From 8cdedf3b7fb11c116e5701ffefe31be3fcedc90e Mon Sep 17 00:00:00 2001
From: "inferno@chromium.org"
 <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun, 19 Feb 2012 20:06:56 +0000
Subject: [PATCH] Crash in RenderBlock::splitAnonymousBlocksAroundChild.
 https://bugs.webkit.org/show_bug.cgi?id=78994

Reviewed by Eric Seidel.

Source/WebCore:

Generalize splitTablePartsAroundChild to handle splitting
in nested tables.
Table->Table Section->Table Row->Table Cell->Table->Table Section->Table Row

Test: fast/table/table-split-inside-table.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::splitTablePartsAroundChild):

LayoutTests:

* fast/table/table-split-inside-table-expected.txt: Added.
* fast/table/table-split-inside-table.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108194 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 10 ++++++
 .../table/table-split-inside-table-expected.txt    |  2 ++
 .../fast/table/table-split-inside-table.html       | 38 ++++++++++++++++++++++
 Source/WebCore/ChangeLog                           | 16 +++++++++
 Source/WebCore/rendering/RenderBlock.cpp           |  6 ++--
 5 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 LayoutTests/fast/table/table-split-inside-table-expected.txt
 create mode 100755 LayoutTests/fast/table/table-split-inside-table.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index fbf2fea..5acb932 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2012-02-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderBlock::splitAnonymousBlocksAroundChild.
+        https://bugs.webkit.org/show_bug.cgi?id=78994
+
+        Reviewed by Eric Seidel.
+
+        * fast/table/table-split-inside-table-expected.txt: Added.
+        * fast/table/table-split-inside-table.html: Added.
+
 2012-02-19  Robert Hogan  <robert@webkit.org>
 
         Chromium results for r108185
diff --git a/LayoutTests/fast/table/table-split-inside-table-expected.txt b/LayoutTests/fast/table/table-split-inside-table-expected.txt
new file mode 100644
index 0000000..1042c76
--- /dev/null
+++ b/LayoutTests/fast/table/table-split-inside-table-expected.txt
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
diff --git a/LayoutTests/fast/table/table-split-inside-table.html b/LayoutTests/fast/table/table-split-inside-table.html
new file mode 100755
index 0000000..0c22d7d
--- /dev/null
+++ b/LayoutTests/fast/table/table-split-inside-table.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test1 { -webkit-column-count: 2; }
+#test4 { -webkit-column-span: all; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window.onload = function() {
+	test1 = document.createElement('div');
+	test1.setAttribute('id', 'test1');
+	document.body.appendChild(test1); 
+	test2 = document.createElement('div');
+	test3 = document.createElement('div');
+	test1.appendChild(test2);
+	test1.appendChild(test3);
+	test4 = document.createElement('div'); 
+	test4.setAttribute('id', 'test4');
+	test1.appendChild(test4);
+	test4.style.display = 'table-footer-group';
+	document.body.offsetTop
+	test3.style.display = 'table-row';
+	document.body.offsetTop;
+	test3.style.display = 'table-column-group';
+	document.body.offsetTop;
+	test3.style.display = 'table-row';
+	document.body.offsetTop;
+	test2.style.display = 'inline';
+}
+</script>
+</head>
+<body>
+Test passes if it does not crash.
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 7729cc4..502176c 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-02-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderBlock::splitAnonymousBlocksAroundChild.
+        https://bugs.webkit.org/show_bug.cgi?id=78994
+
+        Reviewed by Eric Seidel.
+
+        Generalize splitTablePartsAroundChild to handle splitting
+        in nested tables.
+        Table->Table Section->Table Row->Table Cell->Table->Table Section->Table Row
+
+        Test: fast/table/table-split-inside-table.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitTablePartsAroundChild):
+
 2012-02-19  Kalev Lember  <kalevlember@gmail.com>
 
         [GTK] Fix build on platforms where UChar is wchar_t
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index 612bfc5..459bce1 100755
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -659,8 +659,10 @@ RenderObject* RenderBlock::splitTablePartsAroundChild(RenderObject* beforeChild)
 {
     ASSERT(beforeChild->isTablePart());
 
-    while (beforeChild->parent() != this && !beforeChild->isTable()) {
+    while (beforeChild->parent() != this) {
         RenderObject* tablePartToSplit = beforeChild->parent();
+        if (!tablePartToSplit->isTablePart() && !tablePartToSplit->isTable())
+            break;
         if (tablePartToSplit->firstChild() != beforeChild) {
             // Get our table container.
             RenderObject* curr = tablePartToSplit;
@@ -668,7 +670,7 @@ RenderObject* RenderBlock::splitTablePartsAroundChild(RenderObject* beforeChild)
                 curr = curr->parent();
             RenderTable* table = toRenderTable(curr);
 
-            // Create an anonymous table container next to our table container. 
+            // Create an anonymous table container next to our table container.
             RenderBlock* parentBlock = toRenderBlock(table->parent());
             RenderTable* postTable = parentBlock->createAnonymousTable();
             parentBlock->children()->insertChildNode(parentBlock, postTable, table->nextSibling());
-- 
2.7.4