Title: [255976] trunk
- Revision
- 255976
- Author
- [email protected]
- Date
- 2020-02-06 13:40:58 -0800 (Thu, 06 Feb 2020)
Log Message
Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
https://bugs.webkit.org/show_bug.cgi?id=207241
When the pseudo element's host element does not initiate a renderer
(e.g. display: contents), we need to look further in the DOM tree
for a previous-sibling-or-parent-element candidate.
Patch by Jack Lee <[email protected]> on 2020-02-06
Reviewed by Zalan Bujtas.
Source/WebCore:
Test: fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html
* rendering/RenderCounter.cpp:
(WebCore::previousSiblingOrParentElement):
LayoutTests:
* fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt: Added.
* fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (255975 => 255976)
--- trunk/LayoutTests/ChangeLog 2020-02-06 21:36:48 UTC (rev 255975)
+++ trunk/LayoutTests/ChangeLog 2020-02-06 21:40:58 UTC (rev 255976)
@@ -1,3 +1,17 @@
+2020-02-06 Jack Lee <[email protected]>
+
+ Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
+ https://bugs.webkit.org/show_bug.cgi?id=207241
+
+ When the pseudo element's host element does not initiate a renderer
+ (e.g. display: contents) we need to look further in the DOM tree
+ for a previous-sibling-or-parent-element candidate.
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt: Added.
+ * fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html: Added.
+
2020-02-06 Sukolsak Sakshuwong <[email protected]> and Alexey Shvayka <[email protected]>
_javascript_ string corruption using RegExp with unicode character
Added: trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt (0 => 255976)
--- trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt 2020-02-06 21:40:58 UTC (rev 255976)
@@ -0,0 +1 @@
+Tests CSS counter of a pseudo element that has display: contents host. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html (0 => 255976)
--- trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html 2020-02-06 21:40:58 UTC (rev 255976)
@@ -0,0 +1,18 @@
+<style>
+html, body {
+ counter-reset: counter;
+}
+
+#outer {
+ display: contents;
+}
+
+#outer::before {
+ content: "text";
+}
+</style><span id=outer><span id=inner>Tests CSS counter of a pseudo element that has display: contents host. The test passes if WebKit doesn't crash or hit an assertion.</span></span><script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ document.body.offsetHeight;
+ inner.style.counterIncrement = "counter";
+</script>
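Review bot: the bare `document.body.offsetHeight;` statement is load-bearing (it forces layout so the subsequent `inner.style.counterIncrement = "counter"` mutation runs counter placement against an already-built render tree, which is the path that crashed), but it reads like a leftover; a one-line comment saying why the forced layout is there would help whoever next edits this test. Minor: `inner` is resolved through named window property access rather than `document.getElementById("inner")`; fine for a WebKit layout test, just noting it is intentional.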
Modified: trunk/Source/WebCore/ChangeLog (255975 => 255976)
--- trunk/Source/WebCore/ChangeLog 2020-02-06 21:36:48 UTC (rev 255975)
+++ trunk/Source/WebCore/ChangeLog 2020-02-06 21:40:58 UTC (rev 255976)
@@ -1,3 +1,19 @@
+2020-02-06 Jack Lee <[email protected]>
+
+ Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
+ https://bugs.webkit.org/show_bug.cgi?id=207241
+
+ When the pseudo element's host element does not initiate a renderer
+ (e.g. display: contents) we need to look further in the DOM tree
+ for a previous-sibling-or-parent-element candidate.
+
+ Reviewed by Zalan Bujtas.
+
+ Test: fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html
+
+ * rendering/RenderCounter.cpp:
+ (WebCore::previousSiblingOrParentElement):
+
2020-02-06 Commit Queue <[email protected]>
Unreviewed, rolling out r255910, r255970, and r255972.
Modified: trunk/Source/WebCore/rendering/RenderCounter.cpp (255975 => 255976)
--- trunk/Source/WebCore/rendering/RenderCounter.cpp 2020-02-06 21:36:48 UTC (rev 255975)
+++ trunk/Source/WebCore/rendering/RenderCounter.cpp 2020-02-06 21:40:58 UTC (rev 255976)
@@ -75,23 +75,28 @@
return renderer.element() ? renderer.element()->parentElement() : nullptr;
}
-static Element* previousSiblingOrParentElement(const Element* element)
+static Element* previousSiblingOrParentElement(const Element& element)
{
- auto* previous = ElementTraversal::pseudoAwarePreviousSibling(*element);
- while (previous && !previous->renderer())
- previous = ElementTraversal::pseudoAwarePreviousSibling(*previous);
+ if (auto* previous = ElementTraversal::pseudoAwarePreviousSibling(element)) {
+ while (previous && !previous->renderer())
+ previous = ElementTraversal::pseudoAwarePreviousSibling(*previous);
- if (previous)
- return previous;
+ if (previous)
+ return previous;
+ }
- auto* renderer = element->renderer();
- if (renderer && renderer->isPseudoElement())
- return renderer->generatingElement();
-
- previous = element->parentElement();
- if (previous && !previous->renderer())
- previous = previousSiblingOrParentElement(previous);
- return previous;
+ if (is<PseudoElement>(element)) {
+ auto* hostElement = downcast<PseudoElement>(element).hostElement();
+ ASSERT(hostElement);
+ if (hostElement->renderer())
+ return hostElement;
+ return previousSiblingOrParentElement(*hostElement);
+ }
+
+ auto* parent = element.parentElement();
+ if (parent && !parent->renderer())
+ parent = previousSiblingOrParentElement(*parent);
+ return parent;
}
// This function processes the renderer tree in the order of the DOM tree
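Review bot: in the new `is<PseudoElement>(element)` branch, `ASSERT(hostElement)` compiles out in release builds, so `hostElement->renderer()` on the following line dereferences the host unconditionally; if this path can ever be reached for a pseudo element whose host has already been cleared, prefer `RELEASE_ASSERT(hostElement)` or an explicit `if (!hostElement) return nullptr;`. The sibling walk can also drop the outer `if (auto* previous = ...)`: the inner `while (previous && !previous->renderer())` already guards null, so the original three-line loop followed by `if (previous) return previous;` is equivalent and shorter. Lastly, the recursion through `previousSiblingOrParentElement(*hostElement)` and `previousSiblingOrParentElement(*parent)` is unbounded in the depth of consecutive renderer-less ancestors (e.g. nested `display: contents`); the parent case was already recursive before this patch, but a short comment, or a loop instead of recursion, would make the termination argument explicit.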
@@ -100,7 +105,7 @@
{
ASSERT(renderer.element());
- auto* previous = previousSiblingOrParentElement(renderer.element());
+ auto* previous = previousSiblingOrParentElement(*renderer.element());
return previous ? previous->renderer() : nullptr;
}
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes