Title: [122293] trunk
Revision
122293
Author
[email protected]
Date
2012-07-10 21:34:54 -0700 (Tue, 10 Jul 2012)

Log Message

Crash in nextLinePosition() due to accessing a removed root line box.
https://bugs.webkit.org/show_bug.cgi?id=90484

Reviewed by Abhishek Arya.

Source/WebCore:

When an <object> element is reattached, the 'content' style is compared to the old style.
If it is not the same, a flag to recalc style is enabled. Because of this, the recalc style flag
is not cleared in updateLayoutIgnorePendingStyleSheets() in nextLinePosition(), and it causes
the second layout in isEditablePosition(p). Then 'RootInlineBox root' is invalidated, but
it's used after that.

When the content of the same <object> elements is compared, it should be the same.
However, operator== for ContentData is not implemented correctly (it compares a pointer instead of
content). So operator== does not hold for the content of the same <object> elements.

Test: editing/execCommand/crash-extend-selection-forward.html

* rendering/style/ContentData.cpp:
(WebCore::operator==): Compares the instance of data instead of pointer.

LayoutTests:

This testcase should not be triggered in ASAN.

* editing/execCommand/crash-extend-selection-forward-expected.txt: Added.
* editing/execCommand/crash-extend-selection-forward.html: Added.
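As an added illustration (not WebKit code and not part of this commit), the following stripped-down model of ContentData's operator== shows the defect the log message describes: when two 'content' values are produced by separate style computations, each carries its own heap-allocated counter object, so comparing the pointers reports them as different even though their contents match, while comparing the pointed-to values reports them equal. The names Counter, ContentData, makeCounterContent, equalsByPointer and equalsByValue are simplified stand-ins chosen for this example; only the CONTENT_* enumerators mirror the real code.

```cpp
// Added example, not WebKit code: a minimal model of ContentData equality.
// Counter and ContentData are simplified stand-ins for the real classes.
#include <memory>
#include <string>

struct Counter {
    std::string identifier;
    std::string separator;
    bool operator==(const Counter& other) const {
        return identifier == other.identifier && separator == other.separator;
    }
};

enum ContentType { CONTENT_NONE, CONTENT_COUNTER, CONTENT_TEXT };

struct ContentData {
    ContentType type = CONTENT_NONE;
    std::unique_ptr<Counter> counter; // owned by this ContentData; may be null
    std::string text;
};

// Build a fresh ContentData for counters(c, "."). Each style computation
// (e.g. on reattach) allocates its own Counter, so two results for the
// same CSS never share a pointer.
ContentData makeCounterContent(const std::string& id, const std::string& sep) {
    ContentData d;
    d.type = CONTENT_COUNTER;
    d.counter = std::unique_ptr<Counter>(new Counter{id, sep});
    return d;
}

// Old behaviour (before r122293): the counter pointers themselves are compared,
// so two identical 'content' values from separate computations compare unequal.
bool equalsByPointer(const ContentData& a, const ContentData& b) {
    if (a.type != b.type)
        return false;
    switch (a.type) {
    case CONTENT_NONE:
        return true;
    case CONTENT_COUNTER:
        return a.counter.get() == b.counter.get();
    case CONTENT_TEXT:
        return a.text == b.text;
    }
    return false;
}

// Fixed behaviour: the pointed-to values are compared. Unlike a raw
// dereference, a null pointer on either side is handled explicitly.
bool equalsByValue(const ContentData& a, const ContentData& b) {
    if (a.type != b.type)
        return false;
    switch (a.type) {
    case CONTENT_NONE:
        return true;
    case CONTENT_COUNTER:
        if (!a.counter || !b.counter)
            return !a.counter && !b.counter; // equal only if both are null
        return *a.counter == *b.counter;
    case CONTENT_TEXT:
        return a.text == b.text;
    }
    return false;
}

// Convenience check for a reader running this stand-alone: does a reattach-style
// recomputation of the same CSS still compare equal under each strategy?
bool pointerCompareSaysSameContentDiffers() {
    return !equalsByPointer(makeCounterContent("c", "."), makeCounterContent("c", "."));
}

bool valueCompareSaysSameContentEqual() {
    return equalsByValue(makeCounterContent("c", "."), makeCounterContent("c", "."));
}
```

The value comparison is what the patch switches to; the explicit null branch is an addition here, since the patch dereferences image() and counter() directly and therefore assumes both sides are non-null.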

Diff

Modified: trunk/LayoutTests/ChangeLog (122292 => 122293)


--- trunk/LayoutTests/ChangeLog	2012-07-11 04:32:34 UTC (rev 122292)
+++ trunk/LayoutTests/ChangeLog	2012-07-11 04:34:54 UTC (rev 122293)
@@ -1,3 +1,15 @@
+2012-07-10  Shinya Kawanaka  <[email protected]>
+
+        Crash in nextLinePosition() due to accessing a removed root line box.
+        https://bugs.webkit.org/show_bug.cgi?id=90484
+
+        Reviewed by Abhishek Arya.
+
+        This testcase should not be triggered in ASAN.
+
+        * editing/execCommand/crash-extend-selection-forward-expected.txt: Added.
+        * editing/execCommand/crash-extend-selection-forward.html: Added.
+
 2012-07-10  Julien Chaffraix  <[email protected]>
 
         REGRESSION(r112113): absolutely positioned INPUT boxes with a table cell containing block have a 0px height
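Review bot: the ChangeLog line "This testcase should not be triggered in ASAN." does not say what the test asserts; since the expected output ends in "PASS. WebKit didn't crash.", reword it to state the check directly, e.g. "This test should not crash (previously reported by ASan)."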

Added: trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt (0 => 122293)


--- trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward-expected.txt	2012-07-11 04:34:54 UTC (rev 122293)
@@ -0,0 +1,3 @@
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward.html (0 => 122293)


--- trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/crash-extend-selection-forward.html	2012-07-11 04:34:54 UTC (rev 122293)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function editingTest() {        
+    var s = window.getSelection();
+    d = document.getElementById("test1");
+    s.setPosition(d, 0);
+    extendSelectionForwardByLineCommand();
+
+    test1.innerHTML = "PASS. WebKit didn't crash.";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+<pre id="console"></pre>
+<div id=test1>(required to cause a crash)<object style='content: counters(c, ".") "-"; ' type=text/vbs></object></div>
+<script>
+runEditingTest();
+</script>
+</body>
+</html>
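Review bot: the `<script src=""` tag near the top of the file has an empty src and is never closed, yet the file later calls `extendSelectionForwardByLineCommand()` and `runEditingTest()`, which nothing in this file defines; as written the test would throw a ReferenceError before `testRunner.notifyDone()` runs and time out instead of exercising the crash. Point src at the shared editing test helper that defines those functions and close the tag (`<script src="..."></script>`). Two smaller points in the same hunk: `d = document.getElementById("test1");` assigns an undeclared global and `test1.innerHTML = ...` then relies on the named-element global instead of reusing it (declare `var d` and write `d.innerHTML = ...`), and `function editingTest() {` carries trailing whitespace.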

Modified: trunk/Source/WebCore/ChangeLog (122292 => 122293)


--- trunk/Source/WebCore/ChangeLog	2012-07-11 04:32:34 UTC (rev 122292)
+++ trunk/Source/WebCore/ChangeLog	2012-07-11 04:34:54 UTC (rev 122293)
@@ -1,3 +1,25 @@
+2012-07-10  Shinya Kawanaka  <[email protected]>
+
+        Crash in nextLinePosition() due to accessing a removed root line box.
+        https://bugs.webkit.org/show_bug.cgi?id=90484
+
+        Reviewed by Abhishek Arya.
+
+        When <object> element is reattached, the 'content' style is compared to the old style.
+        If it is not the same, a flag to recalc style is enabled. Because of this, the recalc style flag
+        is not cleared in updateLayoutIgnorePendingStyleSheets() in nextLinePosition(), and it causes
+        the second layout in isEditablePosition(p). Then 'RootInlineBox root' is invalidated, but
+        it's used after that.
+
+        When the content of the same <object> elements are compared, they should be the same.
+        However, operator== for ContentData is not implemented correctly (it compares a pointer instead of
+        content). So operator== does not hold for the content of the same <object> elements.
+
+        Test: editing/execCommand/crash-extend-selection-forward.html
+
+        * rendering/style/ContentData.cpp:
+        (WebCore::operator==): Compares the instance of data instead of pointer.
+
 2012-07-10  Joshua Bell  <[email protected]>
 
         IndexedDB: Ensure transaction abort events are deterministic in multiprocess ports

Modified: trunk/Source/WebCore/rendering/style/ContentData.cpp (122292 => 122293)


--- trunk/Source/WebCore/rendering/style/ContentData.cpp	2012-07-11 04:32:34 UTC (rev 122292)
+++ trunk/Source/WebCore/rendering/style/ContentData.cpp	2012-07-11 04:34:54 UTC (rev 122293)
@@ -69,11 +69,11 @@
     case CONTENT_NONE:
         return true;
     case CONTENT_OBJECT:
-        return static_cast<const ImageContentData*>(&a)->image() == static_cast<const ImageContentData*>(&b)->image();
+        return *static_cast<const ImageContentData*>(&a)->image() == *static_cast<const ImageContentData*>(&b)->image();
     case CONTENT_TEXT:
         return static_cast<const TextContentData*>(&a)->text() == static_cast<const TextContentData*>(&b)->text();
     case CONTENT_COUNTER:
-        return static_cast<const CounterContentData*>(&a)->counter() == static_cast<const CounterContentData*>(&b)->counter();
+        return *static_cast<const CounterContentData*>(&a)->counter() == *static_cast<const CounterContentData*>(&b)->counter();
     case CONTENT_QUOTE:
         return static_cast<const QuoteContentData*>(&a)->quote() == static_cast<const QuoteContentData*>(&b)->quote();
     }
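Review bot: the two changed lines dereference the result of image() and counter() unconditionally, so if either side's pointer is null the comparison becomes a null dereference rather than returning false. Store both pointers in locals and dereference only when both are non-null, e.g. `return imageA == imageB || (imageA && imageB && *imageA == *imageB);`, and likewise for the counters. The fix also depends on the pointee types having a value operator==; the ChangeLog entry should state that equality for CONTENT_OBJECT and CONTENT_COUNTER is now structural, while CONTENT_TEXT and CONTENT_QUOTE already compared by value and are unchanged.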
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
