2010-08-25 Cris Neckar <cdn@chromium.org>
        Reviewed by Darin Adler.

        Added abort condition for RenderCounters when traversing a detached render tree.
        https://bugs.webkit.org/show_bug.cgi?id=43812

        Test: fast/css/counters/counter-traverse-object-crash.html

        * rendering/RenderCounter.cpp:
        (WebCore::findPlaceForCounter):
2010-08-25  Cris Neckar  <cdn@chromium.org>

        Reviewed by Darin Adler.

        Assertion failure in RenderCounter when traversing detached render trees.
        https://bugs.webkit.org/show_bug.cgi?id=43812

        * fast/css/counters/counter-traverse-object-crash-expected.txt: Added.
        * fast/css/counters/counter-traverse-object-crash.html: Added.


Canonical link: https://commits.webkit.org/56828@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@66052 268f45cc-cd09-0410-ab3c-d52691b4dbfc
inferno-chromium committed Aug 25, 2010
1 parent c593231 commit e9da406438821a3add6f08334d1eac88455f4319
Showing 5 changed files with 46 additions and 0 deletions.
@@ -1,3 +1,13 @@
2010-08-25 Cris Neckar <cdn@chromium.org>

Reviewed by Darin Adler.

Assertion failure in RenderCounter when traversing a detached render trees.
https://bugs.webkit.org/show_bug.cgi?id=43812

* fast/css/counters/counter-traverse-object-crash-expected.txt: Added.
* fast/css/counters/counter-traverse-object-crash.html: Added.

2010-08-25 Chris Marrin <cmarrin@apple.com>

Reviewed by Simon Fraser.
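Review bot: The summary line of the added entry reads "when traversing a detached render trees", where the article and the plural disagree. Make it "when traversing detached render trees", or "a detached render tree" to match the wording the WebCore ChangeLog entry uses for the same bug.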
@@ -0,0 +1,2 @@
This tests that we do not crash when RenderCounter traverses detached render trees. PASS

@@ -0,0 +1,17 @@
<html>
<script>
function test()
{
if (window.layoutTestController)
layoutTestController.dumpAsText();
document.getElementsByTagName("div")[0].outerHTML = "PASS";
}
</script>
This tests that we do not crash when RenderCounter traverses detached render trees.
<body onload="test()" style="counter-increment: ctr">
<object>
<b style="counter-increment: ctr"><div></div></b>
<menu style="counter-increment: ctr"></menu>
</object>
</body>
</html>
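Review bot: The description sentence "This tests that we do not crash when RenderCounter traverses detached render trees." sits after </script> and before the <body onload="test()" ...> start tag, so where it ends up in the document, and therefore in the dumpAsText() output, is left to parser recovery. Move it inside <body> so the expected text does not depend on that. Note also that test() writes "PASS" unconditionally, so the test only demonstrates that no crash or assertion occurs during the counter traversal; it does not check the resulting counter state.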
@@ -1,3 +1,15 @@
2010-08-25 Cris Neckar <cdn@chromium.org>

Reviewed by Darin Adler.

Added abort condition for RenderCounters when traversing a detached render tree.
https://bugs.webkit.org/show_bug.cgi?id=43812

Test: fast/css/counters/counter-traverse-object-crash.html

* rendering/RenderCounter.cpp:
(WebCore::findPlaceForCounter):

2010-08-25 Chris Marrin <cmarrin@apple.com>

Reviewed by Simon Fraser.
@@ -136,6 +136,11 @@ static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString&
RenderObject* currentRenderer = counterOwner->previousInPreOrder();
previousSibling = 0;
while (currentRenderer) {
// A sibling without a parent means that the counter node tree was not constructed correctly so we stop
// traversing. In the future RenderCounter should handle RenderObjects that are not connected to the
// render tree at counter node creation. See bug 43812.
if (previousSibling && !previousSibling->parent())
return false;
CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
if (searchEndRenderer == currentRenderer) {
// We may be at the end of our search.
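Review bot: The new guard at the top of the while loop tests only previousSibling, which is 0 on loop entry, so it can fire only after an earlier iteration has already recorded a parentless sibling; the detached tree is detected one step late rather than prevented. The early "return false" also leaves previousSibling pointing at that parentless node: if callers can read previousSibling after a false result, reset it to 0 before returning. The comment describes deferred work ("In the future RenderCounter should handle RenderObjects that are not connected to the render tree"), so mark it as a FIXME so it is found when bug 43812 is revisited.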
