Bug 70392

Summary: Multiple crashes in RenderTable during layout
Product: WebKit Reporter: Julien Chaffraix <jchaffraix>
Component: Tables Assignee: Julien Chaffraix <jchaffraix>
Status: RESOLVED FIXED    
Severity: Normal CC: jamesr, robert, simon.fraser, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Proposed fix: Check node() in 2 call sites. none

Description Julien Chaffraix 2011-10-18 18:08:31 PDT
Following r97555, there are several crashes reported either in RenderTable::layout or RenderTable::computeLogicalWidth.

It looks like this is due to the following lines:

RenderTable::computeLogicalWidth
> if (!node()->hasTagName(tableTag)) {

RenderTable::layout
> LayoutUnit borders = node()->hasTagName(tableTag) ? (borderAndPaddingBefore + borderAndPaddingAfter) : 0;

If we have an anonymous table, Node::hasTagName will happily do a NULL-dereferencing.

Patch coming soon in a bugzilla near you.
Comment 1 Julien Chaffraix 2011-10-18 18:39:28 PDT
Created attachment 111550 [details]
Proposed fix: Check node() in 2 call sites.
Comment 2 WebKit Review Bot 2011-10-19 18:35:37 PDT
Comment on attachment 111550 [details]
Proposed fix: Check node() in 2 call sites.

Clearing flags on attachment: 111550

Committed r97907: <http://trac.webkit.org/changeset/97907>
Comment 3 WebKit Review Bot 2011-10-19 18:35:41 PDT
All reviewed patches have been landed.  Closing bug.
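
The null dereference described in the report, as an added example that is not part of the bug thread and is not WebKit code: a minimal model of a renderer whose node() is null for anonymous tables, with both call sites routed through a guarded check. The class layout, `isTableElement`, `bordersForLayout` and `takesNonTableWidthPath` are hypothetical names, and the guard shown is an assumption based on the attachment title, since the patch itself is not shown on this page.

```cpp
#include <cstdio>
#include <string>

// Simplified stand-ins for WebKit's Node and RenderTable (hypothetical, not WebKit code).
struct Node {
    std::string tag;
    bool hasTagName(const std::string& name) const { return tag == name; }
};

static const std::string tableTag = "table";

class RenderTable {
public:
    // Pass nullptr to model an anonymous table: a renderer the layout engine
    // creates itself, with no DOM element behind it.
    explicit RenderTable(const Node* node) : m_node(node) {}
    const Node* node() const { return m_node; }

    // Guarded predicate: node() is checked before it is dereferenced.
    // The crashing form from the report was node()->hasTagName(tableTag).
    bool isTableElement() const { return node() && node()->hasTagName(tableTag); }

    // Models the RenderTable::layout call site.
    int bordersForLayout(int before, int after) const {
        return isTableElement() ? before + after : 0;
    }

    // Models the RenderTable::computeLogicalWidth call site (assumption: an
    // anonymous table takes the same branch as any other non-<table> renderer).
    bool takesNonTableWidthPath() const { return !isTableElement(); }

private:
    const Node* m_node;
};

int main() {
    Node table{"table"};
    Node div{"div"};
    RenderTable fromTable(&table), fromDiv(&div), anonymous(nullptr);
    std::printf("table=%d div=%d anonymous=%d\n",
                fromTable.bordersForLayout(2, 3),
                fromDiv.bordersForLayout(2, 3),
                anonymous.bordersForLayout(2, 3));
    return 0;
}
```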