Title: [287867] trunk
Revision
287867
Author
[email protected]
Date
2022-01-10 19:21:20 -0800 (Mon, 10 Jan 2022)

Log Message

null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
https://bugs.webkit.org/show_bug.cgi?id=234654
<rdar://problem/86571571>

Reviewed by Antti Koivisto.

Source/WebCore:

needsLayout() check in invalidateLineLayoutPath is insufficient for modern line layout.

m_lineLayout = std::monostate() not only destroys the line layout object but also nukes all the IFC geometries.
It is equivalent to having all the child boxes dirty, since in order to re-generate the geometry information,
we have to layout _all_ the boxes (note that nuking the legacy line layout object does not destroy the inline tree).
The bug here is that needsLayout() returns true for cases (e.g. posChildNeedsLayout) where, while the geometry is all gone,
we are going to take a special layout codepath which expects pre-computed geometries.

Test: fast/block/line-layout/line-layout-collect-overflow-crash.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::invalidateLineLayoutPath):

LayoutTests:

* fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt: Added.
* fast/block/line-layout/line-layout-collect-overflow-crash.html: Added.
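
The dirty-bit mismatch the commit message describes, reduced to a stand-alone model. This is an added example, not WebKit code: the method names (needsLayout, selfNeedsLayout, normalChildNeedsLayout, posChildNeedsLayout, setNeedsLayout) mirror RenderObject's API, but the BlockFlow class, the Geometry stand-in for the IFC geometry cache, and the layout dispatch in layoutAndCollectOverflow() are assumptions made to illustrate why the early return has to be narrowed. It shows the pre-fix check leaving a block with discarded geometry but only posChildNeedsLayout set, so the positioned-only path reads a null line layout, and the r287867 check forcing a full layout instead.

```cpp
// Added example (not WebKit code): model of the invalidation-vs-dirty-bit mismatch.
// Class layout, Geometry and the dispatch below are assumptions for illustration.
#include <cstdio>
#include <stdexcept>
#include <variant>

struct Geometry { float lineHeight; }; // stands in for the IFC geometry cache

class BlockFlow {
public:
    // Dirty bits, modelled on RenderObject's flags; needsLayout() is their union.
    bool selfNeedsLayout() const { return m_selfNeedsLayout; }
    bool normalChildNeedsLayout() const { return m_normalChildNeedsLayout; }
    bool posChildNeedsLayout() const { return m_posChildNeedsLayout; }
    bool needsLayout() const { return m_selfNeedsLayout || m_normalChildNeedsLayout || m_posChildNeedsLayout; }

    void setNeedsLayout() { m_selfNeedsLayout = true; }
    void setPosChildNeedsLayout() { m_posChildNeedsLayout = true; }

    // A full layout (re)populates the geometry cache and clears all dirty bits.
    void layoutFull() { m_lineLayout = Geometry { 18.0f }; clearDirtyBits(); }

    // Pre-fix: any dirty bit suppresses setNeedsLayout(), even though the geometry is gone.
    void invalidateLineLayoutPathOld() {
        m_lineLayout = std::monostate();
        if (needsLayout())
            return;
        setNeedsLayout();
    }

    // r287867: only a dirty self or normal-flow child implies a full inline relayout.
    void invalidateLineLayoutPathNew() {
        m_lineLayout = std::monostate();
        if (selfNeedsLayout() || normalChildNeedsLayout())
            return;
        setNeedsLayout();
    }

    // Simplified dispatch: a block whose only dirty bit is posChildNeedsLayout takes a
    // positioned-objects-only path that reads the cached geometry instead of rebuilding it.
    // Returns the overflow height it collects; throws where the real code would
    // dereference a null line layout in collectOverflow().
    float layoutAndCollectOverflow() {
        if (selfNeedsLayout() || normalChildNeedsLayout()) {
            layoutFull();
            return geometry().lineHeight;
        }
        if (posChildNeedsLayout()) {
            if (!std::holds_alternative<Geometry>(m_lineLayout))
                throw std::logic_error("collectOverflow: null line layout");
            clearDirtyBits();
            return geometry().lineHeight;
        }
        return 0.0f;
    }

private:
    const Geometry& geometry() const { return std::get<Geometry>(m_lineLayout); }
    void clearDirtyBits() { m_selfNeedsLayout = m_normalChildNeedsLayout = m_posChildNeedsLayout = false; }

    std::variant<std::monostate, Geometry> m_lineLayout;
    bool m_selfNeedsLayout = true, m_normalChildNeedsLayout = false, m_posChildNeedsLayout = false;
};

// One scenario: a laid-out block gets a positioned child dirtied, then its line layout
// path is invalidated with the old or the new check. Returns true when the layout that
// follows survives (no null dereference).
bool scenarioSurvives(bool useFix) {
    BlockFlow block;
    block.layoutFull();
    block.setPosChildNeedsLayout();
    if (useFix)
        block.invalidateLineLayoutPathNew();
    else
        block.invalidateLineLayoutPathOld();
    try {
        block.layoutAndCollectOverflow();
        return true;
    } catch (const std::logic_error&) {
        return false;
    }
}

int main() {
    std::printf("old check survives: %s\n", scenarioSurvives(false) ? "yes" : "no"); // no
    std::printf("new check survives: %s\n", scenarioSurvives(true) ? "yes" : "no");  // yes
    return 0;
}
```

The model keeps the invariant the fix restores: whoever discards the geometry must also schedule the one kind of layout that regenerates it, rather than trusting that "something is dirty" means "the right thing will be recomputed".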

Diff

Modified: trunk/LayoutTests/ChangeLog (287866 => 287867)


--- trunk/LayoutTests/ChangeLog	2022-01-11 02:17:09 UTC (rev 287866)
+++ trunk/LayoutTests/ChangeLog	2022-01-11 03:21:20 UTC (rev 287867)
@@ -1,3 +1,14 @@
+2022-01-10  Alan Bujtas  <[email protected]>
+
+        null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
+        https://bugs.webkit.org/show_bug.cgi?id=234654
+        <rdar://problem/86571571>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt: Added.
+        * fast/block/line-layout/line-layout-collect-overflow-crash.html: Added.
+
 2022-01-10  Wenson Hsieh  <[email protected]>
 
         Followup to r287863 - adjust line wrapping behavior in image overlays

Added: trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt (0 => 287867)


--- trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt	2022-01-11 03:21:20 UTC (rev 287867)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
+a
+

Added: trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html (0 => 287867)


--- trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/line-layout/line-layout-collect-overflow-crash.html	2022-01-11 03:21:20 UTC (rev 287867)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+  :nth-last-child(odd) {
+    position: absolute;
+  }
+  div {
+    rotate: 0 0 0 0deg;
+  }
+</style>
+<script>
+  _onload_ = () => {
+    let div0 = document.createElement('div');
+    document.body.append(document.createElement('table'));
+    document.body.append(div0);
+    div0.append(document.createElement('img'));
+    document.execCommand('SelectAll');
+    div0.append('a');
+    document.body.append(document.createElement('div'));
+    document.designMode = 'on';
+    document.execCommand('FormatBlock', false, 'div');
+    if (window.testRunner)
+      testRunner.dumpAsText();
+    console.log("This test passes if it does not crash.");
+  };
+</script>
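Review bot: as rendered in this hunk the handler is assigned to `_onload_` rather than `onload`; the browser never invokes a global named `_onload_`, so none of the DOM and execCommand steps that drive the crash would run and the console message the expected file checks for would not be produced. Unless the underscores are an artefact of how this page renders the diff, the line should read `onload = () => {`. Separately, `testRunner.dumpAsText()` is only reached after the execCommand sequence; for a crash test it is safer to call it first so an exception thrown mid-sequence still yields a text result instead of a pixel dump.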

Modified: trunk/Source/WebCore/ChangeLog (287866 => 287867)


--- trunk/Source/WebCore/ChangeLog	2022-01-11 02:17:09 UTC (rev 287866)
+++ trunk/Source/WebCore/ChangeLog	2022-01-11 03:21:20 UTC (rev 287867)
@@ -1,3 +1,24 @@
+2022-01-10  Alan Bujtas  <[email protected]>
+
+        null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
+        https://bugs.webkit.org/show_bug.cgi?id=234654
+        <rdar://problem/86571571>
+
+        Reviewed by Antti Koivisto.
+
+        needsLayout() check in invalidateLineLayoutPath is insufficient for modern line layout.
+
+        m_lineLayout = std::monostate() does not only destroy the line layout object but it also nukes all the IFC geometries.
+        It is equivalent to having all the child boxes dirty, since in order to re-generate the geometry information,
+        we have to layout _all_ the boxes (note that nuking the legacy line layout object does not destroy the inline tree).
+        The bug here is that needsLayout() returns true for cases (e.g. posChildNeedsLayout) when
+        while the geometry is all gone, we are going to take a special layout codepath which expects pre-computed geometries.
+
+        Test: fast/block/line-layout/line-layout-collect-overflow-crash.html
+
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::RenderBlockFlow::invalidateLineLayoutPath):
+
 2022-01-10  Wenson Hsieh  <[email protected]>
 
         Followup to r287863 - adjust line wrapping behavior in image overlays

Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (287866 => 287867)


--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2022-01-11 02:17:09 UTC (rev 287866)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2022-01-11 03:21:20 UTC (rev 287867)
@@ -3562,7 +3562,7 @@
 #endif
         m_lineLayout = std::monostate();
         setLineLayoutPath(path);
-        if (needsLayout())
+        if (selfNeedsLayout() || normalChildNeedsLayout())
             return;
         // FIXME: We should just kick off a subtree layout here (if needed at all) see webkit.org/b/172947.
         setNeedsLayout();
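Review bot: the narrowed early return at `if (selfNeedsLayout() || normalChildNeedsLayout())` needs a comment at the call site, because read on its own it looks like an arbitrary subset of the bits needsLayout() covers and invites being "simplified" back. The ChangeLog explains the intent: once `m_lineLayout = std::monostate();` has discarded the inline geometry, only a dirty self or normal-flow child guarantees the full layout that regenerates it, whereas a case such as posChildNeedsLayout takes a codepath that expects the geometry to already exist. A one-liner above the check, e.g. `// The geometry is gone; only a self/normal-child layout rebuilds it, so do not trust the other needsLayout() bits.`, would make that explicit, and the FIXME on the following line (webkit.org/b/172947) could note the same constraint for the eventual subtree-layout version.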
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes