Diff
Modified: trunk/Source/WebCore/ChangeLog (197715 => 197716)
--- trunk/Source/WebCore/ChangeLog 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/ChangeLog 2016-03-08 00:45:25 UTC (rev 197716)
@@ -1,3 +1,47 @@
+2016-03-07 Zalan Bujtas <[email protected]>
+
+ Crash in WebCore::RenderElement::containingBlockForObjectInFlow
+ https://bugs.webkit.org/show_bug.cgi?id=155109
+
+ Reviewed by Simon Fraser.
+
+ It's unsafe to call containingBlock() on RenderView.
+
+ Unable to reproduce.
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::styleWillChange):
+ (WebCore::RenderBlock::isSelfCollapsingBlock):
+ (WebCore::RenderBlock::selectionGaps):
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::borderBoxRectInRegion):
+ (WebCore::RenderBox::computePercentageLogicalHeight):
+ (WebCore::RenderBox::computeReplacedLogicalHeightUsing):
+ (WebCore::logicalWidthIsResolvable):
+ (WebCore::RenderBox::percentageLogicalHeightIsResolvableFromBlock):
+ * rendering/RenderBoxModelObject.cpp:
+ (WebCore::RenderBoxModelObject::hasAutoHeightOrContainingBlockWithAutoHeight):
+ * rendering/RenderFlowThread.cpp:
+ (WebCore::RenderFlowThread::adjustedPositionRelativeToOffsetParent):
+ (WebCore::RenderFlowThread::offsetFromLogicalTopOfFirstRegion):
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::hasCompositedLayerInEnclosingPaginationChain):
+ (WebCore::RenderLayer::updatePagination):
+ (WebCore::inContainingBlockChain):
+ * rendering/RenderMultiColumnFlowThread.cpp:
+ (WebCore::isValidColumnSpanner):
+ * rendering/RenderNamedFlowThread.cpp:
+ (WebCore::RenderNamedFlowThread::decorationsClipRectForBoxInNamedFlowFragment):
+ * rendering/RenderObject.cpp:
+ (WebCore::hasFixedPosInNamedFlowContainingBlock):
+ * rendering/RenderReplaced.cpp:
+ (WebCore::firstContainingBlockWithLogicalWidth):
+ * rendering/RenderView.cpp:
+ (WebCore::RenderView::subtreeSelectionBounds):
+ (WebCore::RenderView::repaintSubtreeSelection):
+ (WebCore::RenderView::clearSubtreeSelection):
+ (WebCore::RenderView::applySubtreeSelection):
+
2016-03-07 Daniel Bates <[email protected]>
Cleanup: Add convenience function URL::procotolIsBlob()
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -255,7 +255,8 @@
// Remove our absolutely positioned descendants from their current containing block.
// They will be inserted into our positioned objects list during layout.
auto containingBlock = parent();
- while (containingBlock && (containingBlock->style().position() == StaticPosition || (containingBlock->isInline() && !containingBlock->isReplaced())) && !containingBlock->isRenderView()) {
+ while (containingBlock && !is<RenderView>(*containingBlock)
+ && (containingBlock->style().position() == StaticPosition || (containingBlock->isInline() && !containingBlock->isReplaced()))) {
if (containingBlock->style().position() == RelativePosition && containingBlock->isInline() && !containingBlock->isReplaced()) {
containingBlock = containingBlock->containingBlock();
break;
@@ -836,7 +837,7 @@
bool hasAutoHeight = logicalHeightLength.isAuto();
if (logicalHeightLength.isPercentOrCalculated() && !document().inQuirksMode()) {
hasAutoHeight = true;
- for (RenderBlock* cb = containingBlock(); !cb->isRenderView(); cb = cb->containingBlock()) {
+ for (RenderBlock* cb = containingBlock(); cb && !is<RenderView>(*cb); cb = cb->containingBlock()) {
if (cb->style().logicalHeight().isFixed() || cb->isTableCell())
hasAutoHeight = false;
}
@@ -1842,7 +1843,7 @@
flippedBlockRect.moveBy(rootBlockPhysicalPosition);
clipOutPositionedObjects(paintInfo, flippedBlockRect.location(), positionedObjects());
if (isBody() || isDocumentElementRenderer()) { // The <body> must make sure to examine its containingBlock's positioned objects.
