Title: [186411] releases/WebKitGTK/webkit-2.8
- Revision
- 186411
- Author
- [email protected]
- Date
- 2015-07-07 00:30:30 -0700 (Tue, 07 Jul 2015)
Log Message
Merge r185572 - RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
https://bugs.webkit.org/show_bug.cgi?id=145988
rdar://problem/20959137
Reviewed by David Hyatt.
This patch ensures that we find the right first inline box so that we can dirty the appropriate line boxes.
With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
Source/WebCore:
Test: fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html
* rendering/RenderInline.cpp:
(WebCore::RenderInline::culledInlineFirstLineBox):
(WebCore::RenderInline::culledInlineLastLineBox):
* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::setLineBreakInfo): Deleted. Remove misleading assert and comment.
LayoutTests:
* fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt: Added.
* fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (186410 => 186411)
--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog 2015-07-07 07:28:18 UTC (rev 186410)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog 2015-07-07 07:30:30 UTC (rev 186411)
@@ -1,3 +1,18 @@
+2015-06-15 Zalan Bujtas <[email protected]>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt: Added.
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html: Added.
+
2015-06-11 Zalan Bujtas <[email protected]>
Do not crash when the descendant frame tree is destroyed during layout.
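Review bot: the description in this entry has a duplicated word carried across the line break ("dirty the / the appropriate line boxes"), and "With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout." reads awkwardly; suggest "Once the right line boxes are marked dirty, RootInlineBox::m_lineBreakObj is refreshed at the next layout." The same paragraph is pasted into Source/WebCore/ChangeLog and should be fixed in both places.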
Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (0 => 186411)
--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt 2015-07-07 07:30:30 UTC (rev 186411)
@@ -0,0 +1,4 @@
+Pass if no crash or assert in Debug. bar
+
+
+
Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (0 => 186411)
--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html 2015-07-07 07:30:30 UTC (rev 186411)
@@ -0,0 +1,22 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+window._onload_ = function()
+{
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.firstChild.parentNode.removeChild(a.firstChild);
+}
+</script>
+<body>
+<div id="a">foo</div><div></div>
+<div>Pass if no crash or assert in Debug.
+<output>
+<oƕtput>bar</output>
+<span id="b">
+<span>
+<div style="display:inline-block"></div>
+<br><br><br>
+</span>
+</body>
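Review bot: `window._onload_` is not a DOM event-handler property, so as written the function is assigned but never invoked and neither removeChild call runs; if this is the archive's rendering of `window.onload` it is fine, otherwise the test passes without exercising the bug and should be checked in the checked-in file. Separately, the sequence is undocumented: the first `document.body.offsetTop` forces a layout so that line boxes and the line break object exist, the removal under `b` is the one whose line must stay clean, and the removal under `a` after the second forced layout is where a stale `m_lineBreakObj` would be used; a comment saying so, and noting that the nested `<oƕtput>bar</output>` and the never-closed `<output>` and `<span id="b">` are needed for the tree shape, would stop a later cleanup from neutering the test.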
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186410 => 186411)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-07-07 07:28:18 UTC (rev 186410)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-07-07 07:30:30 UTC (rev 186411)
@@ -1,3 +1,23 @@
+2015-06-15 Zalan Bujtas <[email protected]>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ Test: fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::culledInlineFirstLineBox):
+ (WebCore::RenderInline::culledInlineLastLineBox):
+ * rendering/RootInlineBox.cpp:
+ (WebCore::RootInlineBox::setLineBreakInfo): Deleted. Remove misleading assert and comment.
+
2015-06-13 Chris Dumez <[email protected]>
[WK2] API::Navigation objects are leaked on history navigation to HistoryItems in PageCache
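Review bot: the entry `(WebCore::RootInlineBox::setLineBreakInfo): Deleted.` uses the WebKit ChangeLog `Deleted` marker, which means the function itself was removed, but the RootInlineBox.cpp hunk only drops the assertion and its comment and the function remains; suggest `(WebCore::RootInlineBox::setLineBreakInfo): Remove misleading assert and comment.` The two RenderInline.cpp entries carry no description at all; one line saying that a RenderBox without an inlineBoxWrapper is now skipped instead of ending the search with null would tell a reader what actually changed. The duplicated "the / the" from the LayoutTests entry is repeated here.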
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp (186410 => 186411)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp 2015-07-07 07:28:18 UTC (rev 186410)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RenderInline.cpp 2015-07-07 07:30:30 UTC (rev 186411)
@@ -927,9 +927,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (is<RenderBox>(*current))
- return downcast<RenderBox>(*current).inlineBoxWrapper();
- if (is<RenderLineBreak>(*current)) {
+ if (is<RenderBox>(*current)) {
+ const auto& renderBox = downcast<RenderBox>(*current);
+ if (renderBox.inlineBoxWrapper())
+ return renderBox.inlineBoxWrapper();
+ } else if (is<RenderLineBreak>(*current)) {
RenderLineBreak& renderBR = downcast<RenderLineBreak>(*current);
if (renderBR.inlineBoxWrapper())
return renderBR.inlineBoxWrapper();
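Review bot: the behaviour change is that a RenderBox whose `inlineBoxWrapper()` is null no longer terminates the search by returning that null but falls through to the following sibling, which is what the RenderLineBreak branch already did; that is the fix, but nothing in the code says why such a box (the empty inline-block in the new test) must be skipped rather than treated as the answer, so a one-line comment at the new `if` would help. Minor: `renderBox.inlineBoxWrapper()` is evaluated twice; `if (auto* inlineBox = renderBox.inlineBoxWrapper()) return inlineBox;` reads better and the same applies to the `renderBR` lines below it.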
@@ -954,9 +956,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (is<RenderBox>(*current))
- return downcast<RenderBox>(*current).inlineBoxWrapper();
- if (is<RenderLineBreak>(*current)) {
+ if (is<RenderBox>(*current)) {
+ const auto& renderBox = downcast<RenderBox>(*current);
+ if (renderBox.inlineBoxWrapper())
+ return renderBox.inlineBoxWrapper();
+ } else if (is<RenderLineBreak>(*current)) {
RenderLineBreak& renderBR = downcast<RenderLineBreak>(*current);
if (renderBR.inlineBoxWrapper())
return renderBR.inlineBoxWrapper();
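Review bot: this hunk is a line-for-line duplicate of the change at line 927 above (per the ChangeLog the two functions are culledInlineFirstLineBox and culledInlineLastLineBox); the two walks differ only in direction, so the per-renderer "return the inline box wrapper if there is one, otherwise skip" logic in both branches could live in one static helper so the next fix does not have to be applied twice and cannot drift between the two.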
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RootInlineBox.cpp (186410 => 186411)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-07 07:28:18 UTC (rev 186410)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-07 07:30:30 UTC (rev 186411)
@@ -794,13 +794,6 @@
void RootInlineBox::setLineBreakInfo(RenderObject* obj, unsigned breakPos, const BidiStatus& status)
{
- // When setting lineBreakObj, the RenderObject must not be a RenderInline
- // with no line boxes, otherwise all sorts of invariants are broken later.
- // This has security implications because if the RenderObject does not
- // point to at least one line box, then that RenderInline can be deleted
- // later without resetting the lineBreakObj, leading to use-after-free.
- ASSERT_WITH_SECURITY_IMPLICATION(!obj || is<RenderText>(*obj) || !(is<RenderInline>(*obj) && is<RenderBox>(*obj) && !downcast<RenderBox>(*obj).inlineBoxWrapper()));
-
m_lineBreakObj = obj;
m_lineBreakPos = breakPos;
m_lineBreakBidiStatusEor = status.eor;
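Review bot: the removed assertion could never fire: its guarded term requires `is<RenderInline>(*obj) && is<RenderBox>(*obj)`, and a renderer is never both (RenderInline is not a RenderBox), so the `!(...)` clause is always true and the ChangeLog's "misleading" is accurate. What is lost is the comment's statement of the invariant this patch now relies on, that `m_lineBreakObj` must be refreshed whenever a renderer it points at is removed, which after this change is enforced by marking the right line boxes dirty in RenderInline.cpp rather than by any check here; a short comment at the `m_lineBreakObj = obj;` assignment pointing to that mechanism would preserve the use-after-free rationale for whoever touches this next.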
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes