Title: [283030] trunk
Revision: 283030
Author: [email protected]
Date: 2021-09-24 00:22:50 -0700 (Fri, 24 Sep 2021)
Log Message
[RenderTreeUpdater] NULL ptr deref in updateRenderTree
https://bugs.webkit.org/show_bug.cgi?id=230581
Patch by Brandon Stewart <[email protected]> on 2021-09-24
Reviewed by Antti Koivisto.
Source/WebCore:
Text element changes are buffered. This can lead to undesirable behavior
when switching a node to a document that is not rendered, and then proceeding
with a rendering update.
If we cannot find a renderer in a node or its ancestors then just give up
instead of returning a document.
Test: fast/dom/Document/clearPendingRenderTreeUpdater.html
* rendering/updating/RenderTreeUpdater.cpp:
(WebCore::findRenderingRoot):
(WebCore::RenderTreeUpdater::commit):
(WebCore::RenderTreeUpdater::createRenderer):
(WebCore::RenderTreeUpdater::textRendererIsNeeded):
LayoutTests:
New regression test to handle the case where we trigger a text update
and then switch the node to a new unrendered document.
* fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt: Added.
* fast/dom/Document/clearPendingRenderTreeUpdater.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (283029 => 283030)
--- trunk/LayoutTests/ChangeLog 2021-09-24 07:21:59 UTC (rev 283029)
+++ trunk/LayoutTests/ChangeLog 2021-09-24 07:22:50 UTC (rev 283030)
@@ -1,3 +1,16 @@
+2021-09-24 Brandon Stewart <[email protected]>
+
+ [RenderTreeUpdater] NULL ptr deref in updateRenderTree
+ https://bugs.webkit.org/show_bug.cgi?id=230581
+
+ Reviewed by Antti Koivisto.
+
+ New regression test to handle case where we trigger a text update,
+ and then switch the node to a new unrendered document.
+
+ * fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt: Added.
+ * fast/dom/Document/clearPendingRenderTreeUpdater.html: Added.
+
2021-09-24 Sihui Liu <[email protected]>
Add initial support for File System Access API
Added: trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt (0 => 283030)
--- trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt 2021-09-24 07:22:50 UTC (rev 283030)
@@ -0,0 +1 @@
+This test shall pass if it does not crash.
Added: trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html (0 => 283030)
--- trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html 2021-09-24 07:22:50 UTC (rev 283030)
@@ -0,0 +1,22 @@
+<html>
+<body>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText()
+
+ let div0 = document.createElement('div');
+ div0.style.display = 'contents';
+ let div1 = document.createElement('div');
+ div1.append('ab');
+ div0.appendChild(div1);
+ document.body.appendChild(div0);
+ document.body.offsetTop;
+ div1.innerHTML = 'a';
+ new Document().appendChild(div0);
+ }
+</script>
+
+This test shall pass if it does not crash.
+</body>
+</html>
\ No newline at end of file
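Review bot: the load handler is assigned to `_onload_` rather than `onload`, so as shown here the arrow function is never run by the load event and the test would pass without ever reaching the text update or the document switch; if this is only how the page rendered `onload`, disregard, otherwise fix the property name. The ordering inside the handler is also worth a comment for future readers: `document.body.offsetTop;` forces layout so that the following `div1.innerHTML = 'a';` is buffered as a pending text update before `new Document().appendChild(div0);` moves the subtree into a document that has no renderer, which is the exact sequence the ChangeLog describes. Minor: `testRunner.dumpAsText()` is missing its semicolon and the file has no trailing newline.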
Modified: trunk/Source/WebCore/ChangeLog (283029 => 283030)
--- trunk/Source/WebCore/ChangeLog 2021-09-24 07:21:59 UTC (rev 283029)
+++ trunk/Source/WebCore/ChangeLog 2021-09-24 07:22:50 UTC (rev 283030)
@@ -1,3 +1,25 @@
+2021-09-24 Brandon Stewart <[email protected]>
+
+ [RenderTreeUpdater] NULL ptr deref in updateRenderTree
+ https://bugs.webkit.org/show_bug.cgi?id=230581
+
+ Reviewed by Antti Koivisto.
+
+ Text element changes are buffered. This can lead to undesirable behavior
+ when switching a node to a document that is not rendered, and then proceeding
+ with a rendering update.
+
+ If we cannot find a renderer in a node or its ancestors then just give up
+ instead of returning a document.
+
+ Test: fast/dom/Document/clearPendingRenderTreeUpdater.html
+
+ * rendering/updating/RenderTreeUpdater.cpp:
+ (WebCore::findRenderingRoot):
+ (WebCore::RenderTreeUpdater::commit):
+ (WebCore::RenderTreeUpdater::createRenderer):
+ (WebCore::RenderTreeUpdater::textRendererIsNeeded):
+
2021-09-24 Sihui Liu <[email protected]>
Add initial support for File System Access API
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp (283029 => 283030)
--- trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2021-09-24 07:21:59 UTC (rev 283029)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2021-09-24 07:22:50 UTC (rev 283030)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -96,7 +96,7 @@
if (!ancestor.hasDisplayContents())
return nullptr;
}
- return &node.document();
+ return nullptr;
}
static ListHashSet<ContainerNode*> findRenderingRoots(const Style::Update& update)
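Review bot: with the fallback changed from `return &node.document();` to `return nullptr;`, every caller of findRenderingRoot must tolerate a null result, and none of the callers is in this diff; please confirm that findRenderingRoots (declared just below) skips a null root before adding it to the ListHashSet<ContainerNode*>, since a null pointer is not a usable key there. A one-line comment on the new return would also help: a node with no rendered ancestor (for example one that was moved into a document that has never been rendered) has nothing to update, and handing back the node's document as a root is what let the buffered text change reach updateRenderTree with no renderer behind it.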
@@ -117,7 +117,7 @@
if (!m_document.shouldCreateRenderers() || !m_document.renderView())
return;
-
+
TraceScope scope(RenderTreeBuildStart, RenderTreeBuildEnd);
m_styleUpdate = WTFMove(styleUpdate);
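Review bot: this hunk is a whitespace-only change (a blank line replaced by a blank line, presumably trailing whitespace dropped) unrelated to the null-dereference fix, and the same holds for the two hunks below at lines 373 and 443; such cleanups are easier to review and to bisect as a separate commit. Because of them the ChangeLog lists commit, createRenderer and textRendererIsNeeded as modified functions although nothing functional changes in any of them, which obscures that findRenderingRoot is the only real change.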
@@ -373,7 +373,7 @@
renderTreePosition().computeNextSibling(element);
return renderTreePosition();
};
-
+
if (!shouldCreateRenderer(element, renderTreePosition().parent()))
return;
@@ -443,7 +443,7 @@
} else {
if (parentRenderer.isRenderBlock() && !parentRenderer.childrenInline() && (!previousRenderer || !previousRenderer->isInline()))
return false;
-
+
RenderObject* first = parentRenderer.firstChild();
while (first && first->isFloatingOrOutOfFlowPositioned())
first = first->nextSibling();
webkit-changes mailing list: https://lists.webkit.org/mailman/listinfo/webkit-changes