Title: [226797] trunk
Revision
226797
Author
[email protected]
Date
2018-01-11 12:51:44 -0800 (Thu, 11 Jan 2018)

Log Message

RenderTreeUpdater::current() returns null_ptr when mutation is done through Document::resolveStyle.
https://bugs.webkit.org/show_bug.cgi?id=181513
<rdar://problem/36367085>

Reviewed by Antti Koivisto.

Source/WebCore:

This patch ensures that we use a valid RenderTreeBuilder even when
Document::resolveStyle (incorrectly) triggers tree mutation.
It can be reverted soon after the incorrect mutations are taken care of.

Test: fast/forms/button-set-text-crash.html

* rendering/RenderButton.cpp:
(WebCore::RenderButton::setText):
* rendering/RenderMenuList.cpp:
(RenderMenuList::setText):

LayoutTests:

* fast/forms/button-set-text-crash-expected.txt: Added.
* fast/forms/button-set-text-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (226796 => 226797)


--- trunk/LayoutTests/ChangeLog	2018-01-11 20:29:25 UTC (rev 226796)
+++ trunk/LayoutTests/ChangeLog	2018-01-11 20:51:44 UTC (rev 226797)
@@ -1,3 +1,14 @@
+2018-01-11  Zalan Bujtas  <[email protected]>
+
+        RenderTreeUpdater::current() returns null_ptr when mutation is done through Document::resolveStyle.
+        https://bugs.webkit.org/show_bug.cgi?id=181513
+        <rdar://problem/36367085>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/button-set-text-crash-expected.txt: Added.
+        * fast/forms/button-set-text-crash.html: Added.
+
 2018-01-11  Antoine Quint  <[email protected]>
 
         Only listen to webkitplaybacktargetavailabilitychanged when media controls are visible to the user

Added: trunk/LayoutTests/fast/forms/button-set-text-crash-expected.txt (0 => 226797)


--- trunk/LayoutTests/fast/forms/button-set-text-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/button-set-text-crash-expected.txt	2018-01-11 20:51:44 UTC (rev 226797)
@@ -0,0 +1 @@
+PASS if no crash. 

Added: trunk/LayoutTests/fast/forms/button-set-text-crash.html (0 => 226797)


--- trunk/LayoutTests/fast/forms/button-set-text-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/button-set-text-crash.html	2018-01-11 20:51:44 UTC (rev 226797)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<body>
+PASS if no crash.
+<input id=foobar type="button"></input>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+foobar.value = "foobar";
+</script>
+</body>
+</html>
\ No newline at end of file
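Review bot: `</input>` on the line `+<input id=foobar type="button"></input>` is an end tag for a void element; the HTML parser discards it, so drop it rather than rely on error recovery. The file also ends without a trailing newline (see the `\ No newline at end of file` marker). A one-line comment stating that `document.body.offsetHeight` forces layout so the RenderButton exists before `foobar.value` is assigned, and that the assignment is what drives the text mutation under test, would make the regression test self-explanatory to whoever later removes the workaround.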

Modified: trunk/Source/WebCore/ChangeLog (226796 => 226797)


--- trunk/Source/WebCore/ChangeLog	2018-01-11 20:29:25 UTC (rev 226796)
+++ trunk/Source/WebCore/ChangeLog	2018-01-11 20:51:44 UTC (rev 226797)
@@ -1,3 +1,22 @@
+2018-01-11  Zalan Bujtas  <[email protected]>
+
+        RenderTreeUpdater::current() returns null_ptr when mutation is done through Document::resolveStyle.
+        https://bugs.webkit.org/show_bug.cgi?id=181513
+        <rdar://problem/36367085>
+
+        Reviewed by Antti Koivisto.
+
+        This patch ensures that we use a valid RenderTreeBuilder even when
+        Document::resolveStyle (incorrectly) triggers tree mutation.
+        It can be reverted soon after the incorrect mutations are taken care of.
+
+        Test: fast/forms/button-set-text-crash.html
+
+        * rendering/RenderButton.cpp:
+        (WebCore::RenderButton::setText):
+        * rendering/RenderMenuList.cpp:
+        (RenderMenuList::setText):
+
 2018-01-11  Antoine Quint  <[email protected]>
 
         Only listen to webkitplaybacktargetavailabilitychanged when media controls are visible to the user
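Review bot: The title names `RenderTreeUpdater::current()` but the code change guards `RenderTreeBuilder::current()`; align the ChangeLog title with the class actually checked, and `null_ptr` should read `nullptr`. Since the description says the change "can be reverted soon after the incorrect mutations are taken care of", reference the tracking bug for that follow-up here so the temporary workaround is not forgotten.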

Modified: trunk/Source/WebCore/rendering/RenderButton.cpp (226796 => 226797)


--- trunk/Source/WebCore/rendering/RenderButton.cpp	2018-01-11 20:29:25 UTC (rev 226796)
+++ trunk/Source/WebCore/rendering/RenderButton.cpp	2018-01-11 20:51:44 UTC (rev 226797)
@@ -116,7 +116,11 @@
     if (!m_buttonText) {
         auto newButtonText = createRenderer<RenderTextFragment>(document(), str);
         m_buttonText = makeWeakPtr(*newButtonText);
-        RenderTreeBuilder::current()->insertChild(*this, WTFMove(newButtonText));
+        // FIXME: This mutation should go through the normal RenderTreeBuilder path.
+        if (RenderTreeBuilder::current())
+            RenderTreeBuilder::current()->insertChild(*this, WTFMove(newButtonText));
+        else
+            RenderTreeBuilder(*document().renderView()).insertChild(*this, WTFMove(newButtonText));
         return;
     }
 
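Review bot: `RenderTreeBuilder::current()` is evaluated twice, once in the `if` and again in the `insertChild` call; store it once (`auto* builder = RenderTreeBuilder::current();`) and use the local for both. The fallback branch dereferences `document().renderView()` without a null check; either assert it is non-null or note in the FIXME why a renderer inside `setText` always has a render view. The FIXME would also be more actionable if it cited the bug number for the follow-up that removes this path.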

Modified: trunk/Source/WebCore/rendering/RenderMenuList.cpp (226796 => 226797)


--- trunk/Source/WebCore/rendering/RenderMenuList.cpp	2018-01-11 20:29:25 UTC (rev 226796)
+++ trunk/Source/WebCore/rendering/RenderMenuList.cpp	2018-01-11 20:51:44 UTC (rev 226797)
@@ -285,7 +285,11 @@
     else {
         auto newButtonText = createRenderer<RenderText>(document(), textToUse);
         m_buttonText = makeWeakPtr(*newButtonText);
-        RenderTreeBuilder::current()->insertChild(*this, WTFMove(newButtonText));
+        // FIXME: This mutation should go through the normal RenderTreeBuilder path.
+        if (RenderTreeBuilder::current())
+            RenderTreeBuilder::current()->insertChild(*this, WTFMove(newButtonText));
+        else
+            RenderTreeBuilder(*document().renderView()).insertChild(*this, WTFMove(newButtonText));
     }
 
     adjustInnerStyle();
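Review bot: This `if`/`else` fallback is identical to the one added in `RenderButton::setText`; factor it into a shared helper that takes the parent renderer and the new child, so the workaround lives in one place and can be deleted once the FIXME is resolved, and so the two call sites cannot drift. As in RenderButton.cpp, `RenderTreeBuilder::current()` is evaluated twice and `*document().renderView()` is dereferenced without a check.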
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
