at (0,0) width 160: "Some text."
+          RenderTableRow {DIV} at (0,66) size 160x50
+            RenderTableCell {DIV} at (0,66) size 160x16 [bgcolor=#0000FF] [r=2 c=0 rs=1 cs=1]
+              RenderText {#text} at (0,0) size 96x16
+                text run at (0,0) width 96: "Cell 2"
diff --git a/LayoutTests/fast/table/table-anonymous-row-bug.html b/LayoutTests/fast/table/table-anonymous-row-bug.html
new file mode 100644 (file)
index 0000000..e80cf78
--- /dev/null
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<body style="font-family: ahem; -webkit-font-smoothing: none;">
+<style>
+    div.table { display: table; }
+    div.cell { display: table-cell; width: 50px; height: 50px; background-color: blue; }
+    div.row { display: table-row; }
+</style>
+
+<div class="table" id="table-1">
+    <div class="row" id="row-1">
+      <div class="cell">Cell 1</div>
+    </div>
+    <div class="row" id="row-2">
+      <div class="cell">Cell 2</div>
+    </div>
+</div>
+
+<script>
+    function createSpan()
+    {
+      var spanElement = document.createElement("span");
+      spanElement.appendChild(document.createTextNode("Some text."));
+      return spanElement;
+    }
+
+    function insertSpan(tableID, beforeID)
+    {
+        var table = document.getElementById(tableID);
+        var before = document.getElementById(beforeID);
+        table.insertBefore(createSpan(), before);
+    }
+
+    document.body.offsetTop;
+
+    insertSpan("table-1", "row-2");
+</script>
+</body>
+</html>
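Review bot: createSpan() and insertSpan() are copied verbatim from table-anonymous-cell-bug.html and appear a third time in table-anonymous-section-bug.html; put them in one shared script that the three tests include, so a later fix to the helper lands in all of them. The file also carries no text or comment saying what is being tested or what a pass looks like; a short comment naming bug 70678 and the expected outcome (the span wrapped in an anonymous row between row-1 and row-2, no assert) would make a failing result interpretable without the ChangeLog.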
diff --git a/LayoutTests/fast/table/table-anonymous-section-bug-expected.txt b/LayoutTests/fast/table/table-anonymous-section-bug-expected.txt
new file mode 100644 (file)
index 0000000..06594b8
--- /dev/null
@@ -0,0 +1,14 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x32
+  RenderBlock {HTML} at (0,0) size 800x32
+    RenderBody {BODY} at (8,8) size 784x16
+      RenderTable {DIV} at (0,0) size 160x16
+        RenderTableSection {DIV} at (0,0) size 160x0
+        RenderTableSection (anonymous) at (0,0) size 160x16
+          RenderTableRow (anonymous) at (0,0) size 160x16
+            RenderTableCell (anonymous) at (0,0) size 160x16 [r=0 c=0 rs=1 cs=1]
+              RenderInline {SPAN} at (0,0) size 160x16
+                RenderText {#text} at (0,0) size 160x16
+                  text run at (0,0) width 160: "Some text."
+        RenderTableSection {DIV} at (0,16) size 160x0
diff --git a/LayoutTests/fast/table/table-anonymous-section-bug.html b/LayoutTests/fast/table/table-anonymous-section-bug.html
new file mode 100644 (file)
index 0000000..fb0f73a
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<body style="font-family: ahem; -webkit-font-smoothing: none;">
+<style>
+    div.table { display: table; }
+    div.section { display: table-row-group; }
+</style>
+
+<div class="table" id="table-1">
+    <div class="section" id="tbody-1">
+    </div>
+    <div class="section" id="tbody-2">
+    </div>
+</div>
+
+<script>
+    function createSpan()
+    {
+      var spanElement = document.createElement("span");
+      spanElement.appendChild(document.createTextNode("Some text."));
+      return spanElement;
+    }
+
+    function insertSpan(tableID, beforeID)
+    {
+        var table = document.getElementById(tableID);
+        var before = document.getElementById(beforeID);
+        table.insertBefore(createSpan(), before);
+    }
+
+    document.body.offsetTop;
+
+    insertSpan("table-1", "tbody-2");
+</script>
+</body>
+</html>
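Review bot: the script makes a single insertSpan("table-1", "tbody-2") call, so the test covers only the new path where the previous sibling (tbody-1) is not anonymous. A second identical call would find the anonymous section created by the first call as the previous sibling of tbody-2 and would exercise the retained `section->isAnonymous()` branch in RenderTable::addChild, confirming that both spans end up in the same anonymous section rather than in two.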
index fa463c3c199eee7ad71f176269351172d37406ac..71be84a91f00d438c977319be7801a4307fc72dc 100644 (file)
@@ -1,3 +1,25 @@
+2011-10-25  Fady Samuel  <fsamuel@chromium.org>
+
+        Crash in WebCore::RenderTableSection::addChild due to assert failure
+        https://bugs.webkit.org/show_bug.cgi?id=70678
+
+        Reviewed by David Hyatt.
+
+        Tests: fast/table/table-anonymous-cell-bug.html
+               fast/table/table-anonymous-row-bug.html
+               fast/table/table-anonymous-section-bug.html
+
+        If the child being added is not a Section/Row/Cell, and the previous sibling is not anonymous, 
+        we need to create a new anonymous Section/Row/Cell respectively, instead of failing an
+        assert.
+
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::addChild):
+        * rendering/RenderTableRow.cpp:
+        (WebCore::RenderTableRow::addChild):
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::addChild):
+
 2011-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>
 
         Add getOwnPropertySlot to MethodTable
index 7c5887f136cbec292e4f988dba0cef98f27e8a61..5c4dfb1a61e357f4f166d051e06f6ec5dcbd22ab 100644 (file)
@@ -186,8 +186,7 @@ void RenderTable::addChild(RenderObject* child, RenderObject* beforeChild)
 
     if (beforeChild && !beforeChild->isAnonymous() && beforeChild->parent() == this) {
         RenderObject* section = beforeChild->previousSibling();
-        if (section && section->isTableSection()) {
-            ASSERT(section->isAnonymous());
+        if (section && section->isTableSection() && section->isAnonymous()) {
             section->addChild(child);
             return;
         }
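Review bot: with the ASSERT folded into the `if` condition, a non-anonymous previous section now falls through silently to whatever follows this block, and nothing at the condition says why. Add a short comment there stating that only an anonymous section may absorb the child and that otherwise a new anonymous section is created, as the ChangeLog describes. The ChangeLog entry should also say what happened in builds where ASSERT is compiled out, because the old code then went on to call section->addChild(child) on the author's own section.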
index 14eb2b21df9cade4536a22f33dd079c54c664e68..ea1dcf4cd7b711eaf8312fb3089626aa0b4edda8 100644 (file)
@@ -106,8 +106,7 @@ void RenderTableRow::addChild(RenderObject* child, RenderObject* beforeChild)
 
         if (beforeChild && !beforeChild->isAnonymous() && beforeChild->parent() == this) {
             RenderObject* cell = beforeChild->previousSibling();
-            if (cell && cell->isTableCell()) {
-                ASSERT(cell->isAnonymous());
+            if (cell && cell->isTableCell() && cell->isAnonymous()) {
                 cell->addChild(child);
                 return;
             }
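Review bot: this is the same three-line change as in RenderTable::addChild, and RenderTableSection::addChild repeats it once more with `row`. The shared test (previous sibling exists, is the matching table part, and is anonymous) now lives in three places; consider one small helper that takes the sibling and the expected type so the three addChild implementations cannot drift apart.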
index 690e103e8d0bafd0c330e43316d528cdd721d32a..cc5393c9d5231189e6bb2fa01e8ae4ee147fffaa 100644 (file)
@@ -119,8 +119,7 @@ void RenderTableSection::addChild(RenderObject* child, RenderObject* beforeChild
 
         if (beforeChild && !beforeChild->isAnonymous() && beforeChild->parent() == this) {
             RenderObject* row = beforeChild->previousSibling();
-            if (row && row->isTableRow()) {
-                ASSERT(row->isAnonymous());
+            if (row && row->isTableRow() && row->isAnonymous()) {
                 row->addChild(child);
                 return;
             }