Title: [258816] trunk
Revision
258816
Author
commit-qu...@webkit.org
Date
2020-03-21 21:59:05 -0700 (Sat, 21 Mar 2020)

Log Message

Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
https://bugs.webkit.org/show_bug.cgi?id=209251
<rdar://problem/60103614>

Patch by Jack Lee <shihchieh_...@apple.com> on 2020-03-21
Reviewed by Darin Adler.

Source/WebCore:

In this case, which is a valid scenario, we are looking for the sibling of an AccessibilityRenderObject through the parent of its renderer, which happens to be the <RenderView>. Since <RenderView> has no parent, we need to skip calling isInlineWithContinuation with a null parent by adding a null check.

Test: fast/frames/iframe-empty-doc-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::nextSibling const):

LayoutTests:

In this case, which is a valid scenario, we are looking for the sibling of an AccessibilityRenderObject through the parent of its renderer, which happens to be the <RenderView>. Since <RenderView> has no parent, we need to skip calling isInlineWithContinuation with a null parent by adding a null check.

* fast/frames/iframe-empty-doc-crash-expected.txt: Added.
* fast/frames/iframe-empty-doc-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (258815 => 258816)


--- trunk/LayoutTests/ChangeLog	2020-03-22 02:57:36 UTC (rev 258815)
+++ trunk/LayoutTests/ChangeLog	2020-03-22 04:59:05 UTC (rev 258816)
@@ -1,3 +1,16 @@
+2020-03-21  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
+        https://bugs.webkit.org/show_bug.cgi?id=209251
+        <rdar://problem/60103614>
+
+        Reviewed by Darin Adler.
+
+        In this case, which is a valid scenario, we are looking for sibling of an AccessibilityRenderObject through the parent of its renderer, which happens to be of <RenderView>. Since <RenderView> has no parent, we need to skip calling isInlineWithContinuation with a null parent, by adding null check. 
+
+        * fast/frames/iframe-empty-doc-crash-expected.txt: Added.
+        * fast/frames/iframe-empty-doc-crash.html: Added.
+
 2020-03-21  Simon Fraser  <simon.fra...@apple.com>
 
         LayoutTest fast/scrolling/scroll-container-horizontally.html frequently times out & fails
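Review bot: the description line in this LayoutTests ChangeLog entry ("... by adding null check. ") carries trailing whitespace and simply repeats the Source/WebCore rationale; a LayoutTests entry is more useful when it says what the new test exercises, e.g. "Test that requesting the accessibility next sibling inside an iframe with an empty document does not crash." Also drop the trailing space so the entry matches the surrounding ChangeLog formatting.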

Modified: trunk/Source/WebCore/ChangeLog (258815 => 258816)


--- trunk/Source/WebCore/ChangeLog	2020-03-22 02:57:36 UTC (rev 258815)
+++ trunk/Source/WebCore/ChangeLog	2020-03-22 04:59:05 UTC (rev 258816)
@@ -1,3 +1,18 @@
+2020-03-21  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
+        https://bugs.webkit.org/show_bug.cgi?id=209251
+        <rdar://problem/60103614>
+
+        Reviewed by Darin Adler.
+
+        In this case, which is a valid scenario, we are looking for sibling of an AccessibilityRenderObject through the parent of its renderer, which happens to be of <RenderView>. Since <RenderView> has no parent, we need to skip calling isInlineWithContinuation with a null parent, by adding null check.
+
+        Test: fast/frames/iframe-empty-doc-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::nextSibling const):
+
 2020-03-21  Philippe Normand  <pnorm...@igalia.com>
 
         Make the MediaSample::toJSONString method generic
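Review bot: the per-function line "(WebCore::AccessibilityRenderObject::nextSibling const):" is left without a description, while the rationale paragraph above it only describes the scenario; WebKit ChangeLog entries normally state the change next to the function, e.g. "Null-check m_renderer->parent() before passing it to isInlineWithContinuation(), since the RenderView has no parent." That keeps the what-changed next to the where-changed for anyone reading the log without the diff.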

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (258815 => 258816)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2020-03-22 02:57:36 UTC (rev 258815)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2020-03-22 04:59:05 UTC (rev 258816)
@@ -384,7 +384,7 @@
 
     // Case 5: node has no next sibling, and its parent is an inline with a continuation.
     // Case 5.1: After case 4, (the element was inline w/ continuation but had no sibling), then check it's parent.
-    if (!nextSibling && isInlineWithContinuation(*m_renderer->parent())) {
+    if (!nextSibling && m_renderer->parent() && isInlineWithContinuation(*m_renderer->parent())) {
         auto& continuation = *downcast<RenderInline>(*m_renderer->parent()).continuation();
         
         // Case 5a: continuation is a block - in this case the block itself is the next sibling.
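Review bot: the added `m_renderer->parent() &&` guard fixes the null dereference, but the hunk now calls `m_renderer->parent()` three times in two lines (twice in the condition, once in the `downcast<RenderInline>(*m_renderer->parent())` that follows); hoisting it into a local, e.g. `auto* parent = m_renderer->parent(); if (!nextSibling && parent && isInlineWithContinuation(*parent)) { auto& continuation = *downcast<RenderInline>(*parent).continuation();`, makes the guard and the later dereference visibly refer to the same pointer and avoids repeating the lookup. The unchanged context comment "then check it's parent" should read "its parent" while this area is being touched.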