Skip to content
  • inferno@chromium.org's avatar
    Crash in RenderTableSection::paintCell. · 7081f500
    inferno@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=87445
    
    Reviewed by Eric Seidel and Julien Chaffraix.
    
    Source/WebCore:
    
    Fix the crash by preventing table parts from being set
    as layout root. This prevents us from accessing removed
    table cells which can happen if RenderTableSection::layout
    is called directly without calling RenderTable::layout first
    (in case of cell recalc).
    
    Add ASSERTs to RenderTableSection::layout to prevent
    layout to happen when we are already pending cell recalc
    or our table is pending section recalc. In those cases,
    RenderTable::layout should be called first to relayout
    the entire table.
    
    Test: tables/table-section-overflow-clip-crash.html
    
    * rendering/RenderObject.cpp:
    (WebCore::objectIsRelayoutBoundary):
    * rendering/RenderTableSection.cpp:
    (WebCore::RenderTableSection::layout):
    
    LayoutTests:
    
    * tables/table-section-overflow-clip-crash-expected.txt: Added.
    * tables/table-section-overflow-clip-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118592 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    7081f500