- for (RenderBlock* cb = containingBlock(); cb && !cb->isRenderView(); cb = cb->containingBlock())
+ for (RenderBlock* cb = containingBlock(); cb && !is<RenderView>(*cb); cb = cb->containingBlock())
clipOutPositionedObjects(paintInfo, LayoutPoint(cb->x(), cb->y()), cb->positionedObjects()); // FIXME: Not right for flipped writing modes.
}
clipOutFloatingObjects(rootBlock, paintInfo, rootBlockPhysicalPosition, offsetFromRootBlock);
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -246,6 +246,8 @@
break;
currentBox = currentBox->containingBlock();
+ if (!currentBox)
+ break;
region = currentBox->clampToStartAndEndRegions(region);
currentBoxInfo = currentBox->renderBoxRegionInfo(region);
}
@@ -2950,7 +2952,7 @@
const RenderBox* containingBlockChild = this;
LayoutUnit rootMarginBorderPaddingHeight = 0;
bool isHorizontal = isHorizontalWritingMode();
- while (!cb->isRenderView() && skipContainingBlockForPercentHeightCalculation(cb, isHorizontal != cb->isHorizontalWritingMode())) {
+ while (cb && !is<RenderView>(*cb) && skipContainingBlockForPercentHeightCalculation(cb, isHorizontal != cb->isHorizontalWritingMode())) {
if (cb->isBody() || cb->isDocumentElementRenderer())
rootMarginBorderPaddingHeight += cb->marginBefore() + cb->marginAfter() + cb->borderAndPaddingLogicalHeight();
skippedAutoHeightContainingBlock = true;
@@ -3103,7 +3105,7 @@
case Calculated:
{
auto cb = isOutOfFlowPositioned() ? container() : containingBlock();
- while (cb->isAnonymous() && !is<RenderView>(*cb)) {
+ while (cb && cb->isAnonymous() && !is<RenderView>(*cb)) {
cb = cb->containingBlock();
downcast<RenderBlock>(*cb).addPercentHeightDescendant(const_cast<RenderBox&>(*this));
}
@@ -3133,7 +3135,7 @@
// table cells using percentage heights.
// FIXME: This needs to be made block-flow-aware. If the cell and image are perpendicular block-flows, this isn't right.
// https://bugs.webkit.org/show_bug.cgi?id=46997
- while (cb && !cb->isRenderView() && (cb->style().logicalHeight().isAuto() || cb->style().logicalHeight().isPercentOrCalculated())) {
+ while (cb && !is<RenderView>(*cb) && (cb->style().logicalHeight().isAuto() || cb->style().logicalHeight().isPercentOrCalculated())) {
if (cb->isTableCell()) {
// Don't let table cells squeeze percent-height replaced elements
// <http://bugs.webkit.org/show_bug.cgi?id=15359>
@@ -4637,7 +4639,7 @@
static bool logicalWidthIsResolvable(const RenderBox& renderBox)
{
const RenderBox* box = &renderBox;
- while (!box->isRenderView() && !box->isOutOfFlowPositioned()
+ while (box && !is<RenderView>(*box) && !box->isOutOfFlowPositioned()
#if ENABLE(CSS_GRID_LAYOUT)
&& !box->hasOverrideContainingBlockLogicalWidth()
#endif
@@ -4682,7 +4684,7 @@
const RenderBlock* cb = containingBlock;
bool inQuirksMode = cb->document().inQuirksMode();
bool skippedAutoHeightContainingBlock = false;
- while (!cb->isRenderView() && !cb->isBody() && !cb->isTableCell() && !cb->isOutOfFlowPositioned() && cb->style().logicalHeight().isAuto()) {
+ while (cb && !is<RenderView>(*cb) && !cb->isBody() && !cb->isTableCell() && !cb->isOutOfFlowPositioned() && cb->style().logicalHeight().isAuto()) {
if (!inQuirksMode && !cb->isAnonymousBlock())
break;
#if ENABLE(CSS_GRID_LAYOUT)
Modified: trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -240,7 +240,7 @@
// Anonymous block boxes are ignored when resolving percentage values that would refer to it:
// the closest non-anonymous ancestor box is used instead.
