- Revision: 111439
- Author: [email protected]
- Date: 2012-03-20 14:31:46 -0700 (Tue, 20 Mar 2012)
Log Message
Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
https://bugs.webkit.org/show_bug.cgi?id=81276
Reviewed by David Hyatt.
Source/WebCore:
Test: fast/css/relative-positioned-block-crash.html
https://trac.webkit.org/changeset/108185/ allowed anonymous blocks to get their own layer (when they're
relatively positioned). This broke the dependency in addContinuationWithOutline() on the owner of the continuation
table and the renderer getting added to it always being in the same layer. When they're not in the same layer
there's no guarantee that the owner of the continuation table will get painted again and so avoid any stale pointers
in its continuation table should any of the renderers in there get destroyed.
Fix this for now by only adding renderers to the containing block's continuation table if we don't have our own layer.
This fix causes fast/inline/continuation-outlines-with-layers.html to regress as it uses blocks inside relatively positioned
inlines, so skip it on all platforms pending a medium-term fix.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::paintObject):
LayoutTests:
* fast/css/relative-positioned-block-crash-expected.txt: Added.
* fast/css/relative-positioned-block-crash.html: Added.
* platform/chromium/test_expectations.txt: Skip fast/inline/continuation-outlines-with-layers.html for now.
* platform/gtk/Skipped: ditto
* platform/mac/Skipped: ditto
* platform/qt/Skipped: ditto
* platform/win/Skipped: ditto
Diff
Modified: trunk/LayoutTests/ChangeLog (111438 => 111439)
--- trunk/LayoutTests/ChangeLog 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/ChangeLog 2012-03-20 21:31:46 UTC (rev 111439)
@@ -1,3 +1,18 @@
+2012-03-20 Robert Hogan <[email protected]>
+
+ Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
+ https://bugs.webkit.org/show_bug.cgi?id=81276
+
+ Reviewed by David Hyatt.
+
+ * fast/css/relative-positioned-block-crash-expected.txt: Added.
+ * fast/css/relative-positioned-block-crash.html: Added.
+ * platform/chromium/test_expectations.txt: Skip fast/inline/continuation-outlines-with-layers.html for now.
+ * platform/gtk/Skipped: ditto
+ * platform/mac/Skipped: ditto
+ * platform/qt/Skipped: ditto
+ * platform/win/Skipped: ditto
+
2012-03-20 Dan Bernstein <[email protected]>
Work around the inconsistency in test results caused by <http://webkit.org/b/81696> in a few
Added: trunk/LayoutTests/fast/css/relative-positioned-block-crash-expected.txt (0 => 111439)
--- trunk/LayoutTests/fast/css/relative-positioned-block-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/relative-positioned-block-crash-expected.txt 2012-03-20 21:31:46 UTC (rev 111439)
@@ -0,0 +1,4 @@
+PASSED: Didn't crash!
+
+A
+
Property changes on: trunk/LayoutTests/fast/css/relative-positioned-block-crash-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/css/relative-positioned-block-crash.html (0 => 111439)
--- trunk/LayoutTests/fast/css/relative-positioned-block-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/relative-positioned-block-crash.html 2012-03-20 21:31:46 UTC (rev 111439)
@@ -0,0 +1,57 @@
+<html>
+ <head>
+ <style>
+ #el0 { position: relative; }
+ #el2 { outline-style: dashed; }
+ </style>
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.display();
+ layoutTestController.waitUntilDone();
+ }
+
+ function log(message) {
+ var console = document.getElementById("console");
+ console.appendChild(document.createTextNode(message + "\n"));
+ }
+
+ function test() {
+ document.execCommand('removeformat');
+ setTimeout("finish()", 100);
+ }
+ function finish() {
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ log("PASSED: Didn't crash!\n");
+ layoutTestController.notifyDone();
+ }
+ }
+
+// This tests a crash caused by stale pointers to continuations in a block's continuations table.
+// https://bugs.webkit.org/show_bug.cgi?id=81276
+
+ function runTest() {
+ el0=document.createElement('span')
+ el0.setAttribute('id','el0')
+ document.body.appendChild(el0)
+ el1=document.createElement('div')
+ el0.appendChild(el1)
+ el1.appendChild(document.createElement('input'))
+ el0.appendChild(document.createTextNode('A'))
+ el2=document.createElement('q')
+ el2.setAttribute('id','el2')
+ document.body.appendChild(el2)
+ el2.appendChild(document.createElement('div'))
+ el2.appendChild(document.createElement('input'))
+ document.designMode='on'
+ document.execCommand('selectall')
+ document.execCommand('FormatBlock', false, '<'+'pre>')
+ document.execCommand('Undo')
+ setTimeout("test();",10)
+ }
+ </script>
+ </head>
+ <body _onload_="runTest();">
+ <div id="console"></div>
+ </body>
+</html>
\ No newline at end of file
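Review bot: the `<body _onload_="runTest();">` line near the end of this hunk spells the attribute `_onload_`; if that is what was committed rather than a rendering artifact, `runTest()` never fires, `notifyDone()` is never reached after the earlier `waitUntilDone()`, and the test times out without ever exercising the repro. Confirm the checked-in file uses `onload`. Also, `log("PASSED: Didn't crash!\n")` sits inside the `if (window.layoutTestController)` block in `finish()`, so a manual run in a browser logs nothing; moving the `log` call before the `if` makes the page informative outside DRT.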
Property changes on: trunk/LayoutTests/fast/css/relative-positioned-block-crash.html
___________________________________________________________________
Added: svn:eol-style
Modified: trunk/LayoutTests/platform/chromium/test_expectations.txt (111438 => 111439)
--- trunk/LayoutTests/platform/chromium/test_expectations.txt 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/platform/chromium/test_expectations.txt 2012-03-20 21:31:46 UTC (rev 111439)
@@ -3949,3 +3949,6 @@
BUGWK81544 : fast/text/international/font-fallback-to-common-script.html = IMAGE PASS
BUGWK81638 SNOWLEOPARD DEBUG : editing/selection/iframe.html = IMAGE PASS
+
+// Allowed to regress to fix a crash.
+BUGWK81276 WIN LINUX: fast/inline/continuation-outlines-with-layers.html = IMAGE
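Review bot: the ChangeLog says the regressing test is skipped on all platforms, but this entry only lists `WIN LINUX` and marks the test `= IMAGE` (expected pixel failure) rather than SKIP, so on chromium mac it keeps running against its old expectation. Either drop the platform modifiers (or add MAC) or reword the ChangeLog to say the test is expected-to-fail on chromium. Minor: the neighbouring lines use `BUGWK81544 : ` with a space before the colon.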
Modified: trunk/LayoutTests/platform/gtk/Skipped (111438 => 111439)
--- trunk/LayoutTests/platform/gtk/Skipped 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/platform/gtk/Skipped 2012-03-20 21:31:46 UTC (rev 111439)
@@ -1601,3 +1601,7 @@
# https://bugs.webkit.org/show_bug.cgi?id=43022
tables/mozilla_expected_failures/bugs/bug85016.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash.
+fast/inline/continuation-outlines-with-layers.html
Modified: trunk/LayoutTests/platform/mac/Skipped (111438 => 111439)
--- trunk/LayoutTests/platform/mac/Skipped 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/platform/mac/Skipped 2012-03-20 21:31:46 UTC (rev 111439)
@@ -603,3 +603,6 @@
# http://bugs.webkit.org/show_bug.cgi?id=81618
fast/workers/storage/use-same-database-in-page-and-workers.html
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash.
+fast/inline/continuation-outlines-with-layers.html
Modified: trunk/LayoutTests/platform/qt/Skipped (111438 => 111439)
--- trunk/LayoutTests/platform/qt/Skipped 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/platform/qt/Skipped 2012-03-20 21:31:46 UTC (rev 111439)
@@ -2764,3 +2764,7 @@
editing/selection/move-by-word-visually-single-space-one-element.html
editing/selection/move-by-word-visually-textarea.html
editing/selection/move-by-word-visually-wrong-left-right.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash.
+fast/inline/continuation-outlines-with-layers.html
Modified: trunk/LayoutTests/platform/win/Skipped (111438 => 111439)
--- trunk/LayoutTests/platform/win/Skipped 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/LayoutTests/platform/win/Skipped 2012-03-20 21:31:46 UTC (rev 111439)
@@ -1856,3 +1856,7 @@
# https://bugs.webkit.org/show_bug.cgi?id=43022
tables/mozilla_expected_failures/bugs/bug85016.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash.
+fast/inline/continuation-outlines-with-layers.html
Modified: trunk/Source/WebCore/ChangeLog (111438 => 111439)
--- trunk/Source/WebCore/ChangeLog 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/Source/WebCore/ChangeLog 2012-03-20 21:31:46 UTC (rev 111439)
@@ -1,3 +1,25 @@
+2012-03-20 Robert Hogan <[email protected]>
+
+ Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
+ https://bugs.webkit.org/show_bug.cgi?id=81276
+
+ Reviewed by David Hyatt.
+
+ Test: fast/css/relative-positioned-block-crash.html
+
+ https://trac.webkit.org/changeset/108185/ allowed anonymous blocks to get their own layer (when they're
+ relatively positioned). This broke the dependency in addContinuationWithOutline() on the owner of the continuation
+ table and the renderer getting added to it always being in the same layer. When they're not in the same layer
+ there's no guarantee that the owner of the continuation table will get painted again and so avoid any stale pointers
+ in its continuation table should any of the renderers in there get destroyed.
+
+ Fix this for now by only adding renderers to the containing block's continuation table if we don't have our own layer.
+ This fix causes fast/inline/continuation-outlines-with-layers.html to regress as it uses blocks inside relatively positioned
+ inlines, so skip it on all platforms pending a medium-term fix.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::paintObject):
+
2012-03-20 Adele Peterson <[email protected]>
"Attempt to insert nil value " exception when calling attributed string APIs on content with a custom font
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (111438 => 111439)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-03-20 21:25:32 UTC (rev 111438)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-03-20 21:31:46 UTC (rev 111439)
@@ -2925,7 +2925,10 @@
// 6. paint continuation outlines.
if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
RenderInline* inlineCont = inlineElementContinuation();
- if (inlineCont && inlineCont->hasOutline() && inlineCont->style()->visibility() == VISIBLE) {
+ // FIXME: For now, do not add continuations for outline painting by our containing block if we are a relative positioned
+ // anonymous block (i.e. have our own layer). This is because a block depends on renderers in its continuation table being
+ // in the same layer.
+ if (inlineCont && inlineCont->hasOutline() && inlineCont->style()->visibility() == VISIBLE && !hasLayer()) {
RenderInline* inlineRenderer = toRenderInline(inlineCont->node()->renderer());
RenderBlock* cb = containingBlock();
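Review bot: the added `!hasLayer()` condition is broader than the FIXME above it describes. The comment scopes the exclusion to a relatively positioned anonymous block, but `hasLayer()` is also true for blocks that get a layer for other reasons, so every self-layered block now stops registering its inline continuation with the containing block and those continuation outlines silently stop painting. Either narrow the check to the case the comment names, or reword the comment to say that any block with its own layer is excluded. The change also only prevents new entries from being added; the root cause named in the ChangeLog (the continuation table holding pointers to renderers that can be destroyed without the table being cleaned up) is untouched, so the FIXME should reference bug 81276 or a tracking bug for the medium-term fix.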