Modified: branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog (186745 => 186746)
--- branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-13 02:16:17 UTC (rev 186745)
+++ branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-13 04:07:54 UTC (rev 186746)
@@ -1,5 +1,24 @@
2015-07-12 David Kilzer <[email protected]>
+ Merge r185572. rdar://problem/21716531
+
+ 2015-06-15 Zalan Bujtas <[email protected]>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt: Added.
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html: Added.
+
+2015-07-12 David Kilzer <[email protected]>
+
Merge r184434, and a small part of r173173. rdar://problem/21716506
* http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt:
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (0 => 186746)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt 2015-07-13 04:07:54 UTC (rev 186746)
@@ -0,0 +1,4 @@
+Pass if no crash or assert in Debug. bar
+
+
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (0 => 186746)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html 2015-07-13 04:07:54 UTC (rev 186746)
@@ -0,0 +1,22 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+window._onload_ = function()
+{
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.firstChild.parentNode.removeChild(a.firstChild);
+}
+</script>
+<body>
+<div id="a">foo</div><div></div>
+<div>Pass if no crash or assert in Debug.
+<output>
+<oƕtput>bar</output>
+<span id="b">
+<span>
+<div style="display:inline-block"></div>
+<br><br><br>
+</span>
+</body>
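Review bot: `window._onload_` on the fourth line of the hunk is not a DOM event-handler property, so unless this is a rendering artifact of `onload` the function is never invoked and the test passes vacuously; since the expectation file only checks for the absence of a crash, a vacuous pass is indistinguishable from a real one. If the handler is meant to run, `window.onload = function()` is the intended spelling. The `<oƕtput>` start tag a few lines below may be a deliberately malformed tag that the crash depends on or a mis-encoded `<output>`; both points are worth confirming against the upstream r185572 test before relying on this as a regression guard.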
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog (186745 => 186746)
--- branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-13 02:16:17 UTC (rev 186745)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-13 04:07:54 UTC (rev 186746)
@@ -1,5 +1,29 @@
2015-07-12 David Kilzer <[email protected]>
+ Merge r185572. rdar://problem/21716531
+
+ 2015-06-15 Zalan Bujtas <[email protected]>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ Test: fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::culledInlineFirstLineBox):
+ (WebCore::RenderInline::culledInlineLastLineBox):
+ * rendering/RootInlineBox.cpp:
+ (WebCore::RootInlineBox::setLineBreakInfo): Deleted. Remove misleading assert and comment.
+
+2015-07-12 David Kilzer <[email protected]>
+
Merge r184434, and a small part of r173173. rdar://problem/21716506
2015-05-15 Antti Koivisto <[email protected]>
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RenderInline.cpp (186745 => 186746)
--- branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RenderInline.cpp 2015-07-13 02:16:17 UTC (rev 186745)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RenderInline.cpp 2015-07-13 04:07:54 UTC (rev 186746)
@@ -926,9 +926,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (curr->isBox())
- return toRenderBox(curr)->inlineBoxWrapper();
- if (curr->isLineBreak()) {
+ if (curr->isBox()) {
+ const RenderBox* renderBox = toRenderBox(curr);
+ if (renderBox->inlineBoxWrapper())
+ return renderBox->inlineBoxWrapper();
+ } else if (curr->isLineBreak()) {
RenderLineBreak* renderBR = toRenderLineBreak(curr);
if (renderBR->inlineBoxWrapper())
return renderBR->inlineBoxWrapper();
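Review bot: The new isBox() branch calls `renderBox->inlineBoxWrapper()` twice, once to test and once to return; a single lookup is cleaner and drops the `renderBox` local, e.g. `if (auto* wrapper = toRenderBox(curr)->inlineBoxWrapper()) return wrapper;`. The identical pattern appears in the second hunk of this file (culledInlineLastLineBox) and in the pre-existing isLineBreak() branch just below, so the same shape could be applied to all three. The reason a box without a wrapper is no longer returned — presumably so the scan continues to the next sibling instead of ending with null, which the ChangeLog ties to dirtying the right line boxes and keeping RootInlineBox::m_lineBreakObj valid — is stated only in the ChangeLog; a comment at the new branch such as `// A box with no inline box wrapper is skipped so the search continues rather than returning null.` would keep that reason with the code. The enclosing function begins and ends outside the hunk.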
@@ -954,9 +956,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (curr->isBox())
- return toRenderBox(curr)->inlineBoxWrapper();
- if (curr->isLineBreak()) {
+ if (curr->isBox()) {
+ const RenderBox* renderBox = toRenderBox(curr);
+ if (renderBox->inlineBoxWrapper())
+ return renderBox->inlineBoxWrapper();
+ } else if (curr->isLineBreak()) {
RenderLineBreak* renderBR = toRenderLineBreak(curr);
if (renderBR->inlineBoxWrapper())
return renderBR->inlineBoxWrapper();
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RootInlineBox.cpp (186745 => 186746)
--- branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-13 02:16:17 UTC (rev 186745)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-13 04:07:54 UTC (rev 186746)
@@ -796,13 +796,6 @@
void RootInlineBox::setLineBreakInfo(RenderObject* obj, unsigned breakPos, const BidiStatus& status)
{
- // When setting lineBreakObj, the RenderObject must not be a RenderInline
- // with no line boxes, otherwise all sorts of invariants are broken later.
- // This has security implications because if the RenderObject does not
- // point to at least one line box, then that RenderInline can be deleted
- // later without resetting the lineBreakObj, leading to use-after-free.
- ASSERT_WITH_SECURITY_IMPLICATION(!obj || obj->isText() || !(obj->isRenderInline() && obj->isBox() && !toRenderBox(obj)->inlineBoxWrapper()));
-
m_lineBreakObj = obj;
m_lineBreakPos = breakPos;
m_lineBreakBidiStatusEor = status.eor;