RenderBlock* cb = containingBlock();
- while (cb->isAnonymous() && !cb->isRenderView())
+ while (cb && !is<RenderView>(*cb) && cb->isAnonymous())
cb = cb->containingBlock();
// Matching RenderBox::percentageLogicalHeightIsResolvableFromBlock() by
Modified: trunk/Source/WebCore/rendering/RenderFlowThread.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -443,7 +443,7 @@
// and if so, drop the object's top position (which was computed relative to its containing block
// and is no longer valid) and recompute it using the region in which it flows as reference.
bool wasComputedRelativeToOtherRegion = false;
- while (objContainingBlock && !objContainingBlock->isRenderNamedFlowThread()) {
+ while (objContainingBlock && !is<RenderView>(*objContainingBlock) && !objContainingBlock->isRenderNamedFlowThread()) {
// Check if this object is in a different region.
RenderRegion* parentStartRegion = nullptr;
RenderRegion* parentEndRegion = nullptr;
@@ -1225,7 +1225,7 @@
// As a last resort, take the slow path.
LayoutRect blockRect(0, 0, currentBlock->width(), currentBlock->height());
- while (currentBlock && !currentBlock->isRenderFlowThread()) {
+ while (currentBlock && !is<RenderView>(*currentBlock) && !currentBlock->isRenderFlowThread()) {
RenderBlock* containerBlock = currentBlock->containingBlock();
ASSERT(containerBlock);
if (!containerBlock)
Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -1056,8 +1056,7 @@
// Otherwise we have to go up the containing block chain. Find the first enclosing
// containing block layer ancestor, and check that.
- RenderView* renderView = &renderer().view();
- for (RenderBlock* containingBlock = renderer().containingBlock(); containingBlock && containingBlock != renderView; containingBlock = containingBlock->containingBlock()) {
+ for (const auto* containingBlock = renderer().containingBlock(); containingBlock && !is<RenderView>(*containingBlock); containingBlock = containingBlock->containingBlock()) {
if (containingBlock->hasLayer())
return containingBlock->layer()->hasCompositedLayerInEnclosingPaginationChain();
}
@@ -1093,9 +1092,7 @@
// For the new columns code, we want to walk up our containing block chain looking for an enclosing layer. Once
// we find one, then we just check its pagination status.
- RenderView* renderView = &renderer().view();
- RenderBlock* containingBlock;
- for (containingBlock = renderer().containingBlock(); containingBlock && containingBlock != renderView; containingBlock = containingBlock->containingBlock()) {
+ for (const auto* containingBlock = renderer().containingBlock(); containingBlock && !is<RenderView>(*containingBlock); containingBlock = containingBlock->containingBlock()) {
if (containingBlock->hasLayer()) {
// Content inside a transform is not considered to be paginated, since we simply
// paint the transform multiple times in each column, so we don't have to use
@@ -3804,9 +3801,7 @@
{
if (startLayer == endLayer)
return true;
-
- RenderView* view = &startLayer->renderer().view();
- for (RenderBlock* currentBlock = startLayer->renderer().containingBlock(); currentBlock && currentBlock != view; currentBlock = currentBlock->containingBlock()) {
+ for (const auto* currentBlock = startLayer->renderer().containingBlock(); currentBlock && !is<RenderView>(*currentBlock); currentBlock = currentBlock->containingBlock()) {
if (currentBlock->layer() == endLayer)
return true;
}
Modified: trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -255,7 +255,7 @@
return false;
// This looks like a spanner, but if we're inside something unbreakable, it's not to be treated as one.
- for (RenderBox* ancestor = downcast<RenderBox>(*descendant).containingBlock(); ancestor; ancestor = ancestor->containingBlock()) {
+ for (RenderBox* ancestor = downcast<RenderBox>(*descendant).containingBlock(); ancestor && !is<RenderView>(*ancestor); ancestor = ancestor->containingBlock()) {
if (ancestor->isRenderFlowThread()) {
// Don't allow any intervening non-multicol fragmentation contexts. The spec doesn't say
// anything about disallowing this, but it's just going to be too complicated to
Modified: trunk/Source/WebCore/rendering/RenderNamedFlowThread.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderNamedFlowThread.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderNamedFlowThread.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -298,7 +298,7 @@
// Take the scrolled offset of this object's parents into consideration.
