Title: [286827] trunk
- Revision: 286827
- Author: [email protected]
- Date: 2021-12-09 19:37:04 -0800 (Thu, 09 Dec 2021)
Log Message
Stack-overflow crash in WebCore::RenderBox::computeLogicalHeight()
https://bugs.webkit.org/show_bug.cgi?id=233460
Reviewed by Sergio Villar Senin and Darin Adler.
Source/WebCore:
Like a flexibleBox item, a deprecatedFlexibleBox item should call clearOverridingContentSize if
it is positioned. Otherwise, RenderReplaced::computeAspectRatioInformationForRenderBox might call
itself recursively.
Test: fast/css/deprecated-flex-box-with-min-content-crashes.html
* rendering/RenderBox.cpp:
(WebCore::RenderBox::styleDidChange):
* rendering/style/RenderStyle.h:
(WebCore::RenderStyle::isDisplayFlexibleOrGridBoxIncludingDeprecated const):
(WebCore::RenderStyle::isDisplayDeprecatedFlexibleBox):
LayoutTests:
* fast/css/deprecated-flex-box-with-min-content-crashes-expected.txt: Added.
* fast/css/deprecated-flex-box-with-min-content-crashes.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (286826 => 286827)
--- trunk/LayoutTests/ChangeLog 2021-12-10 03:16:01 UTC (rev 286826)
+++ trunk/LayoutTests/ChangeLog 2021-12-10 03:37:04 UTC (rev 286827)
@@ -1,3 +1,13 @@
+2021-12-09 Cathie Chen <[email protected]>
+
+ Stack-overflow crash in WebCore::RenderBox::computeLogicalHeight()
+ https://bugs.webkit.org/show_bug.cgi?id=233460
+
+ Reviewed by Sergio Villar Senin and Darin Adler.
+
+ * fast/css/deprecated-flex-box-with-min-content-crashes-expected.txt: Added.
+ * fast/css/deprecated-flex-box-with-min-content-crashes.html: Added.
+
2021-12-09 Chris Dumez <[email protected]>
Add basic support for launching a SharedWorker
Added: trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes-expected.txt (0 => 286827)
--- trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes-expected.txt 2021-12-10 03:37:04 UTC (rev 286827)
@@ -0,0 +1 @@
+This test PASS if it doesn't CRASH.
Added: trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes.html (0 => 286827)
--- trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes.html (rev 0)
+++ trunk/LayoutTests/fast/css/deprecated-flex-box-with-min-content-crashes.html 2021-12-10 03:37:04 UTC (rev 286827)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<style>
+body,
+iframe {
+ aspect-ratio: 1;
+}
+
+body {
+ display: -webkit-box;
+ -webkit-box-orient: block-axis;
+}
+
+iframe {
+ display: block;
+ -webkit-box-flex: 1;
+ max-inline-size: min-content;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+_onload_ = () => {
+ let iframe0 = document.createElement('iframe');
+ document.body.append(iframe0);
+ document.body.getBoundingClientRect();
+ iframe0.style.position = 'fixed';
+ document.body.getBoundingClientRect();
+ document.body.innerHTML = "This test PASS if it doesn't CRASH.";
+};
+</script>
+</html>
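Review bot: the handler is assigned to a global named `_onload_` rather than `onload`/`window.onload`, so as written it never fires and the test would pass without ever toggling the iframe to `position: fixed`; if this is a transcription artifact it should read `onload = () => {`. The test would also benefit from a one-line comment stating what it reproduces (a `-webkit-box` child with `aspect-ratio` and `max-inline-size: min-content` becoming out-of-flow after layout), since the expected text only says it must not crash, and the file closes with `</html>` without an opening `<html>` tag.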
Modified: trunk/Source/WebCore/ChangeLog (286826 => 286827)
--- trunk/Source/WebCore/ChangeLog 2021-12-10 03:16:01 UTC (rev 286826)
+++ trunk/Source/WebCore/ChangeLog 2021-12-10 03:37:04 UTC (rev 286827)
@@ -1,3 +1,22 @@
+2021-12-09 Cathie Chen <[email protected]>
+
+ Stack-overflow crash in WebCore::RenderBox::computeLogicalHeight()
+ https://bugs.webkit.org/show_bug.cgi?id=233460
+
+ Reviewed by Sergio Villar Senin and Darin Adler.
+
+ Like flexibleBox item, deprecatedFlexibleBox item should call clearOverridingContentSize if
+ it is positioned. Otherwise, RenderReplaced::computeAspectRatioInformationForRenderBox might call
+ itself recursively.
+
+ Test: fast/css/deprecated-flex-box-with-min-content-crashes.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::styleDidChange):
+ * rendering/style/RenderStyle.h:
+ (WebCore::RenderStyle::isDisplayFlexibleOrGridBoxIncludingDeprecated const):
+ (WebCore::RenderStyle::isDisplayDeprecatedFlexibleBox):
+
2021-12-09 Devin Rousso <[email protected]>
Add a `DOMPasteAccessCategory` to control which pasteboard the WebProcess is granted access to when pasting
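Review bot: the RenderStyle.h entry names the new member `isDisplayFlexibleOrGridBoxIncludingDeprecated const`, but the header hunk below adds `isDisplayFlexibleBoxIncludingDeprecatedOrGridBox() const`; the ChangeLog should match the identifier actually introduced, e.g. `(WebCore::RenderStyle::isDisplayFlexibleBoxIncludingDeprecatedOrGridBox const):`. The description could also say explicitly that the recursion arises when a positioned child keeps a stale overriding content size from its `-webkit-box` parent, which is what the new condition in styleDidChange now clears.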
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (286826 => 286827)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2021-12-10 03:16:01 UTC (rev 286826)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2021-12-10 03:37:04 UTC (rev 286827)
@@ -417,7 +417,7 @@
// Changing the position from/to absolute can potentially create/remove flex/grid items, as absolutely positioned
// children of a flex/grid box are out-of-flow, and thus, not flex/grid items. This means that we need to clear
// any override content size set by our container, because it would likely be incorrect after the style change.
- if (isOutOfFlowPositioned() && parent() && parent()->style().isDisplayFlexibleOrGridBox())
+ if (isOutOfFlowPositioned() && parent() && parent()->style().isDisplayFlexibleBoxIncludingDeprecatedOrGridBox())
clearOverridingContentSize();
#if ENABLE(LAYOUT_FORMATTING_CONTEXT)
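Review bot: the comment above the changed condition still speaks only of "flex/grid items" and "flex/grid box", while the condition now also covers the deprecated `-webkit-box` flexible box; update it to mention the deprecated flexible box (or say "flex, deprecated flex, or grid box") so the comment and the check stay in step.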
Modified: trunk/Source/WebCore/rendering/style/RenderStyle.h (286826 => 286827)
--- trunk/Source/WebCore/rendering/style/RenderStyle.h 2021-12-10 03:16:01 UTC (rev 286826)
+++ trunk/Source/WebCore/rendering/style/RenderStyle.h 2021-12-10 03:37:04 UTC (rev 286827)
@@ -1517,6 +1517,7 @@
bool isDisplayInlineType() const { return isDisplayInlineType(display()); }
bool isOriginalDisplayInlineType() const { return isDisplayInlineType(originalDisplay()); }
bool isDisplayFlexibleOrGridBox() const { return isDisplayFlexibleOrGridBox(display()); }
+ bool isDisplayFlexibleBoxIncludingDeprecatedOrGridBox() const { return isDisplayFlexibleOrGridBox() || isDisplayDeprecatedFlexibleBox(display()); }
bool isDisplayRegionType() const;
bool isDisplayTableOrTablePart() const { return isDisplayTableOrTablePart(display()); }
bool isOriginalDisplayListItemType() const { return isDisplayListItemType(originalDisplay()); }
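Review bot: the new member mixes the non-static `isDisplayFlexibleOrGridBox()` with the static `isDisplayDeprecatedFlexibleBox(display())`; for symmetry with the neighbouring one-liners, evaluate `display()` once and pass it to both, e.g. `return isDisplayFlexibleOrGridBox(display()) || isDisplayDeprecatedFlexibleBox(display());`, and consider a static `DisplayType` overload alongside `isDisplayFlexibleOrGridBox(DisplayType)` so callers that already hold a `DisplayType` can use it.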
@@ -2006,6 +2007,7 @@
static bool isDisplayFlexibleBox(DisplayType);
static bool isDisplayGridBox(DisplayType);
static bool isDisplayFlexibleOrGridBox(DisplayType);
+ static bool isDisplayDeprecatedFlexibleBox(DisplayType);
static bool isDisplayListItemType(DisplayType);
static bool isDisplayTableOrTablePart(DisplayType);
@@ -2424,6 +2426,11 @@
return isDisplayFlexibleBox(display) || isDisplayGridBox(display);
}
+inline bool RenderStyle::isDisplayDeprecatedFlexibleBox(DisplayType display)
+{
+ return display == DisplayType::Box || display == DisplayType::InlineBox;
+}
+
inline bool RenderStyle::isDisplayListItemType(DisplayType display)
{
return display == DisplayType::ListItem;
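Review bot: a short comment on `isDisplayDeprecatedFlexibleBox` noting that `DisplayType::Box` and `DisplayType::InlineBox` are the `-webkit-box` and `-webkit-inline-box` display values (the former is what the new layout test uses) would help readers who do not have the enum in front of them, and makes it clear why only these two values count as the deprecated flexible box.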
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes