Title: [145885] trunk
- Revision: 145885
- Author: ta...@google.com
- Date: 2013-03-15 01:24:19 -0700 (Fri, 15 Mar 2013)
Log Message
Crash at RenderStyle::inheritFrom reported by fuzzer
https://bugs.webkit.org/show_bug.cgi?id=112322
Reviewed by Hajime Morrita.
Source/WebCore:
pseudoStyleForElement should check whether a parent style of a given
element is available or not. If a given element's parent is
an insertion point whose reset-style-inheritance is true, the parent
style is not available. Need to use defaultStyleForElement.
Test: fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html
* css/StyleResolver.cpp:
(WebCore::StyleResolver::styleForElement):
Removed cloneForParent. Instead, made m_state own parentStyle, i.e.
changed m_parentStyle in class State from RenderStyle* to
RefPtr<RenderStyle>.
(WebCore::StyleResolver::pseudoStyleForElement):
If an actual parent style of a given element is not available, use
defaultStyleForElement. This is the same logic as styleForElement.
* css/StyleResolver.h:
(WebCore::StyleResolver::State::setParentStyle):
Modified the parameter to use PassRefPtr<RenderStyle>.
(WebCore::StyleResolver::State::parentStyle):
(State):
LayoutTests:
* fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash-expected.txt: Added.
* fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (145884 => 145885)
--- trunk/LayoutTests/ChangeLog 2013-03-15 08:08:07 UTC (rev 145884)
+++ trunk/LayoutTests/ChangeLog 2013-03-15 08:24:19 UTC (rev 145885)
@@ -1,3 +1,13 @@
+2013-03-15 Takashi Sakamoto <ta...@google.com>
+
+ Crash at RenderStyle::inheritFrom reported by fuzzer
+ https://bugs.webkit.org/show_bug.cgi?id=112322
+
+ Reviewed by Hajime Morrita.
+
+ * fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash-expected.txt: Added.
+ * fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html: Added.
+
2013-03-15 Mihnea Ovidenie <mih...@adobe.com>
[CSS Regions] Selecting text inside an empty region causes selection outside the region area
Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash-expected.txt (0 => 145885)
--- trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash-expected.txt 2013-03-15 08:24:19 UTC (rev 145885)
@@ -0,0 +1,3 @@
+[bug 112322] https://bugs.webkit.org/show_bug.cgi?id=112322 This test ensures WebKit does not crash when checking whether distributed nodes have any pseudo element or not. If there is no crash, the test passes.
+
+PASS
Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html (0 => 145885)
--- trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html 2013-03-15 08:24:19 UTC (rev 145885)
@@ -0,0 +1,26 @@
+<!doctyle html>
+<head>
+<style>
+span::after {
+ -webkit-mask-box-image-source: url(does-not-exist.gif)
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function runTests() {
+ var host = document.getElementById("host");
+ var shadowRoot = host.webkitCreateShadowRoot();
+ shadowRoot.innerHTML = "<content id='content'>"
+ shadowRoot.getElementById("content").resetStyleInheritance = true;
+}
+</script>
+</head>
+<body _onload_="runTests()">
+ <p>[bug 112322] <a href="" This test ensures WebKit does not crash when checking whether distributed nodes have any pseudo element or not. If there is no crash, the test passes.</p>
+ <div id='host'>
+ <span>PASS</span>
+ </div>
+</body>
+
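Review bot: three problems in the added test file. `<!doctyle html>` on the first line is a misspelled doctype, so the page is parsed in quirks mode instead of standards mode; it should read `<!DOCTYPE html>`. The `<a href=""` in the description paragraph is never closed, so the explanatory text and the closing `</p>` land inside an open anchor; either drop the anchor or close it with `</a>` after the bug reference. And `_onload_="runTests()"` on `<body>` is not an event handler attribute, so as shown here `runTests()` never runs and the reset-style-inheritance path is never exercised; if this is the mailing list's rewriting of `onload`, the committed file is fine, otherwise it must be `onload`. Minor: the `shadowRoot.innerHTML = "<content id='content'>"` statement is missing its semicolon.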
Modified: trunk/Source/WebCore/ChangeLog (145884 => 145885)
--- trunk/Source/WebCore/ChangeLog 2013-03-15 08:08:07 UTC (rev 145884)
+++ trunk/Source/WebCore/ChangeLog 2013-03-15 08:24:19 UTC (rev 145885)
@@ -1,3 +1,31 @@
+2013-03-15 Takashi Sakamoto <ta...@google.com>
+
+ Crash at RenderStyle::inheritFrom reported by fuzzer
+ https://bugs.webkit.org/show_bug.cgi?id=112322
+
+ Reviewed by Hajime Morrita.
+
+ pseudoStyleForElement should check whether a parent style of a given
+ element is available or not. If a given element's parent is
+ an insertion point whose reset-style-inheritance is true, the parent
+ style is not available. Need to use defaultStyleForElement.
+
+ Test: fast/dom/shadow/insertion-point-resetStyleInheritance-with-pseudo-element-crash.html
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::styleForElement):
+ Removed cloneForParent. Instead, made m_state own parentStyle, i.e.
+ changed m_parentStyle in class State from RenderStyle* to
+ RefPtr<RenderStyle>.
+ (WebCore::StyleResolver::pseudoStyleForElement):
+ If an actual parent style of a given element is not available, use
+ defaultStyleForElement. This is the same logic as styleForElement.
+ * css/StyleResolver.h:
+ (WebCore::StyleResolver::State::setParentStyle):
+ Modified the parameter to use PassRefPtr<RenderStyle>.
+ (WebCore::StyleResolver::State::parentStyle):
+ (State):
+
2013-03-15 Mihnea Ovidenie <mih...@adobe.com>
[CSS Regions] Selecting text inside an empty region causes selection outside the region area
Modified: trunk/Source/WebCore/css/StyleResolver.cpp (145884 => 145885)
--- trunk/Source/WebCore/css/StyleResolver.cpp 2013-03-15 08:08:07 UTC (rev 145884)
+++ trunk/Source/WebCore/css/StyleResolver.cpp 2013-03-15 08:24:19 UTC (rev 145885)
@@ -990,15 +990,12 @@
return sharedStyle;
}
- RefPtr<RenderStyle> cloneForParent;
-
if (state.parentStyle()) {
state.setStyle(RenderStyle::create());
state.style()->inheritFrom(state.parentStyle(), isAtShadowBoundary(element) ? RenderStyle::AtShadowBoundary : RenderStyle::NotAtShadowBoundary);
} else {
state.setStyle(defaultStyleForElement());
- cloneForParent = RenderStyle::clone(state.style());
- state.setParentStyle(cloneForParent.get());
+ state.setParentStyle(RenderStyle::clone(state.style()));
}
// contenteditable attribute (implemented by -webkit-user-modify) should
// be propagated from shadow host to distributed node.
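Review bot: the one-liner `state.setParentStyle(RenderStyle::clone(state.style()));` is tidier than the removed `cloneForParent` local, but it needs a comment explaining why a clone of the freshly created default style is installed as the parent style: a reader cannot tell from this line that the clone exists so later inheritance calls see a non-null parent, nor that `State` rather than a stack local now keeps it alive. Since `m_parentStyle` becomes a `RefPtr`, the clone now lives until `State` is reset instead of until this function returns, so it is worth confirming nothing relied on the shorter lifetime.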
@@ -1176,9 +1173,15 @@
initElement(e);
state.initForStyleResolve(document(), e, parentStyle);
- state.setStyle(RenderStyle::create());
- state.style()->inheritFrom(m_state.parentStyle());
+ if (m_state.parentStyle()) {
+ state.setStyle(RenderStyle::create());
+ state.style()->inheritFrom(m_state.parentStyle());
+ } else {
+ state.setStyle(defaultStyleForElement());
+ state.setParentStyle(RenderStyle::clone(state.style()));
+ }
+
// Since we don't use pseudo-elements in any of our quirk/print user agent rules, don't waste time walking
// those rules.
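Review bot: the new condition tests `m_state.parentStyle()` while the surrounding calls use `state.setStyle(...)` and `state.setParentStyle(...)`, mixing the `state` reference set up by `state.initForStyleResolve(document(), e, parentStyle)` with the `m_state` member in one block; if `state` aliases `m_state` the code is correct but should use one name throughout, and if it does not, the null check is on the wrong object. The else branch is also a verbatim copy of the fallback in `styleForElement` (the ChangeLog says as much), so a small shared helper that performs the `defaultStyleForElement()` plus clone-as-parent step would keep the two paths from drifting. Finally, this `inheritFrom(m_state.parentStyle())` call passes no shadow-boundary flag, whereas the `styleForElement` hunk above passes `isAtShadowBoundary(element) ? RenderStyle::AtShadowBoundary : RenderStyle::NotAtShadowBoundary`; that predates this patch, but deserves a follow-up now that the two paths are meant to behave the same.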
Modified: trunk/Source/WebCore/css/StyleResolver.h (145884 => 145885)
--- trunk/Source/WebCore/css/StyleResolver.h 2013-03-15 08:08:07 UTC (rev 145884)
+++ trunk/Source/WebCore/css/StyleResolver.h 2013-03-15 08:24:19 UTC (rev 145885)
@@ -455,8 +455,8 @@
PassRefPtr<RenderStyle> takeStyle() { return m_style.release(); }
const ContainerNode* parentNode() const { return m_parentNode; }
- void setParentStyle(RenderStyle* parentStyle) { m_parentStyle = parentStyle; }
- RenderStyle* parentStyle() const { return m_parentStyle; }
+ void setParentStyle(PassRefPtr<RenderStyle> parentStyle) { m_parentStyle = parentStyle; }
+ RenderStyle* parentStyle() const { return m_parentStyle.get(); }
RenderStyle* rootElementStyle() const { return m_rootElementStyle; }
const RenderRegion* regionForStyling() const { return m_regionForStyling; }
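Review bot: changing the parameter to `PassRefPtr<RenderStyle>` means every caller that hands in a raw `RenderStyle*` now takes a reference on that style, which is the intent for the cloned default style but also applies to parent styles that were previously only borrowed; please confirm that `State` clears `m_parentStyle` when it is reset between resolutions so the resolver's `State` member does not keep an element's parent style alive longer than before. A one-line comment on `setParentStyle` noting that the state now owns the parent style would make the ownership change visible at the declaration.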
@@ -507,7 +507,7 @@
RefPtr<RenderStyle> m_style;
StyledElement* m_styledElement;
ContainerNode* m_parentNode;
- RenderStyle* m_parentStyle;
+ RefPtr<RenderStyle> m_parentStyle;
RenderStyle* m_rootElementStyle;
// Required to ASSERT in applyProperties.
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes