Title: [186841] branches/safari-600.8-branch
- Revision
- 186841
- Author
- matthew_han...@apple.com
- Date
- 2015-07-15 09:04:12 -0700 (Wed, 15 Jul 2015)
Log Message
Merge r186746. rdar://problem/21716391
Modified Paths
Added Paths
Diff
Modified: branches/safari-600.8-branch/LayoutTests/ChangeLog (186840 => 186841)
--- branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-15 16:02:39 UTC (rev 186840)
+++ branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-15 16:04:12 UTC (rev 186841)
@@ -1,3 +1,26 @@
+2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r186746. rdar://problem/21716391
+
+ 2015-07-12 David Kilzer <ddkil...@apple.com>
+
+ Merge r185572. rdar://problem/21716531
+
+ 2015-06-15 Zalan Bujtas <za...@apple.com>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt: Added.
+ * fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html: Added.
+
2015-07-09 Matthew Hanson <matthew_han...@apple.com>
Merge r186577. rdar://problem/21533109
Added: branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (0 => 186841)
--- branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt 2015-07-15 16:04:12 UTC (rev 186841)
@@ -0,0 +1,4 @@
+Pass if no crash or assert in Debug. bar
+
+
+
Added: branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (0 => 186841)
--- branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html 2015-07-15 16:04:12 UTC (rev 186841)
@@ -0,0 +1,22 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+window._onload_ = function()
+{
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.firstChild.parentNode.removeChild(a.firstChild);
+}
+</script>
+<body>
+<div id="a">foo</div><div></div>
+<div>Pass if no crash or assert in Debug.
+<output>
+<oƕtput>bar</output>
+<span id="b">
+<span>
+<div style="display:inline-block"></div>
+<br><br><br>
+</span>
+</body>
Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (186840 => 186841)
--- branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-15 16:02:39 UTC (rev 186840)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-15 16:04:12 UTC (rev 186841)
@@ -1,3 +1,31 @@
+2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r186746. rdar://problem/21716391
+
+ 2015-07-12 David Kilzer <ddkil...@apple.com>
+
+ Merge r185572. rdar://problem/21716531
+
+ 2015-06-15 Zalan Bujtas <za...@apple.com>
+
+ RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
+ https://bugs.webkit.org/show_bug.cgi?id=145988
+ rdar://problem/20959137
+
+ Reviewed by David Hyatt.
+
+ This patch ensures that we find the right first inline box so that we can dirty the
+ the appropriate line boxes.
+ With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.
+
+ Test: fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::culledInlineFirstLineBox):
+ (WebCore::RenderInline::culledInlineLastLineBox):
+ * rendering/RootInlineBox.cpp:
+ (WebCore::RootInlineBox::setLineBreakInfo): Deleted. Remove misleading assert and comment.
+
2015-07-09 Matthew Hanson <matthew_han...@apple.com>
Merge r186508. rdar://problem/21707887
Modified: branches/safari-600.8-branch/Source/WebCore/rendering/RenderInline.cpp (186840 => 186841)
--- branches/safari-600.8-branch/Source/WebCore/rendering/RenderInline.cpp 2015-07-15 16:02:39 UTC (rev 186840)
+++ branches/safari-600.8-branch/Source/WebCore/rendering/RenderInline.cpp 2015-07-15 16:04:12 UTC (rev 186841)
@@ -925,9 +925,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (curr->isBox())
- return toRenderBox(curr)->inlineBoxWrapper();
- if (curr->isLineBreak()) {
+ if (curr->isBox()) {
+ const RenderBox* renderBox = toRenderBox(curr);
+ if (renderBox->inlineBoxWrapper())
+ return renderBox->inlineBoxWrapper();
+ } else if (curr->isLineBreak()) {
RenderLineBreak* renderBR = toRenderLineBreak(curr);
if (renderBR->inlineBoxWrapper())
return renderBR->inlineBoxWrapper();
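Review bot: The new box branch calls `renderBox->inlineBoxWrapper()` twice and mirrors the RenderLineBreak branch directly below it; binding the result once, `if (auto* wrapper = renderBox->inlineBoxWrapper()) return wrapper;`, states the intent (skip boxes that have no wrapper yet) and drops the repeated accessor call. The same applies to the second hunk in this file (`@@ -953,9 +955,11 @@`, culledInlineLastLineBox), which carries the identical change. Because a box without a wrapper now falls through instead of returning null, a one-line comment such as `// A box with no inline box wrapper has not produced a line box; keep scanning.` would record why the early return was removed. Both enclosing functions start and end outside the hunk, so I cannot see what the loop does after the fall-through.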
@@ -953,9 +955,11 @@
// We want to get the margin box in the inline direction, and then use our font ascent/descent in the block
// direction (aligned to the root box's baseline).
- if (curr->isBox())
- return toRenderBox(curr)->inlineBoxWrapper();
- if (curr->isLineBreak()) {
+ if (curr->isBox()) {
+ const RenderBox* renderBox = toRenderBox(curr);
+ if (renderBox->inlineBoxWrapper())
+ return renderBox->inlineBoxWrapper();
+ } else if (curr->isLineBreak()) {
RenderLineBreak* renderBR = toRenderLineBreak(curr);
if (renderBR->inlineBoxWrapper())
return renderBR->inlineBoxWrapper();
Modified: branches/safari-600.8-branch/Source/WebCore/rendering/RootInlineBox.cpp (186840 => 186841)
--- branches/safari-600.8-branch/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-15 16:02:39 UTC (rev 186840)
+++ branches/safari-600.8-branch/Source/WebCore/rendering/RootInlineBox.cpp 2015-07-15 16:04:12 UTC (rev 186841)
@@ -790,13 +790,6 @@
void RootInlineBox::setLineBreakInfo(RenderObject* obj, unsigned breakPos, const BidiStatus& status)
{
- // When setting lineBreakObj, the RenderObject must not be a RenderInline
- // with no line boxes, otherwise all sorts of invariants are broken later.
- // This has security implications because if the RenderObject does not
- // point to at least one line box, then that RenderInline can be deleted
- // later without resetting the lineBreakObj, leading to use-after-free.
- ASSERT_WITH_SECURITY_IMPLICATION(!obj || obj->isText() || !(obj->isRenderInline() && obj->isBox() && !toRenderBox(obj)->inlineBoxWrapper()));
-
m_lineBreakObj = obj;
m_lineBreakPos = breakPos;
m_lineBreakBidiStatusEor = status.eor;
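Review bot: With the assertion and its comment removed, setLineBreakInfo no longer documents that m_lineBreakObj must refer to a renderer that still owns a line box, which the deleted comment identified as the condition preventing a stale pointer after that renderer is destroyed. The ChangeLog calls the assert misleading and attributes the actual fix to RenderInline::culledInlineFirstLineBox/culledInlineLastLineBox marking the right line boxes dirty so the pointer is refreshed at the next layout; a short comment keeping that link visible would help the next maintainer, e.g. `// m_lineBreakObj is refreshed at the next layout; see RenderInline::culledInline{First,Last}LineBox for how the affected lines get dirtied.`. The function body continues past the hunk, so I cannot tell whether any other check on obj remains.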