Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 51d7c7775f9625ce5679c11768b50eea2520b905
https://github.com/WebKit/WebKit/commit/51d7c7775f9625ce5679c11768b50eea2520b905
Author: Arunsundar Kannan <[email protected]>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
M Source/WebCore/rendering/RenderInline.cpp
Log Message:
-----------
RenderInline::offsetForInFlowPositionedInline causes a null-deref of a layout box
on repaint.
https://bugs.webkit.org/show_bug.cgi?id=255552.
rdar://107952390.
Reviewed by Alan Baradlay.
Line layout codepath invalidation is triggered by JS which issues a repaint on
the newly inserted renderer. The newly inserted renderer is used for geometry
computations, which call offsetForInFlowPositionedInline in case of inline
boxes. This tries to access the lineBoxes associated with the renderers, but
they are invalidated by previous repaints. This leads to a null deref of the
lineboxes.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt:
Added.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::isLineLayoutPresent const):
* Source/WebCore/rendering/RenderBlockFlow.h:
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::offsetForInFlowPositionedInline const):
Originally-landed-as: 259548.678@safari-7615-branch (7c662f5b36e3).
rdar://107952390
Canonical link: https://commits.webkit.org/266452@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes