<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[225960] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/225960">225960</a></dd>
<dt>Author</dt> <dd>zalan@apple.com</dd>
<dt>Date</dt> <dd>2017-12-14 20:22:47 -0800 (Thu, 14 Dec 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Inconsistent section grid could lead to CrashOnOverflow
https://bugs.webkit.org/show_bug.cgi?id=180850
<rdar://problem/34064811>

Reviewed by Simon Fraser.

Source/WebCore:

Each RenderTableSection maintains a grid of rows and columns. The number of columns in this grid equals the
maximum number of columns in the entire table (taking spans and multiple sections into account).
Since the maximum number of columns might change while re-computing the sections, we need to
adjust them accordingly at the end (otherwise it could lead to inconsistent grids where rows have different number of columns).

Test: fast/table/table-row-oveflow-crash.html

* rendering/RenderTable.cpp:
(WebCore::RenderTable::recalcSections const):
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::removeRedundantColumns):
* rendering/RenderTableSection.h:

LayoutTests:

* fast/table/table-row-oveflow-crash-expected.txt: Added.
* fast/table/table-row-oveflow-crash.html: Added.</pre>
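<p>The grid invariant described in the log message above, as an added toy model in C++ that is not WebCore's code (the names Table, Section, SectionRow, GridSlot, walkGrid and gridStaysInBounds are hypothetical): a section row keeps the width it was given when that section was recomputed, the table's column count is settled afterwards from the occupied slots, and without a final trimming pass a row can stay wider than the column vector that layout indexes by grid column. gridStaysInBounds(false) surfaces that stale width as a std::out_of_range instead of a memory overflow; gridStaysInBounds(true) applies the same shrink that removeRedundantColumns performs in this revision.</p>

```cpp
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <vector>

// Toy model of the table/section column grid (hypothetical names, not WebCore's
// code): a Table keeps one entry per effective column, each Section caches a
// grid row whose width is fixed when that section is recomputed.
struct GridSlot { bool hasCell = false; };
struct SectionRow {
    std::vector<unsigned> cellSpans;  // the cells really in the row (their colspans)
    std::vector<GridSlot> slots;      // cached grid row, one slot per column
};
struct Table;
struct Section {
    std::vector<SectionRow> rows;
    Table* table = nullptr;
    void recalcCells();
    std::size_t numColumns() const;   // last occupied slot + 1, as in WebKit
    void removeRedundantColumns();    // the fix from this change, modelled
};
struct Table {
    std::vector<Section> sections;
    std::vector<int> columns;         // plays the role of m_columns
    std::size_t numEffCols() const { return columns.size(); }
    void recalcSections(bool applyFix);
};

void Section::recalcCells() {
    for (auto& row : rows) {
        row.slots.assign(table->numEffCols(), GridSlot{});  // width = column count right now
        std::size_t col = 0;
        for (unsigned span : row.cellSpans)
            for (unsigned i = 0; i < span; ++i, ++col) {
                if (col >= table->numEffCols()) {           // like addCell() -> appendColumn()
                    table->columns.push_back(0);
                    row.slots.emplace_back();
                }
                row.slots[col].hasCell = true;
            }
    }
}

std::size_t Section::numColumns() const {
    std::size_t result = 0;
    for (const auto& row : rows)
        for (std::size_t c = 0; c < row.slots.size(); ++c)
            if (row.slots[c].hasCell) result = std::max(result, c + 1);
    return result;
}

void Section::removeRedundantColumns() {
    std::size_t maximumNumberOfColumns = table->numEffCols();
    for (auto& row : rows)
        if (row.slots.size() > maximumNumberOfColumns)
            row.slots.resize(maximumNumberOfColumns);
}

void Table::recalcSections(bool applyFix) {
    for (auto& section : sections) { section.table = this; section.recalcCells(); }
    // As in RenderTable::recalcSections, the column count is settled from the
    // occupied slots only after every section has been recomputed.
    std::size_t maxCols = 0;
    for (const auto& section : sections) maxCols = std::max(maxCols, section.numColumns());
    columns.resize(maxCols);
    if (applyFix)
        for (auto& section : sections) section.removeRedundantColumns();
}

// Indexes the column vector by grid slot, the way layout indexes m_columns;
// at() throws where operator[] would read past the end. Returns slots visited.
std::size_t walkGrid(const Table& table) {
    std::size_t visited = 0;
    for (const auto& section : table.sections)
        for (const auto& row : section.rows)
            for (std::size_t c = 0; c < row.slots.size(); ++c, ++visited)
                (void)table.columns.at(c);
    return visited;
}

// Constructed scenario: a row first holds three cells, then loses two of them
// (the test in this revision moves cells between rows and tables) and is recomputed.
// Returns true if the grid walk stays inside the table's column vector.
bool gridStaysInBounds(bool applyFix) {
    Table table;
    table.sections.resize(1);
    SectionRow row;
    row.cellSpans = {1, 1, 1};
    table.sections[0].rows.push_back(row);
    table.recalcSections(applyFix);              // 3 columns, row width 3
    table.sections[0].rows[0].cellSpans = {1};   // two cells moved away
    table.recalcSections(applyFix);              // column count shrinks to 1
    try { walkGrid(table); return true; }
    catch (const std::out_of_range&) { return false; }
}
```

<p>The check in walkGrid is the property a regression test could assert after any recalc: every row of every section has at most numEffCols() slots, so indexing the column vector by grid column never leaves the vector.</p>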

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderTablecpp">trunk/Source/WebCore/rendering/RenderTable.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderTableSectioncpp">trunk/Source/WebCore/rendering/RenderTableSection.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderTableSectionh">trunk/Source/WebCore/rendering/RenderTableSection.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasttabletablerowoveflowcrashexpectedtxt">trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasttabletablerowoveflowcrashhtml">trunk/LayoutTests/fast/table/table-row-oveflow-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (225959 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/LayoutTests/ChangeLog 2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2017-12-14  Zalan Bujtas  <zalan@apple.com>
+
+        Inconsistent section grid could lead to CrashOnOverflow
+        https://bugs.webkit.org/show_bug.cgi?id=180850
+        <rdar://problem/34064811>
+
+        Reviewed by Simon Fraser.
+
+        * fast/table/table-row-oveflow-crash-expected.txt: Added.
+        * fast/table/table-row-oveflow-crash.html: Added.
+
</ins><span class="cx"> 2017-12-14  Chris Dumez  <cdumez@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [iOS] Many serviceworker tests are flaky timeouts on iOS bots
</span></span></pre></div>
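Review bot: the file names in this entry, `fast/table/table-row-oveflow-crash.html` and `fast/table/table-row-oveflow-crash-expected.txt`, misspell "overflow" as "oveflow", and the files are added under that name in this revision; renaming them before landing (and updating the `Test:` line in the WebCore ChangeLog to match) is cheap now and awkward later.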
<a id="trunkLayoutTestsfasttabletablerowoveflowcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt (0 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/table/table-row-oveflow-crash-expected.txt   2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+PASS if no crash.
+5
+2
+43
</ins></span></pre></div>
<a id="trunkLayoutTestsfasttabletablerowoveflowcrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/table/table-row-oveflow-crash.html (0 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/table/table-row-oveflow-crash.html                                (rev 0)
+++ trunk/LayoutTests/fast/table/table-row-oveflow-crash.html   2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<table>
+  <tbody>
+    <tr id="tr_first_table"></tr>
+  </tbody>
+  <tbody>
+   <tr>
+     <th>2</th>
+     <th id="th_first_table">3</th>
+  </tr>
+  </tbody>
+</table>
+<br>
+<table>
+  <th id="th_second_table">4</th>
+  <th rowspan="6" id="th_withh_rowspan">5</th>
+</table>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+  
+document.body.offsetHeight;
+th_second_table.appendChild(th_first_table);
+document.body.offsetHeight;
+tr_first_table.appendChild(th_withh_rowspan);
+document.body.offsetHeight;
+</script>
+</body>
+</html>
</ins></span></pre></div>
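Review bot: `id="th_withh_rowspan"` and the matching `th_withh_rowspan.appendChild` reference carry a doubled "h"; the test passes because both sides agree, but `th_with_rowspan` reads as intended. The line after `testRunner.dumpAsText();` is whitespace-only. The three `document.body.offsetHeight;` reads are what force a layout between the DOM moves, which is the actual repro sequence; a short comment on the first one would keep a future edit from removing them as dead code.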
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (225959 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/ChangeLog      2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2017-12-14  Zalan Bujtas  <zalan@apple.com>
+
+        Inconsistent section grid could lead to CrashOnOverflow
+        https://bugs.webkit.org/show_bug.cgi?id=180850
+        <rdar://problem/34064811>
+
+        Reviewed by Simon Fraser.
+
+        Each RenderTableSection maintains a grid of rows and columns. The number of columns in this grid equals the
+        maximum number of columns in the entire table (taking spans and multiple sections into account).
+        Since the maximum number of columns might change while re-computing the sections, we need to
+        adjust them accordingly at the end (otherwise it could lead to inconsistent grids where rows have different number of columns).
+
+        Test: fast/table/table-row-oveflow-crash.html
+
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::recalcSections const):
+        * rendering/RenderTableSection.cpp:
+        (WebCore::RenderTableSection::removeRedundantColumns):
+        * rendering/RenderTableSection.h:
+
</ins><span class="cx"> 2017-12-14  David Kilzer  <ddkilzer@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Enable -Wstrict-prototypes for WebKit
</span></span></pre></div>
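Review bot: the `Test:` line repeats the `oveflow` misspelling from the test file's name, so it needs the same fix as the file if the test is renamed. The description says the sections are adjusted "at the end" but not how; one sentence noting that `RenderTable::recalcSections` now calls `RenderTableSection::removeRedundantColumns`, which trims each grid row to `numEffCols()`, would let a reader understand the fix without opening the diff.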
<a id="trunkSourceWebCorerenderingRenderTablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderTable.cpp (225959 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderTable.cpp   2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTable.cpp      2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -1111,6 +1111,10 @@
</span><span class="cx">     m_columns.resize(maxCols);
</span><span class="cx">     m_columnPos.resize(maxCols + 1);
</span><span class="cx"> 
</span><ins>+    // Now that we know the number of maximum number of columns, let's shrink the sections grids if needed.
+    for (auto& section : childrenOfType<RenderTableSection>(const_cast<RenderTable&>(*this)))
+        section.removeRedundantColumns();
+
</ins><span class="cx">     ASSERT(selfNeedsLayout());
</span><span class="cx"> 
</span><span class="cx">     m_needsSectionRecalc = false;
</span></span></pre></div>
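Review bot: the new comment reads "the number of maximum number of columns"; suggest "Now that we know the maximum number of columns, shrink the section grids if needed." The placement also matters: the loop must stay after `m_columns.resize(maxCols)`, because `removeRedundantColumns()` sizes rows to `table()->numEffCols()` and that count is only final once the resize has run; saying so in the comment would stop a later refactor from moving the loop above it. The `const_cast` on `*this` is what lets a `const` member function mutate the sections' grids; a word on why `recalcSections` is `const` at all, or a follow-up to drop the qualifier, would help.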
<a id="trunkSourceWebCorerenderingRenderTableSectioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderTableSection.cpp (225959 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderTableSection.cpp    2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTableSection.cpp       2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -1385,6 +1385,16 @@
</span><span class="cx">     setNeedsLayout();
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void RenderTableSection::removeRedundantColumns()
+{
+    auto maximumNumberOfColumns = table()->numEffCols();
+    for (auto& rowItem : m_grid) {
+        if (rowItem.row.size() <= maximumNumberOfColumns)
+            continue;
+        rowItem.row.resize(maximumNumberOfColumns);
+    }
+}
+
</ins><span class="cx"> // FIXME: This function could be made O(1) in certain cases (like for the non-most-constrainive cells' case).
</span><span class="cx"> void RenderTableSection::rowLogicalHeightChanged(unsigned rowIndex)
</span><span class="cx"> {
</span></span></pre></div>
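Review bot: `removeRedundantColumns()` only shrinks rows that are wider than `numEffCols()` and leaves narrower rows untouched, while the ChangeLog describes the problem as rows with a different number of columns. If a row can end up narrower than the table's column count, the grid is still inconsistent and any code that walks a row up to `numEffCols()` would read past it; if that cannot happen, an `ASSERT(rowItem.row.size() == maximumNumberOfColumns)` after the `continue`/`resize` pair would record the invariant and catch a regression in debug builds. `table()` is also dereferenced without a check; fine while `RenderTable::recalcSections` is the only caller, but an `ASSERT(table())` would state that assumption.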
<a id="trunkSourceWebCorerenderingRenderTableSectionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderTableSection.h (225959 => 225960)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderTableSection.h      2017-12-15 04:22:22 UTC (rev 225959)
+++ trunk/Source/WebCore/rendering/RenderTableSection.h 2017-12-15 04:22:47 UTC (rev 225960)
</span><span class="lines">@@ -127,6 +127,7 @@
</span><span class="cx">     unsigned numColumns() const;
</span><span class="cx">     void recalcCells();
</span><span class="cx">     void recalcCellsIfNeeded();
</span><ins>+    void removeRedundantColumns();
</ins><span class="cx"> 
</span><span class="cx">     bool needsCellRecalc() const { return m_needsCellRecalc; }
</span><span class="cx">     void setNeedsCellRecalc();
</span></span></pre>
</div>
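Review bot: the new `removeRedundantColumns()` declaration carries no comment; a one-liner saying it trims every grid row to `table()->numEffCols()` and must only run after `RenderTable` has settled that count would tell the next caller when it is safe. Since calling it earlier would silently drop grid slots (the `resize` truncates), consider keeping it out of the general public interface, for example private with `RenderTable` as a friend, if the class already uses that pattern.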
</div>

</body>
</html>