Title: [255083] trunk
- Revision
- 255083
- Author
- [email protected]
- Date
- 2020-01-24 11:12:46 -0800 (Fri, 24 Jan 2020)
Log Message
Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
https://bugs.webkit.org/show_bug.cgi?id=206109
Patch by Jack Lee <[email protected]> on 2020-01-24
Reviewed by Antti Koivisto.
Source/WebCore:
Test: fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html
* rendering/updating/RenderTreeBuilderBlockFlow.cpp:
(WebCore::RenderTreeBuilder::BlockFlow::attach):
LayoutTests:
* fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt: Added.
* fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (255082 => 255083)
--- trunk/LayoutTests/ChangeLog 2020-01-24 18:57:05 UTC (rev 255082)
+++ trunk/LayoutTests/ChangeLog 2020-01-24 19:12:46 UTC (rev 255083)
@@ -1,3 +1,13 @@
+2020-01-24 Jack Lee <[email protected]>
+
+ Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
+ https://bugs.webkit.org/show_bug.cgi?id=206109
+
+ Reviewed by Antti Koivisto.
+
+ * fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt: Added.
+ * fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html: Added.
+
2020-01-24 Lauro Moura <[email protected]>
[GTK][WPE] Websockets close-on-x tests are failing
Added: trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt (0 => 255083)
--- trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt 2020-01-24 19:12:46 UTC (rev 255083)
@@ -0,0 +1,4 @@
+
+Tests inserting an element before legend under multi-column layout.
+
+The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html (0 => 255083)
--- trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html (rev 0)
+++ trunk/LayoutTests/fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html 2020-01-24 19:12:46 UTC (rev 255083)
@@ -0,0 +1,16 @@
+<style>
+* { -webkit-column-width: 1px; }
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ _onload_ = function f() {
+ LEGEND.before(CANVAS);
+ }
+</script>
+<body>
+<canvas id="CANVAS"></canvas><fieldset><legend id="LEGEND"></legend>
+<p> Tests inserting an element before legend under multi-column layout.</p>
+<p> The test passes if WebKit doesn't crash or hit an assertion.</p>
+</body>
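Review bot: The handler at `_onload_ = function f() {` assigns to a plain global named `_onload_` rather than to the window's `onload` property, so the `LEGEND.before(CANVAS)` call that reproduces the crash would never run; if the underscores are an artifact of how this page was rendered, the line should read `onload = function f() {`, otherwise the test silently passes without exercising the fix. Worth confirming the test actually crashes without the RenderTreeBuilderBlockFlow.cpp change before landing.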
Modified: trunk/Source/WebCore/ChangeLog (255082 => 255083)
--- trunk/Source/WebCore/ChangeLog 2020-01-24 18:57:05 UTC (rev 255082)
+++ trunk/Source/WebCore/ChangeLog 2020-01-24 19:12:46 UTC (rev 255083)
@@ -1,3 +1,15 @@
+2020-01-24 Jack Lee <[email protected]>
+
+ Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
+ https://bugs.webkit.org/show_bug.cgi?id=206109
+
+ Reviewed by Antti Koivisto.
+
+ Test: fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html
+
+ * rendering/updating/RenderTreeBuilderBlockFlow.cpp:
+ (WebCore::RenderTreeBuilder::BlockFlow::attach):
+
2020-01-24 Per Arne Vollan <[email protected]>
Unreviewed, rolling out r255050.
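Review bot: The entry for `(WebCore::RenderTreeBuilder::BlockFlow::attach):` lists the touched function but gives no rationale for the fix; a one-line note that the legend is kept out of the multi-column flow, so a `beforeChild` that is the legend cannot be used as an insertion point inside that flow and the child is appended instead, would let future readers understand the change without reopening the bug.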
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp (255082 => 255083)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp 2020-01-24 18:57:05 UTC (rev 255082)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp 2020-01-24 19:12:46 UTC (rev 255083)
@@ -39,8 +39,13 @@
void RenderTreeBuilder::BlockFlow::attach(RenderBlockFlow& parent, RenderPtr<RenderObject> child, RenderObject* beforeChild)
{
- if (parent.multiColumnFlow() && (!parent.isFieldset() || !child->isLegend()))
+ if (parent.multiColumnFlow() && (!parent.isFieldset() || !child->isLegend())) {
+ if (parent.isFieldset() && beforeChild && beforeChild->isLegend())
+ return m_builder.blockBuilder().attach(*parent.multiColumnFlow(), WTFMove(child), nullptr);
+
return m_builder.attach(*parent.multiColumnFlow(), WTFMove(child), beforeChild);
+ }
+
auto* beforeChildOrPlaceholder = beforeChild;
if (auto* containingFragmentedFlow = parent.enclosingFragmentedFlow())
beforeChildOrPlaceholder = m_builder.multiColumnBuilder().resolveMovedChild(*containingFragmentedFlow, beforeChild);
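Review bot: The new early return at `return m_builder.blockBuilder().attach(*parent.multiColumnFlow(), WTFMove(child), nullptr);` silently changes the requested insertion position (before the legend) into an append at the end of the multi-column flow, and nothing in the hunk explains why that is correct; add a short comment stating that the legend is excluded from the multi-column flow (the outer condition `!child->isLegend()` already encodes this), so it can never serve as a `beforeChild` inside the flow. Two smaller points: the new branch calls `m_builder.blockBuilder().attach(...)` while the line directly below calls `m_builder.attach(...)` for the same target, so it is worth a sentence on why the generic dispatch is bypassed here; and `parent.isFieldset()` is re-evaluated inside the block even though the outer condition already depends on it, so the nested check could be simplified to `if (beforeChild && beforeChild->isLegend())` with the fieldset test hoisted, which would make the intended "fieldset with a legend sibling" case read more clearly.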