IntSize scrolledContentOffset;
RenderBlock* containingBlock = box.containingBlock();
- while (containingBlock) {
+ while (containingBlock && !is<RenderView>(*containingBlock)) {
if (containingBlock->isRenderNamedFlowThread()) {
// We've reached the flow thread, take the scrolled offset of the region into consideration.
ASSERT(containingBlock == this);
Modified: trunk/Source/WebCore/rendering/RenderObject.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderObject.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderObject.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -525,7 +525,7 @@
ASSERT(renderer->flowThreadState() != RenderObject::NotInsideFlowThread);
RenderObject* curr = const_cast<RenderObject*>(renderer);
- while (curr) {
+ while (curr && !is<RenderView>(*curr)) {
if (curr->fixedPositionedWithNamedFlowContainingBlock())
return true;
curr = curr->containingBlock();
Modified: trunk/Source/WebCore/rendering/RenderReplaced.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderReplaced.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderReplaced.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -251,7 +251,7 @@
if (!containingBlock)
return 0;
- for (; !containingBlock->isRenderView() && !containingBlock->isBody(); containingBlock = containingBlock->containingBlock()) {
+ for (; containingBlock && !is<RenderView>(*containingBlock) && !containingBlock->isBody(); containingBlock = containingBlock->containingBlock()) {
if (containingBlock->style().logicalWidth().isSpecified())
return containingBlock;
}
Modified: trunk/Source/WebCore/rendering/RenderView.cpp (197715 => 197716)
--- trunk/Source/WebCore/rendering/RenderView.cpp 2016-03-08 00:34:44 UTC (rev 197715)
+++ trunk/Source/WebCore/rendering/RenderView.cpp 2016-03-08 00:45:25 UTC (rev 197716)
@@ -764,7 +764,7 @@
// Blocks are responsible for painting line gaps and margin gaps. They must be examined as well.
selectedObjects.set(os, std::make_unique<RenderSelectionInfo>(*os, clipToVisibleContent));
RenderBlock* cb = os->containingBlock();
- while (cb && !cb->isRenderView()) {
+ while (cb && !is<RenderView>(*cb)) {
std::unique_ptr<RenderSelectionInfo>& blockInfo = selectedObjects.add(cb, nullptr).iterator->value;
if (blockInfo)
break;
@@ -817,7 +817,7 @@
RenderSelectionInfo(*o, true).repaint();
// Blocks are responsible for painting line gaps and margin gaps. They must be examined as well.
- for (RenderBlock* block = o->containingBlock(); block && !block->isRenderView(); block = block->containingBlock()) {
+ for (RenderBlock* block = o->containingBlock(); block && !is<RenderView>(*block); block = block->containingBlock()) {
if (!processedBlocks.add(block).isNewEntry)
break;
RenderSelectionInfo(*block, true).repaint();
@@ -953,7 +953,7 @@
oldSelectionData.selectedObjects.set(os, std::make_unique<RenderSelectionInfo>(*os, true));
if (blockRepaintMode == RepaintNewXOROld) {
RenderBlock* cb = os->containingBlock();
- while (cb && !cb->isRenderView()) {
+ while (cb && !is<RenderView>(*cb)) {
std::unique_ptr<RenderBlockSelectionInfo>& blockInfo = oldSelectionData.selectedBlocks.add(cb, nullptr).iterator->value;
if (blockInfo)
break;
@@ -1018,7 +1018,7 @@
newSelectedObjects.set(currentRenderer, WTFMove(selectionInfo));
RenderBlock* containingBlock = currentRenderer->containingBlock();
- while (containingBlock && !containingBlock->isRenderView()) {
+ while (containingBlock && !is<RenderView>(*containingBlock)) {
std::unique_ptr<RenderBlockSelectionInfo>& blockInfo = newSelectedBlocks.add(containingBlock, nullptr).iterator->value;
if (blockInfo)
break;
