commit 078e87ff969689ba86541a46f00f3bd17d39b09a
author antti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Aug 16 16:13:28 2007 +0000
committer antti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Aug 16 16:13:28 2007 +0000
tree 50b6dbd3f48397a421d3f03484795ee8c5255efb
parent 4e11ebe77817c0328fac9f7af7b45c5063a07ecd

LayoutTests:

        Reviewed by Maciej.
        
        Test for <rdar://problem/5388936>
        Crash while setting display:none for a table cell with selection

        * fast/table/destroy-cell-with-selection-crash-expected.txt: Added.
        * fast/table/destroy-cell-with-selection-crash.html: Added.

WebCore:

        Reviewed by Maciej.
        
        Fix <rdar://problem/5388936>
        Crash while setting display:none for a table cell with selection
        
        Super class destroy() could (through some selection code in removeChild()) trigger section recalc 
        in middle of RenderTableCell::destroy(), cleaning section dirty bit. This would later crash in 
        layout since cell grid would still have refence to the dead cell.
        
        Ensure table sections are dirty when leaving destroy method.
        
        I can't figure out tests for row and section changes but they look like
        they could crash in similar way as cell.

        * rendering/RenderTableCell.cpp:
        (WebCore::RenderTableCell::destroy):
        * rendering/RenderTableRow.cpp:
        (WebCore::RenderTableRow::destroy):
        * rendering/RenderTableSection.cpp:
        (WebCore::RenderTableSection::destroy):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@25106 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/rendering/RenderTableCell.cpp

diff --git a/WebCore/rendering/RenderTableCell.cpp b/WebCore/rendering/RenderTableCell.cpp
index 9b50032..5d2cb3d 100644
--- a/WebCore/rendering/RenderTableCell.cpp
+++ b/WebCore/rendering/RenderTableCell.cpp
@@ -54,10 +54,12 @@
 
 void RenderTableCell::destroy()
 {
-    if (parent() && section())
-        section()->setNeedsCellRecalc();
+    RenderTableSection* recalcSection = parent() ? section() : 0;
 
     RenderBlock::destroy();
+
+    if (recalcSection)
+        recalcSection->setNeedsCellRecalc();
 }
 
 void RenderTableCell::updateFromElement()

WebCore/rendering/RenderTableRow.cpp

diff --git a/WebCore/rendering/RenderTableRow.cpp b/WebCore/rendering/RenderTableRow.cpp
index 921ad61..c5c529a 100644
--- a/WebCore/rendering/RenderTableRow.cpp
+++ b/WebCore/rendering/RenderTableRow.cpp
@@ -46,10 +46,12 @@
 
 void RenderTableRow::destroy()
 {
-    if (RenderTableSection* s = section())
-        s->setNeedsCellRecalc();
+    RenderTableSection* recalcSection = section();
     
     RenderContainer::destroy();
+    
+    if (recalcSection)
+        recalcSection->setNeedsCellRecalc();
 }
 
 void RenderTableRow::setStyle(RenderStyle* newStyle)

WebCore/rendering/RenderTableSection.cpp

diff --git a/WebCore/rendering/RenderTableSection.cpp b/WebCore/rendering/RenderTableSection.cpp
index 6ed94c5..b00b184 100644
--- a/WebCore/rendering/RenderTableSection.cpp
+++ b/WebCore/rendering/RenderTableSection.cpp
@@ -72,12 +72,14 @@
 
 void RenderTableSection::destroy()
 {
+    RenderTable* recalcTable = table();
+    
+    RenderContainer::destroy();
+    
     // recalc cell info because RenderTable has unguarded pointers
     // stored that point to this RenderTableSection.
-    if (table())
-        table()->setNeedsSectionRecalc();
-
-    RenderContainer::destroy();
+    if (recalcTable)
+        recalcTable->setNeedsSectionRecalc();
 }
 
 void RenderTableSection::setStyle(RenderStyle* newStyle)