Title: [287417] trunk
Revision
287417
Author
[email protected]
Date
2021-12-23 17:22:12 -0800 (Thu, 23 Dec 2021)

Log Message

REGRESSION(Containment) nullptr deref in RenderBox::styleDidChange
https://bugs.webkit.org/show_bug.cgi?id=234647
<rdar://86841302>

Reviewed by Simon Fraser.

Source/WebCore:

Do not try to propagate the writing mode to the RenderView unless we are attached to one.

Test: fast/dynamic/document-elment-renderer-null-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::styleDidChange):

LayoutTests:

* fast/dynamic/document-elment-renderer-null-crash-expected.txt: Added.
* fast/dynamic/document-elment-renderer-null-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (287416 => 287417)


--- trunk/LayoutTests/ChangeLog	2021-12-23 23:46:51 UTC (rev 287416)
+++ trunk/LayoutTests/ChangeLog	2021-12-24 01:22:12 UTC (rev 287417)
@@ -1,3 +1,14 @@
+2021-12-23  Alan Bujtas  <[email protected]>
+
+        REGRESSION(Containment) nullptr deref in RenderBox::styleDidChange
+        https://bugs.webkit.org/show_bug.cgi?id=234647
+        <rdar://86841302>
+
+        Reviewed by Simon Fraser.
+
+        * fast/dynamic/document-elment-renderer-null-crash-expected.txt: Added.
+        * fast/dynamic/document-elment-renderer-null-crash.html: Added.
+
 2021-12-23  Tim Nguyen  <[email protected]>
 
         Rebaseline getComputedStyle tests for iOS after r287356

Added: trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash-expected.txt (0 => 287417)


--- trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash-expected.txt	2021-12-24 01:22:12 UTC (rev 287417)
@@ -0,0 +1 @@
+PASS if no crash

Added: trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash.html (0 => 287417)


--- trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dynamic/document-elment-renderer-null-crash.html	2021-12-24 01:22:12 UTC (rev 287417)
@@ -0,0 +1,12 @@
+<div id=insertionPoint>PASS if no crash</div>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+var iframe = document.createElement("iframe");
+insertionPoint.appendChild(iframe);
+
+var iframeDocument = iframe.contentWindow.document; 
+iframeDocument.open();
+iframeDocument.appendChild(document.createElement("script"));
+iframeDocument.close();
+</script>
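Review bot: The test has no comment tying it to the code path it exercises, and the line `var iframeDocument = iframe.contentWindow.document; ` carries trailing whitespace. A one-line header such as `<!-- Regression test for webkit.org/b/234647: a style change while the document element has no renderer must not crash (expected output: PASS if no crash). -->` would make the intent clear to whoever next touches RenderBox::styleDidChange; the exact mechanism (document.open() on the iframe document followed by appending a script) is presumably what leaves the document element without a renderer, but the page does not show that directly, so keep the comment to the observable expectation.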

Modified: trunk/Source/WebCore/ChangeLog (287416 => 287417)


--- trunk/Source/WebCore/ChangeLog	2021-12-23 23:46:51 UTC (rev 287416)
+++ trunk/Source/WebCore/ChangeLog	2021-12-24 01:22:12 UTC (rev 287417)
@@ -1,3 +1,18 @@
+2021-12-23  Alan Bujtas  <[email protected]>
+
+        REGRESSION(Containment) nullptr deref in RenderBox::styleDidChange
+        https://bugs.webkit.org/show_bug.cgi?id=234647
+        <rdar://86841302>
+
+        Reviewed by Simon Fraser.
+
+        Do not try to propagate the writing mode to the RenderView unless we are attached to one.
+
+        Test: fast/dynamic/document-elment-renderer-null-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::styleDidChange):
+
 2021-12-23  Tim Nguyen  <[email protected]>
 
         Update features.json for STP 134-137

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (287416 => 287417)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2021-12-23 23:46:51 UTC (rev 287416)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2021-12-24 01:22:12 UTC (rev 287417)
@@ -350,33 +350,39 @@
         bool rootStyleChanged = false;
         bool viewDirectionOrWritingModeChanged = false;
         auto* rootRenderer = isBodyRenderer ? documentElementRenderer : nullptr;
-        if (!isBodyRenderer || !(shouldApplyAnyContainment(*this) || shouldApplyAnyContainment(*documentElementRenderer))) {
+
+        auto propagateWritingModeToRenderViewIfApplicable = [&] {
             // Propagate the new writing mode and direction up to the RenderView.
-            if (viewStyle.direction() != newStyle.direction() && (isDocElementRenderer || !documentElementRenderer->style().hasExplicitlySetDirection())) {
-                viewStyle.setDirection(newStyle.direction());
-                viewDirectionOrWritingModeChanged = true;
-                if (isBodyRenderer) {
-                    rootRenderer->mutableStyle().setDirection(newStyle.direction());
-                    rootStyleChanged = true;
+            if (!documentElementRenderer)
+                return;
+            if (!isBodyRenderer || !(shouldApplyAnyContainment(*this) || shouldApplyAnyContainment(*documentElementRenderer))) {
+                if (viewStyle.direction() != newStyle.direction() && (isDocElementRenderer || !documentElementRenderer->style().hasExplicitlySetDirection())) {
+                    viewStyle.setDirection(newStyle.direction());
+                    viewDirectionOrWritingModeChanged = true;
+                    if (isBodyRenderer) {
+                        rootRenderer->mutableStyle().setDirection(newStyle.direction());
+                        rootStyleChanged = true;
+                    }
+                    setNeedsLayoutAndPrefWidthsRecalc();
+
+                    view().frameView().topContentDirectionDidChange();
                 }
-                setNeedsLayoutAndPrefWidthsRecalc();
 
-                view().frameView().topContentDirectionDidChange();
-            }
-
-            if (viewStyle.writingMode() != newStyle.writingMode() && (isDocElementRenderer || !documentElementRenderer->style().hasExplicitlySetWritingMode())) {
-                viewStyle.setWritingMode(newStyle.writingMode());
-                viewDirectionOrWritingModeChanged = true;
-                view().setHorizontalWritingMode(newStyle.isHorizontalWritingMode());
-                view().markAllDescendantsWithFloatsForLayout();
-                if (isBodyRenderer) {
-                    rootStyleChanged = true;
-                    rootRenderer->mutableStyle().setWritingMode(newStyle.writingMode());
-                    rootRenderer->setHorizontalWritingMode(newStyle.isHorizontalWritingMode());
+                if (viewStyle.writingMode() != newStyle.writingMode() && (isDocElementRenderer || !documentElementRenderer->style().hasExplicitlySetWritingMode())) {
+                    viewStyle.setWritingMode(newStyle.writingMode());
+                    viewDirectionOrWritingModeChanged = true;
+                    view().setHorizontalWritingMode(newStyle.isHorizontalWritingMode());
+                    view().markAllDescendantsWithFloatsForLayout();
+                    if (isBodyRenderer) {
+                        rootStyleChanged = true;
+                        rootRenderer->mutableStyle().setWritingMode(newStyle.writingMode());
+                        rootRenderer->setHorizontalWritingMode(newStyle.isHorizontalWritingMode());
+                    }
+                    setNeedsLayoutAndPrefWidthsRecalc();
                 }
-                setNeedsLayoutAndPrefWidthsRecalc();
             }
-        }
+        };
+        propagateWritingModeToRenderViewIfApplicable();
 
 #if ENABLE(DARK_MODE_CSS)
         view().frameView().recalculateBaseBackgroundColor();
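Review bot: The new guard `if (!documentElementRenderer) return;` is the line that prevents the null dereference, but the only comment in the lambda (the pre-existing "Propagate the new writing mode and direction up to the RenderView." line above it) does not say why the document element renderer can be null here, and the log message phrases the condition as "unless we are attached to one [a RenderView]", which is not what the line tests. A comment at the guard keeps that knowledge with the code, e.g. `// The document element may have no renderer at this point (see webkit.org/b/234647); there is nothing to propagate to.` — hedged, since the hunk does not show how documentElementRenderer is obtained. Note that `view()` is still called unconditionally inside the lambda; if a missing RenderView is also possible in this state it would need its own check, but the hunk gives no evidence either way. The enclosing RenderBox::styleDidChange starts before and ends after the hunk, and the `[&]` capture is safe only because the lambda is invoked immediately on the next line, which is worth one more word in the comment if the lambda is ever stored.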