Title: [289190] releases/WebKitGTK/webkit-2.34
- Revision: 289190
- Author: [email protected]
- Date: 2022-02-06 16:38:37 -0800 (Sun, 06 Feb 2022)
Log Message
Merge r289060 - null ptr deref in RenderTreeBuilder::Block::attachIgnoringContinuation
https://bugs.webkit.org/show_bug.cgi?id=234170
Patch by Frédéric Wang <[email protected]> on 2022-02-03
Reviewed by Antti Koivisto.
Source/WebCore:
When an element with "display: contents" is put into the top layer, its computed style for
the display property becomes "block" [1]. However, RenderTreeUpdater::updateElementRenderer
does not handle this transition well. In particular, a null ptr deref happens for some
special configuration involving a <dialog style="display: contents">. To work around that
issue, always force tearing down renderers when updating an element in the top layer.
[1] https://fullscreen.spec.whatwg.org/#new-stacking-layer
Test: fast/layers/top-layer-display-contents-crash.html
* rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::updateElementRenderer): Always force tearing down renderers
for top layer elements.
LayoutTests:
Add regression test.
* fast/css/top-layer-display-contents-crash-expected.txt: Added.
* fast/css/top-layer-display-contents-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (289189 => 289190)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-02-07 00:33:13 UTC (rev 289189)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-02-07 00:38:37 UTC (rev 289190)
@@ -1,3 +1,15 @@
+2022-02-03 Frédéric Wang <[email protected]>
+
+ null ptr deref in RenderTreeBuilder::Block::attachIgnoringContinuation
+ https://bugs.webkit.org/show_bug.cgi?id=234170
+
+ Reviewed by Antti Koivisto.
+
+ Add regression test.
+
+ * fast/css/top-layer-display-contents-crash-expected.txt: Added.
+ * fast/css/top-layer-display-contents-crash.html: Added.
+
2022-01-27 Gabriel Nava Marino <[email protected]>
jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash-expected.txt (0 => 289190)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash-expected.txt 2022-02-07 00:38:37 UTC (rev 289190)
@@ -0,0 +1,3 @@
+This test PASS if it does not CRASH.
+
+TEXT_CHILD
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash.html (0 => 289190)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/css/top-layer-display-contents-crash.html 2022-02-07 00:38:37 UTC (rev 289190)
@@ -0,0 +1,18 @@
+<script>
+ if (testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+ _onload_ = () => {
+ var frame = document.createElement("frame");
+ document.body.appendChild(frame);
+ iframe.appendChild(frame);
+ requestAnimationFrame(() => {
+ dialog.showModal();
+ if (testRunner)
+ testRunner.notifyDone();
+ });
+ };
+</script>
+<p>This test PASS if it does not CRASH.</p>
+<dialog id="dialog" style="display: contents"><iframe id="iframe"><frame/></iframe>TEXT_CHILD</dialog>
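Review bot: `if (testRunner)` on the `+ if (testRunner) {` and `+ if (testRunner)` lines throws a ReferenceError when the page is opened outside the test harness, because `testRunner` is only defined under DumpRenderTree/WebKitTestRunner; the usual pattern in WebKit layout tests is `if (window.testRunner)`, which simply evaluates to false in a normal browser. The load handler is also assigned to `_onload_` rather than `onload`, so as listed here nothing runs at load; if that is a rendering artifact of the mailing-list copy it should be confirmed against the checked-in file, otherwise the test never calls `showModal()` and cannot exercise the crash.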
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (289189 => 289190)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-02-07 00:33:13 UTC (rev 289189)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-02-07 00:38:37 UTC (rev 289190)
@@ -1,3 +1,24 @@
+2022-02-03 Frédéric Wang <[email protected]>
+
+ null ptr deref in RenderTreeBuilder::Block::attachIgnoringContinuation
+ https://bugs.webkit.org/show_bug.cgi?id=234170
+
+ Reviewed by Antti Koivisto.
+
+ When an element with "display: contents" is put into the top layer, its computed style for
+ the display property becomes "block" [1]. However, RenderTreeUpdater::updateElementRenderer
+ does not manage well this transition. In particular, a null ptr deref happens for some
+ special configuration involving a <dialog style="display: contents">. To work around that
+ issue, always force tearing down renderers when updating an element in the top layer.
+
+ [1] https://fullscreen.spec.whatwg.org/#new-stacking-layer
+
+ Test: fast/layers/top-layer-display-contents-crash.html
+
+ * rendering/updating/RenderTreeUpdater.cpp:
+ (WebCore::RenderTreeUpdater::updateElementRenderer): Always force tearing down renderers
+ for top layer element.
+
2022-02-01 Andres Gonzalez <[email protected]>
Check AccessibilityRenderObject::m_renderer for null before using it.
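Review bot: the `Test:` line in this entry names `fast/layers/top-layer-display-contents-crash.html`, but the files added by this revision (and listed in the LayoutTests ChangeLog) live under `fast/css/`; the path should read `fast/css/top-layer-display-contents-crash.html` so the ChangeLog points at the real regression test.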
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp (289189 => 289190)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2022-02-07 00:33:13 UTC (rev 289189)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2022-02-07 00:38:37 UTC (rev 289190)
@@ -317,7 +317,7 @@
elementUpdateStyle->addCachedPseudoStyle(RenderStyle::clonePtr(*it.value.style));
}
- bool shouldTearDownRenderers = elementUpdate.change == Style::Change::Renderer && (element.renderer() || element.hasDisplayContents());
+ bool shouldTearDownRenderers = elementUpdate.change == Style::Change::Renderer && (element.renderer() || element.hasDisplayContents() || element.isInTopLayer());
if (shouldTearDownRenderers) {
if (!element.renderer()) {
// We may be tearing down a descendant renderer cached in renderTreePosition.
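Review bot: the new `element.isInTopLayer()` term on the `+ bool shouldTearDownRenderers = ...` line should carry a code comment, since the ChangeLog describes it as a workaround for the "display: contents" to "block" transition rather than a general rule, and the condition otherwise reads as if every top-layer element needed a teardown on any `Style::Change::Renderer` update. A short note above the line, for example `// Top layer forces display: block; tear down so the renderer is rebuilt with the new display type (webkit.org/b/234170).`, keeps the reason discoverable. It is also worth confirming that unconditionally tearing down renderers for top-layer elements that already have a renderer does not regress other top-layer cases (fullscreen elements, dialogs without display: contents) on renderer-level style changes.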
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes