Title: [109125] trunk
Revision
109125
Author
[email protected]
Date
2012-02-28 11:15:16 -0800 (Tue, 28 Feb 2012)

Log Message

Heap-use-after-free in WebCore::RenderLayer::addChild
https://bugs.webkit.org/show_bug.cgi?id=79698

Reviewed by Simon Fraser.

Source/WebCore:

This patch fixes a regression introduced in r108659.
The reflection layer was moved to the parent by mistake. It was then
deleted and the parent was left holding on to a deleted pointer. This
patch restores the location where the reflection layer is removed - before
moving the child layers.

Test: fast/reflections/toggle-reflection-crash.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::removeOnlyThisLayer):

LayoutTests:

* fast/reflections/toggle-reflection-crash-expected.txt: Added.
* fast/reflections/toggle-reflection-crash.html: Added.
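The ordering problem described in the log message, as an added illustration that is not WebKit code and not part of this patch: a minimal C++ model of a layer tree in which a renderer owns its own layer plus its reflection's layer, and a `removeOnlyThisLayer()` stand-in that can run in either the r108659 ordering (reflection unlinked after the child walk) or the r109125 ordering (reflection unlinked first). `Layer`, `Renderer`, `Scene` and the `removeReflectionFirst` flag are hypothetical simplifications of `WebCore::RenderLayer` / `RenderReplica`. The function reports whether the parent still links to the reflection layer at the moment that layer is freed, which is the dangling pointer the ChangeLog describes.

```cpp
// Added illustration, not WebKit code: a minimal model of the ownership bug
// fixed in r109125. Layer, Renderer, Scene and removeOnlyThisLayer() are
// hypothetical stand-ins for WebCore::RenderLayer / RenderReplica.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

struct Layer {
    Layer* parent = nullptr;
    std::vector<Layer*> children;  // non-owning links, like m_first / m_next

    void addChild(Layer* child) {
        child->parent = this;
        children.push_back(child);
    }
    void removeChild(Layer* child) {
        if (child->parent != this)
            return;  // not our child (already reparented): nothing to unlink
        children.erase(std::remove(children.begin(), children.end(), child), children.end());
        child->parent = nullptr;
    }
    bool hasChild(const Layer* child) const {
        return std::find(children.begin(), children.end(), child) != children.end();
    }
};

// A renderer owns its layer and, when it has a reflection, the reflection's
// layer as well; both are freed together, as in destroyLayer().
struct Renderer {
    std::unique_ptr<Layer> layer{new Layer};
    std::unique_ptr<Layer> reflectionLayer;

    explicit Renderer(bool hasReflection) {
        if (hasReflection) {
            reflectionLayer.reset(new Layer);
            layer->addChild(reflectionLayer.get());  // reflection layer sits under our layer
        }
    }
};

// Detach r's layer while keeping its ordinary children in the tree, in either
// the r108659 ordering (removeReflectionFirst = false) or the r109125 ordering.
// Returns true if the parent still links to the reflection layer at the moment
// it is freed, i.e. the parent is left holding a dangling child pointer.
bool removeOnlyThisLayer(Renderer& r, bool removeReflectionFirst) {
    Layer* self = r.layer.get();
    Layer* parent = self->parent;
    Layer* reflection = r.reflectionLayer.get();

    if (removeReflectionFirst && reflection)
        self->removeChild(reflection);  // fixed: unlink before the child walk

    // Walk our kids and reattach them to our parent (copy: the loop mutates links).
    std::vector<Layer*> kids = self->children;
    for (Layer* kid : kids) {
        self->removeChild(kid);
        parent->addChild(kid);
    }

    if (!removeReflectionFirst && reflection)
        self->removeChild(reflection);  // buggy: reflection is now the parent's child, so this is a no-op

    parent->removeChild(self);

    bool parentKeepsDoomedPointer = reflection != nullptr && parent->hasChild(reflection);
    r.reflectionLayer.reset();  // destroyLayer(): frees both layers
    r.layer.reset();
    return parentKeepsDoomedPointer;  // true -> parent->children now holds freed memory
}

// Constructed scene: a root layer, a reflected box under it, and one ordinary
// child layer of the box that is supposed to survive the box's removal.
struct Scene {
    Layer root;
    Renderer box{true};
    Layer boxContent;
    Scene() {
        root.addChild(box.layer.get());
        box.layer->addChild(&boxContent);
    }
};

int main() {
    Scene buggy;
    bool stale = removeOnlyThisLayer(buggy.box, false);
    std::printf("r108659 ordering: parent holds dangling reflection pointer = %s (root children: %zu)\n",
                stale ? "yes" : "no", buggy.root.children.size());

    Scene fixed;
    stale = removeOnlyThisLayer(fixed.box, true);
    std::printf("r109125 ordering: parent holds dangling reflection pointer = %s (root children: %zu)\n",
                stale ? "yes" : "no", fixed.root.children.size());
    return stale ? 1 : 0;
}
```

The model checks for the stale link before the free rather than dereferencing after it, so it demonstrates the ownership mistake deterministically without relying on a sanitizer; with the old ordering the root ends up with two children, one of which is about to be destroyed, and with the patched ordering only the legitimate content layer is reparented.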

Diff

Modified: trunk/LayoutTests/ChangeLog (109124 => 109125)


--- trunk/LayoutTests/ChangeLog	2012-02-28 19:12:52 UTC (rev 109124)
+++ trunk/LayoutTests/ChangeLog	2012-02-28 19:15:16 UTC (rev 109125)
@@ -1,3 +1,13 @@
+2012-02-28  Alok Priyadarshi  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderLayer::addChild
+        https://bugs.webkit.org/show_bug.cgi?id=79698
+
+        Reviewed by Simon Fraser.
+
+        * fast/reflections/toggle-reflection-crash-expected.txt: Added.
+        * fast/reflections/toggle-reflection-crash.html: Added.
+
 2012-02-28  Ken Buchanan  <[email protected]>
 
         Crash from list marker having inline and block children

Added: trunk/LayoutTests/fast/reflections/toggle-reflection-crash-expected.txt (0 => 109125)


--- trunk/LayoutTests/fast/reflections/toggle-reflection-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/reflections/toggle-reflection-crash-expected.txt	2012-02-28 19:15:16 UTC (rev 109125)
@@ -0,0 +1,3 @@
+This test should not crash when run with Address Sanitizer.
+
+

Added: trunk/LayoutTests/fast/reflections/toggle-reflection-crash.html (0 => 109125)


--- trunk/LayoutTests/fast/reflections/toggle-reflection-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/reflections/toggle-reflection-crash.html	2012-02-28 19:15:16 UTC (rev 109125)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+
+<html>
+<head>
+<script>
+  var reflectionOn = true;
+  function toggleReflection() {
+    reflectionOn = !reflectionOn;
+    var box = document.getElementById('box');
+    box.style.webkitBoxReflect = reflectionOn ? 'below' : 'none';
+  };
+
+  function finishTest() {
+    toggleReflection();
+    if (window.layoutTestController)
+      layoutTestController.notifyDone();
+  };
+
+  function startTest() {
+    if (window.layoutTestController) {
+      layoutTestController.waitUntilDone();
+      layoutTestController.dumpAsText();
+    }
+    toggleReflection();
+    window.setTimeout(function() { finishTest(); }, 0);
+  };
+
+  window.addEventListener('load', startTest, false);
+
+</script>
+</head>
+
+<body>
+  <p>This test should not crash when run with Address Sanitizer.</p>
+  <div id="box" style="-webkit-box-reflect: below;"</div>
+</body>
+</html>
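Review bot: the box's start tag is never closed. `<div id="box" style="-webkit-box-reflect: below;"</div>` is missing the `>` before `</div>`, so the tokenizer recovers by treating `</div` as a bogus attribute and the element stays open until `</body>`. The test still creates the reflected element and toggles it, but it should not depend on error recovery; make it `<div id="box" style="-webkit-box-reflect: below;"></div>`. A one-line comment above `var reflectionOn = true;` noting that the first toggle removes the reflection set by the inline style and the toggle in finishTest re-adds it would make the intended layer churn explicit to the next person who edits the test.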

Modified: trunk/Source/WebCore/ChangeLog (109124 => 109125)


--- trunk/Source/WebCore/ChangeLog	2012-02-28 19:12:52 UTC (rev 109124)
+++ trunk/Source/WebCore/ChangeLog	2012-02-28 19:15:16 UTC (rev 109125)
@@ -1,3 +1,21 @@
+2012-02-28  Alok Priyadarshi  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderLayer::addChild
+        https://bugs.webkit.org/show_bug.cgi?id=79698
+
+        Reviewed by Simon Fraser.
+
+        This patch fixes a regression introduced in r108659.
+        The reflection layer was moved to the parent by mistake. It was then
+        deleted and the parent was left holding on to a deleted pointer. This
+        patch restores the location where reflection layer is removed - before
+        moving the child layers.
+
+        Test: fast/reflections/toggle-reflection-crash.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::removeOnlyThisLayer):
+
 2012-02-28  Ken Buchanan  <[email protected]>
 
         Crash from list marker having inline and block children

Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (109124 => 109125)


--- trunk/Source/WebCore/rendering/RenderLayer.cpp	2012-02-28 19:12:52 UTC (rev 109124)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp	2012-02-28 19:15:16 UTC (rev 109125)
@@ -1197,6 +1197,11 @@
     bool hasLayerOffset;
     const LayoutPoint offsetFromRootBeforeMove = computeOffsetFromRoot(hasLayerOffset);
 
+    // Remove the child reflection layer before moving other child layers.
+    // The reflection layer should not be moved to the parent.
+    if (reflection())
+        removeChild(reflectionLayer());
+
     // Now walk our kids and reattach them to our parent.
     RenderLayer* current = m_first;
     while (current) {
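Review bot: the new comment says the reflection layer "should not be moved to the parent" but not why, and the why is the whole regression: per the ChangeLog the reflection layer is deleted along with this layer, so if the child walk below reattaches it to m_parent, the parent is left with a pointer to freed memory. Suggest stating that in the comment, e.g. "It is destroyed together with this layer, so leaving it in the child list would hand the parent a dangling pointer." Consider also an ASSERT after the walk that reflectionLayer() is no longer among our children, so a future reordering of this function fails in a debug build rather than only under ASan.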
@@ -1212,10 +1217,7 @@
     }
 
     // Remove us from the parent.
-    if (reflection())
-        removeChild(reflectionLayer());
     m_parent->removeChild(this);
-
     m_renderer->destroyLayer();
 }
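Review bot: dropping the blank line between `m_parent->removeChild(this);` and `m_renderer->destroyLayer();` is an unrelated whitespace change; keep the hunk to the reflection-layer move so the regression fix stays minimal for bisecting and backporting. The removal itself is right: by this point the child walk above had already reattached the reflection layer to m_parent, so removeChild(reflectionLayer()) here no longer undid anything and the following destroyLayer() left m_parent holding the deleted pointer the ChangeLog describes.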
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes