Title: [91781] trunk
Revision
91781
Author
[email protected]
Date
2011-07-26 13:39:25 -0700 (Tue, 26 Jul 2011)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=60778

Use after free because of line box culling optimization regression.

In the case of a child with no line box being removed (typically
a <br> in quirks mode), if there is no previous sibling with a line
box, then we have a potential problem with the culling optimization.

The culled inline may still have other leaf line box children, but
they may follow the removed <br>. In this case we can't rely on
them, since we need a line box that comes before the <br>.

The fix is to simply recur up to the parent if we are a culled inline
and could not find a previous line box.

Reviewed by Dan Bernstein.

Added editing/execCommand/crash-line-break-after-outdent.html

Source/WebCore: 

* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

LayoutTests: 

* editing/execCommand/crash-line-break-after-outdent-expected.txt: Added.
* editing/execCommand/crash-line-break-after-outdent.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (91780 => 91781)


--- trunk/LayoutTests/ChangeLog	2011-07-26 20:36:25 UTC (rev 91780)
+++ trunk/LayoutTests/ChangeLog	2011-07-26 20:39:25 UTC (rev 91781)
@@ -1,3 +1,27 @@
+2011-07-26  David Hyatt  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=60778
+
+        Use after free because of line box culling optimization regression.
+
+        In the case of a child with no line box being removed (typically
+        a <br> in quirks mode), if there is no previous sibling with a line
+        box, then we have a potential problem with the culling optimization.
+
+        The culled inline may still have other leaf line box children, but
+        they may follow the removed <br>. In this case we can't rely on
+        them, since we need a line box that comes before the <br>.
+
+        The fix is to simply recur up to the parent if we are a culled inline
+        and could not find a previous line box.
+
+        Reviewed by Dan Bernstein.
+
+        Added editing/execCommand/crash-line-break-after-outdent.html
+
+        * editing/execCommand/crash-line-break-after-outdent-expected.txt: Added.
+        * editing/execCommand/crash-line-break-after-outdent.html: Added.
+
 2011-07-26  Chris Rogers  <[email protected]>
 
         Add first basic layout test for the web audio API

Added: trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt (0 => 91781)


--- trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt	2011-07-26 20:39:25 UTC (rev 91781)
@@ -0,0 +1,3 @@
+Test for bug REGRESSION (83075): Crash in line break after outdent
+
+This test PASSED!
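Review bot: the expected text names "bug REGRESSION (83075)", but the ChangeLog tracks this fix as https://bugs.webkit.org/show_bug.cgi?id=60778, and nothing on the page says what tracker 83075 belongs to; since this test passes simply by not crashing (the dumped text carries no rendering result), the one thing its output can usefully record is a bug identifier a reader can look up, so either cite 60778 here or say which tracker 83075 refers to.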

Added: trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html (0 => 91781)


--- trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-line-break-after-outdent.html	2011-07-26 20:39:25 UTC (rev 91781)
@@ -0,0 +1,29 @@
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function f() {
+    document.designMode="on";
+    document.execCommand("SelectAll");
+    document.execCommand("InsertImage",false);
+    document.execCommand("InsertImage",false);
+    document.execCommand("Indent");
+    document.execCommand("insertunorderedlist",false);
+    document.execCommand("InsertUnorderedList",false);
+    document.execCommand("Bold");
+    document.execCommand("InsertLineBreak");
+    document.execCommand("insertunorderedlist");
+    document.execCommand("insertimage",false);
+    document.execCommand("insertparagraph",false);
+    document.execCommand("insertunorderedlist");
+    document.execCommand("InsertUnorderedList");
+    document.execCommand("Outdent");
+    document.write("<p>Test for bug <a href="" (83075): Crash in line break after outdent</p>");
+    document.write("<p>This test PASSED!</p>");
+}
+ </script>
+</head>
+<body _onload_='f();'>
+    <pre id="x">x</pre>
+</body>
\ No newline at end of file
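Review bot: the `document.write` call at `<a href="" (83075)` has unbalanced double quotes inside a double-quoted JS string, and the body's handler attribute is spelled `_onload_`, so as shown here the script would fail to parse and `f()` would never run; both look like mail-archive sanitization of the original `onload` attribute and a stripped `href` URL, so confirm the committed file reads correctly and actually produces the expected "Test for bug REGRESSION (83075)" line. Also, the file deliberately has no doctype, which is what puts the document in quirks mode and makes the `<br>` inserted by `InsertLineBreak` the line-box-less child the ChangeLog describes; a one-line comment stating that the missing doctype is intentional would stop a future cleanup from silently neutering this regression test. Minor: add the trailing newline.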

Modified: trunk/Source/WebCore/ChangeLog (91780 => 91781)


--- trunk/Source/WebCore/ChangeLog	2011-07-26 20:36:25 UTC (rev 91780)
+++ trunk/Source/WebCore/ChangeLog	2011-07-26 20:39:25 UTC (rev 91781)
@@ -1,3 +1,27 @@
+2011-07-26  David Hyatt  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=60778
+
+        Use after free because of line box culling optimization regression.
+
+        In the case of a child with no line box being removed (typically
+        a <br> in quirks mode), if there is no previous sibling with a line
+        box, then we have a potential problem with the culling optimization.
+
+        The culled inline may still have other leaf line box children, but
+        they may follow the removed <br>. In this case we can't rely on
+        them, since we need a line box that comes before the <br>.
+
+        The fix is to simply recur up to the parent if we are a culled inline
+        and could not find a previous line box.
+
+        Reviewed by Dan Bernstein.
+
+        Added editing/execCommand/crash-line-break-after-outdent.html
+
+        * rendering/RenderLineBoxList.cpp:
+        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):
+
 2011-07-26  Dan Bernstein  <[email protected]>
 
         <rdar://problem/9842889> Add a generic pictograph font family

Modified: trunk/Source/WebCore/rendering/RenderLineBoxList.cpp (91780 => 91781)


--- trunk/Source/WebCore/rendering/RenderLineBoxList.cpp	2011-07-26 20:36:25 UTC (rev 91780)
+++ trunk/Source/WebCore/rendering/RenderLineBoxList.cpp	2011-07-26 20:39:25 UTC (rev 91781)
@@ -354,8 +354,21 @@
         if (box)
             break;
     }
-    if (!box)
+    if (!box) {
+        if (inlineContainer && !inlineContainer->alwaysCreateLineBoxes()) {
+            // https://bugs.webkit.org/show_bug.cgi?id=60778
+            // We may have just removed a <br> with no line box that was our first child. In this case
+            // we won't find a previous sibling, but firstBox can be pointing to a following sibling.
+            // This isn't good enough, since we won't locate the root line box that encloses the removed
+            // <br>. We have to just over-invalidate a bit and go up to our parent.
+            if (!inlineContainer->parent()->selfNeedsLayout()) {
+                inlineContainer->parent()->dirtyLinesFromChangedChild(inlineContainer);
+                inlineContainer->setNeedsLayout(true); // Mark the container as needing layout to avoid dirtying the same lines again across multiple destroy() calls of the same subtree.
+            }
+            return;
+        }
         box = firstBox->root();
+    }
 
     // If we found a line box, then dirty it.
     if (box) {
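Review bot: `inlineContainer->parent()` is dereferenced twice in the new branch without a null check; if the function's entry conditions already guarantee that an inline container has a parent, hoist it into a local (`RenderObject* parent = inlineContainer->parent();`) with an ASSERT so the invariant is visible in this hunk rather than assumed from code outside it. The guard also tests the parent's `selfNeedsLayout()` but then marks `inlineContainer` rather than the parent; the trailing comment explains the intent (avoid re-dirtying the same lines across repeated destroy() calls on one subtree) but not where the flag on the inline container is later consulted, so a short comment naming the early return that reads it would make the pairing clear. Style: the comment on the `setNeedsLayout(true)` line runs far past the usual width; put it on its own line above the statement.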
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes