Title: [165826] trunk
- Revision: 165826
- Author: [email protected]
- Date: 2014-03-18 11:57:45 -0700 (Tue, 18 Mar 2014)
Log Message
Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
https://bugs.webkit.org/show_bug.cgi?id=129104
Reviewed by Simon Fraser.
Source/WebCore:
We should not cast the renderer of a RenderView's owner to RenderBox
unless we are sure it is one.
Test: plugins/crash-invalid-data-reference.html
* rendering/RenderView.cpp:
(WebCore::RenderView::repaintViewRectangle):
LayoutTests:
* plugins/crash-invalid-data-reference-expected.txt: Added.
* plugins/crash-invalid-data-reference.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (165825 => 165826)
--- trunk/LayoutTests/ChangeLog 2014-03-18 18:30:45 UTC (rev 165825)
+++ trunk/LayoutTests/ChangeLog 2014-03-18 18:57:45 UTC (rev 165826)
@@ -1,3 +1,13 @@
+2014-03-18 Renata Hodovan <[email protected]>
+
+ Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
+ https://bugs.webkit.org/show_bug.cgi?id=129104
+
+ Reviewed by Simon Fraser.
+
+ * plugins/crash-invalid-data-reference-expected.txt: Added.
+ * plugins/crash-invalid-data-reference.html: Added.
+
2014-03-18 Antti Koivisto <[email protected]>
Mutating rules returned by getMatchedCSSRules can result in crash
Added: trunk/LayoutTests/plugins/crash-invalid-data-reference-expected.txt (0 => 165826)
--- trunk/LayoutTests/plugins/crash-invalid-data-reference-expected.txt (rev 0)
+++ trunk/LayoutTests/plugins/crash-invalid-data-reference-expected.txt 2014-03-18 18:57:45 UTC (rev 165826)
@@ -0,0 +1 @@
+This test passes if it doesn't crash in debug. (Bug #129104)
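Review bot: the pass condition "doesn't crash in debug" on the single added line suggests the test only detects the bad cast where the debug-only cast assertion fires, so a release-build run would pass with or without the fix. Consider stating that limitation in the ChangeLog entry so a green release bot is not read as coverage for bug 129104.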
Added: trunk/LayoutTests/plugins/crash-invalid-data-reference.html (0 => 165826)
--- trunk/LayoutTests/plugins/crash-invalid-data-reference.html (rev 0)
+++ trunk/LayoutTests/plugins/crash-invalid-data-reference.html 2014-03-18 18:57:45 UTC (rev 165826)
@@ -0,0 +1,14 @@
+<html>
+<head>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+ <object data=""
+ <div>
+ This test passes if it doesn't crash in debug. (Bug #129104)
+ </div>
+</body>
+</html>
\ No newline at end of file
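Review bot: the `<object data=""` line in the body is never closed with `>`, so the tokenizer consumes the following `<div>` as part of the object start tag instead of parsing it as an element. If the malformed tag is required to reproduce the crash, add an HTML comment saying so to stop a later cleanup from "fixing" the markup and neutering the test. If it is not required, close the tag so the pass message renders as an ordinary div. The file also ends without a trailing newline.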
Modified: trunk/Source/WebCore/ChangeLog (165825 => 165826)
--- trunk/Source/WebCore/ChangeLog 2014-03-18 18:30:45 UTC (rev 165825)
+++ trunk/Source/WebCore/ChangeLog 2014-03-18 18:57:45 UTC (rev 165826)
@@ -1,3 +1,18 @@
+2014-03-18 Renata Hodovan <[email protected]>
+
+ Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
+ https://bugs.webkit.org/show_bug.cgi?id=129104
+
+ Reviewed by Simon Fraser.
+
+ We should not cast the renderer of a RenderView's owner to RenderBox
+ unless we are sure it is one.
+
+ Test: plugins/crash-invalid-data-reference.html
+
+ * rendering/RenderView.cpp:
+ (WebCore::RenderView::repaintViewRectangle):
+
2014-03-18 Andreas Kling <[email protected]>
Micro-optimize element descendant iterator.
Modified: trunk/Source/WebCore/rendering/RenderView.cpp (165825 => 165826)
--- trunk/Source/WebCore/rendering/RenderView.cpp 2014-03-18 18:30:45 UTC (rev 165825)
+++ trunk/Source/WebCore/rendering/RenderView.cpp 2014-03-18 18:57:45 UTC (rev 165826)
@@ -545,9 +545,9 @@
return;
if (auto ownerElement = document().ownerElement()) {
- if (!ownerElement->renderer())
+ RenderBox* ownerBox = ownerElement->renderBox();
+ if (!ownerBox)
return;
- auto& ownerBox = toRenderBox(*ownerElement->renderer());
LayoutRect viewRect = this->viewRect();
#if PLATFORM(IOS)
// Don't clip using the visible rect since clipping is handled at a higher level on iPhone.
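Review bot: the new `if (!ownerBox) return;` covers two cases where the old check covered one. It now also returns when the owner element has a renderer that is not a RenderBox, which silently drops the repaint request for that owner. Assuming renderBox() returns null for non-box renderers, as the log message implies, a short comment here saying that skipping the repaint is the intended behaviour for non-box owners would make the early return easier to audit.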
@@ -556,8 +556,8 @@
LayoutRect adjustedRect = intersection(repaintRect, viewRect);
#endif
adjustedRect.moveBy(-viewRect.location());
- adjustedRect.moveBy(ownerBox.contentBoxRect().location());
- ownerBox.repaintRectangle(adjustedRect);
+ adjustedRect.moveBy(ownerBox->contentBoxRect().location());
+ ownerBox->repaintRectangle(adjustedRect);
return;
}
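Review bot: style point on the two `ownerBox->` lines: once the null check in the previous hunk has passed, the pointer can never be null here, but the type no longer says so. Binding a reference after the check (for example `RenderBox& ownerBox = *box;`, with `box` as a hypothetical name for the checked pointer) would keep the `ownerBox.contentBoxRect()` and `ownerBox.repaintRectangle()` lines unchanged and keep the non-null guarantee visible in the type.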