Title: [288292] releases/WebKitGTK/webkit-2.34
- Revision: 288292
- Author: ape...@igalia.com
- Date: 2022-01-20 08:01:59 -0800 (Thu, 20 Jan 2022)
Log Message
Merge r287867 - null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
https://bugs.webkit.org/show_bug.cgi?id=234654
<rdar://problem/86571571>
Reviewed by Antti Koivisto.
Source/WebCore:
needsLayout() check in invalidateLineLayoutPath is insufficient for modern line layout.
m_lineLayout = std::monostate() does not only destroy the line layout object but it also nukes all the IFC geometries.
It is equivalent to having all the child boxes dirty, since in order to re-generate the geometry information,
we have to layout _all_ the boxes (note that nuking the legacy line layout object does not destroy the inline tree).
The bug here is that needsLayout() returns true for cases (e.g. posChildNeedsLayout) where, even though the geometry is all gone,
we are going to take a special layout codepath which expects pre-computed geometries.
Test: fast/block/line-layout/line-layout-collect-overflow-crash.html
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::invalidateLineLayoutPath):
LayoutTests:
* fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt: Added.
* fast/block/line-layout/line-layout-collect-overflow-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (288291 => 288292)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-20 15:58:50 UTC (rev 288291)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-20 16:01:59 UTC (rev 288292)
@@ -1,3 +1,14 @@
+2022-01-10 Alan Bujtas <za...@apple.com>
+
+ null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
+ https://bugs.webkit.org/show_bug.cgi?id=234654
+ <rdar://problem/86571571>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt: Added.
+ * fast/block/line-layout/line-layout-collect-overflow-crash.html: Added.
+
2022-01-08 Gabriel Nava Marino <gnavamar...@apple.com>
null ptr deref in WebCore::ModifySelectionListLevelCommand::appendSiblingNodeRange
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt (0 => 288292)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt 2022-01-20 16:01:59 UTC (rev 288292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
+a
+
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html (0 => 288292)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html 2022-01-20 16:01:59 UTC (rev 288292)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+ :nth-last-child(odd) {
+ position: absolute;
+ }
+ div {
+ rotate: 0 0 0 0deg;
+ }
+</style>
+<script>
+ _onload_ = () => {
+ let div0 = document.createElement('div');
+ document.body.append(document.createElement('table'));
+ document.body.append(div0);
+ div0.append(document.createElement('img'));
+ document.execCommand('SelectAll');
+ div0.append('a');
+ document.body.append(document.createElement('div'));
+ document.designMode = 'on';
+ document.execCommand('FormatBlock', false, 'div');
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.");
+ };
+</script>
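Review bot: the handler on the `_onload_ = () => {` line is assigned to a global named `_onload_`, which the browser never invokes, so unless this is a rendering artifact the test body never runs and the test passes vacuously; it should read `onload = () => {`. Separately, `testRunner.dumpAsText()` is only called after the DOM mutations and `execCommand` calls that reproduce the crash; moving the `if (window.testRunner) testRunner.dumpAsText();` pair to the top of the handler keeps the text-only expectation in force regardless of where the script stops.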
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (288291 => 288292)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-20 15:58:50 UTC (rev 288291)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-20 16:01:59 UTC (rev 288292)
@@ -1,3 +1,24 @@
+2022-01-10 Alan Bujtas <za...@apple.com>
+
+ null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
+ https://bugs.webkit.org/show_bug.cgi?id=234654
+ <rdar://problem/86571571>
+
+ Reviewed by Antti Koivisto.
+
+ needsLayout() check in invalidateLineLayoutPath is insufficient for modern line layout.
+
+ m_lineLayout = std::monostate() does not only destroy the line layout object but it also nukes all the IFC geometries.
+ It is equivalent to having all the child boxes dirty, since in order to re-generate the geometry information,
+ we have to layout _all_ the boxes (note that nuking the legacy line layout object does not destroy the inline tree).
+ The bug here is that needsLayout() returns true for cases (e.g. posChildNeedsLayout) when
+ while the geometry is all gone, we are going to take a special layout codepath which expects pre-computed geometries.
+
+ Test: fast/block/line-layout/line-layout-collect-overflow-crash.html
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::invalidateLineLayoutPath):
+
2022-01-08 Gabriel Nava Marino <gnavamar...@apple.com>
null ptr deref in WebCore::ModifySelectionListLevelCommand::appendSiblingNodeRange
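Review bot: the ChangeLog line `m_lineLayout = std::monostate() does not only destroy the line layout object ...` does not match the code in this same revision, which assigns `WTF::Monostate()`; the description should quote the expression actually used so a reader grepping for it from the ChangeLog finds the site in RenderBlockFlow.cpp.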
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderBlockFlow.cpp (288291 => 288292)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderBlockFlow.cpp 2022-01-20 15:58:50 UTC (rev 288291)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/RenderBlockFlow.cpp 2022-01-20 16:01:59 UTC (rev 288292)
@@ -3698,7 +3698,7 @@
#endif
m_lineLayout = WTF::Monostate();
setLineLayoutPath(path);
- if (needsLayout())
+ if (selfNeedsLayout() || normalChildNeedsLayout())
return;
// FIXME: We should just kick off a subtree layout here (if needed at all) see webkit.org/b/172947.
setNeedsLayout();
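Review bot: the new condition `if (selfNeedsLayout() || normalChildNeedsLayout())` is correct but its reason is non-obvious and deserves a comment at the `if`: after `m_lineLayout = WTF::Monostate();` every IFC geometry is gone, so the early return is only safe when a dirty bit that guarantees a full re-layout of the children is already set; a positioned-child-only dirty state (the posChildNeedsLayout case from the log) must fall through to `setNeedsLayout();` because its codepath reads the pre-computed geometries that were just destroyed. Without that comment the check is likely to be "simplified" back to `needsLayout()` in a later cleanup, reintroducing the null dereference; referencing webkit.org/b/234654 next to the existing FIXME for b/172947 would anchor it.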
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes