From 18b74f607c498f25cd708a95f394a510a9ffaffd Mon Sep 17 00:00:00 2001 From: Xianzhu Wang Date: Thu, 14 Sep 2017 23:23:06 +0000 Subject: [PATCH] Fix null pointer in LayoutTable::UpdateCollapsedOuterBorders(). Check for null BottomNonEmptySection even if TopNonEmptySection is not null because of crbug.com/764525. TBR=wangxianzhu@chromium.org (cherry picked from commit 3343091dc68bb4903d5277cf5e6aa6c74fdc5069) Bug: 764284 Change-Id: I4d45cbd3432722a8958ba647767d97b782c10512 Reviewed-on: https://chromium-review.googlesource.com/664303 Reviewed-by: David Grogan Commit-Queue: Xianzhu Wang Cr-Original-Commit-Position: refs/heads/master@{#501471} Reviewed-on: https://chromium-review.googlesource.com/668157 Reviewed-by: Xianzhu Wang Cr-Commit-Position: refs/branch-heads/3202@{#241} Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098} --- .../WebKit/Source/core/layout/LayoutTable.cpp | 18 ++++++++++-------- .../Source/core/layout/LayoutTableTest.cpp | 12 ++++++++++++ 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/third_party/WebKit/Source/core/layout/LayoutTable.cpp b/third_party/WebKit/Source/core/layout/LayoutTable.cpp index 2c8d2ab4627a6..4299eb8aec4e7 100644 --- a/third_party/WebKit/Source/core/layout/LayoutTable.cpp +++ b/third_party/WebKit/Source/core/layout/LayoutTable.cpp @@ -1664,16 +1664,18 @@ void LayoutTable::UpdateCollapsedOuterBorders() const { } } - const auto* bottom_section = BottomNonEmptySection(); - DCHECK(bottom_section); // The table's after outer border width is the maximum after outer border // widths of all cells in the last row. See the CSS 2.1 spec, section 17.6.2. - unsigned row = bottom_section->NumRows() - 1; - unsigned bottom_cols = bottom_section->NumCols(row); - for (unsigned col = 0; col < bottom_cols; ++col) { - if (const auto* cell = bottom_section->PrimaryCellAt(row, col)) { - collapsed_outer_border_after_ = std::max( - collapsed_outer_border_after_, cell->CollapsedOuterBorderAfter()); + // TODO(crbug.com/764525): Because of the bug, bottom_section can be null when + // top_section is not null. See LayoutTableTest.OutOfOrderHeadAndBody. + if (const auto* bottom_section = BottomNonEmptySection()) { + unsigned row = bottom_section->NumRows() - 1; + unsigned bottom_cols = bottom_section->NumCols(row); + for (unsigned col = 0; col < bottom_cols; ++col) { + if (const auto* cell = bottom_section->PrimaryCellAt(row, col)) { + collapsed_outer_border_after_ = std::max( + collapsed_outer_border_after_, cell->CollapsedOuterBorderAfter()); + } } } diff --git a/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp b/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp index 82fd163303f1e..cc4a25fda5bf5 100644 --- a/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp +++ b/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp @@ -233,6 +233,18 @@ TEST_F(LayoutTableTest, PaddingWithCollapsedBorder) { EXPECT_EQ(0, table->PaddingUnder()); } +TEST_F(LayoutTableTest, OutOfOrderHeadAndBody) { + // This should not crash. + SetBodyInnerHTML( + "" + " " + " " + "
Body
"); + // TODO(crbug.com/764525): Add tests for TopSection(), BottomSection(), + // TopNonEmptySection(), BottomNonEmptySection(), SectionAbove(), + // SectionBelow() for similar cases. +} + } // anonymous namespace } // namespace blink