Title: [274645] trunk
Revision: 274645
Author: commit-qu...@webkit.org
Date: 2021-03-18 07:44:01 -0700 (Thu, 18 Mar 2021)
Log Message
Nullptr crash in RenderStyle::shapeOutside()
https://bugs.webkit.org/show_bug.cgi?id=221382
Patch by Frédéric Wang <fw...@igalia.com> on 2021-03-18
Reviewed by Zalan Bujtas.
Source/WebCore:
Before bug 223041, it was possible to get dangling WeakPtr m_renderer on FloatingObject. This
patch adds debug ASSERT and more regression tests.
Tests: fast/block/float/float-pseudo-element-not-removed-crash.html
fast/block/float/float-pseudo-element-not-removed-2-crash.html
* rendering/FloatingObjects.h: add nullcheck ASSERT for debug builds.
LayoutTests:
Add regression tests.
* fast/block/float/float-pseudo-element-not-removed-crash-expected.txt: Added.
* fast/block/float/float-pseudo-element-not-removed-crash.html: Added.
* fast/block/float/float-pseudo-element-not-removed-crash2-expected.txt: Added.
* fast/block/float/float-pseudo-element-not-removed-crash2.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (274644 => 274645)
--- trunk/LayoutTests/ChangeLog 2021-03-18 13:59:04 UTC (rev 274644)
+++ trunk/LayoutTests/ChangeLog 2021-03-18 14:44:01 UTC (rev 274645)
@@ -1,3 +1,17 @@
+2021-03-18 Frédéric Wang <fw...@igalia.com>
+
+ Nullptr crash in RenderStyle::shapeOutside()
+ https://bugs.webkit.org/show_bug.cgi?id=221382
+
+ Reviewed by Zalan Bujtas.
+
+ Add regression tests.
+
+ * fast/block/float/float-pseudo-element-not-removed-crash-expected.txt: Added.
+ * fast/block/float/float-pseudo-element-not-removed-crash.html: Added.
+ * fast/block/float/float-pseudo-element-not-removed-crash2-expected.txt: Added.
+ * fast/block/float/float-pseudo-element-not-removed-crash2.html: Added.
+
2021-03-18 Imanol Fernandez <ifernan...@igalia.com>
Implement WebXR Opaque Framebuffer
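Review bot: The last two entries name `float-pseudo-element-not-removed-crash2-expected.txt` and `float-pseudo-element-not-removed-crash2.html`, but the files added in this revision are `float-pseudo-element-not-removed-2-crash-expected.txt` and `float-pseudo-element-not-removed-2-crash.html`. The entries should use the committed names so the ChangeLog matches the tree and the `Tests:` line in the WebCore ChangeLog.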
Added: trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash-expected.txt (0 => 274645)
--- trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash-expected.txt 2021-03-18 14:44:01 UTC (rev 274645)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash.html (0 => 274645)
--- trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash.html (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-2-crash.html 2021-03-18 14:44:01 UTC (rev 274645)
@@ -0,0 +1,15 @@
+<style>
+ *::first-letter {
+ -webkit-initial-letter: 2;
+ }
+ * {
+ bottom: 0vh;
+ writing-mode: vertical-lr;
+ }
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.");
+ document.styleSheets[0].insertRule(`*::before { content: 'ab' url(); }`);
+</script>
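Review bot: Nothing in this test says what it covers: there is no comment or title tying it to bug 221382, and no indication of which of the rules (`-webkit-initial-letter` on `::first-letter`, `writing-mode: vertical-lr`, the inserted `*::before { content: 'ab' url(); }`) are required to reach the crash. A short comment stating the bug number and the intended trigger would keep a later cleanup from reducing the test into one that no longer exercises the path. Since the only pass condition is "does not crash" and the assert added in this revision is debug-only, it is also worth stating that the test is expected to be run on debug builds to be meaningful.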
Added: trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash-expected.txt (0 => 274645)
--- trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash-expected.txt 2021-03-18 14:44:01 UTC (rev 274645)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijkl
mnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */ *::first-letter { -webkit-initial-letter: 2; } * { bottom: 0vh; shape-outside: url(); vertical-align: -1px; writing-mode: vertical-lr; } if (window.testRunner) testRunner.dumpAsText(); console.log("This test passes if it do
es not crash."); _onload_ = () => { document.styleSheets[0].insertRule(`* { outline-offset: 1px; }`); document.styleSheets[0].insertRule(`* { -webkit-text-emphasis: "a"; }`); document.styleSheets[0].insertRule(`*::before { content: 'ab' url(); }`); document.styleSheets[0].insertRule(`* { all: initial; }`); };
Added: trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash.html (0 => 274645)
--- trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash.html (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-pseudo-element-not-removed-crash.html 2021-03-18 14:44:01 UTC (rev 274645)
@@ -0,0 +1,32 @@
+<style>
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+ /** abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz */
+
+ *::first-letter {
+ -webkit-initial-letter: 2;
+ }
+ * {
+ bottom: 0vh;
+ shape-outside: url();
+ vertical-align: -1px;
+ writing-mode: vertical-lr;
+ }
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.");
+ _onload_ = () => {
+ document.styleSheets[0].insertRule(`* { outline-offset: 1px; }`);
+ document.styleSheets[0].insertRule(`* { -webkit-text-emphasis: "a"; }`);
+ document.styleSheets[0].insertRule(`*::before { content: 'ab' url(); }`);
+ document.styleSheets[0].insertRule(`* { all: initial; }`);
+ };
+</script>
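Review bot: At `_onload_ = () => {` the function is assigned to a global named `_onload_`, not to the `onload` handler, so as shown the four `insertRule` calls never run and the test passes without exercising anything. Unless the underscores are only an artifact of how this mail was rendered, this should read `onload = () => { ... }` or use a `load` event listener. Separately, the nine filler comment lines at the top of the `<style>` block need a note saying why they are there, otherwise they look safe to delete.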
Modified: trunk/Source/WebCore/ChangeLog (274644 => 274645)
--- trunk/Source/WebCore/ChangeLog 2021-03-18 13:59:04 UTC (rev 274644)
+++ trunk/Source/WebCore/ChangeLog 2021-03-18 14:44:01 UTC (rev 274645)
@@ -1,3 +1,18 @@
+2021-03-18 Frédéric Wang <fw...@igalia.com>
+
+ Nullptr crash in RenderStyle::shapeOutside()
+ https://bugs.webkit.org/show_bug.cgi?id=221382
+
+ Reviewed by Zalan Bujtas.
+
+ Before bug 223041, it was possible to get dangling WeakPtr m_renderer on FloatingObject. This
+ patch adds debug ASSERT and more regression tests.
+
+ Tests: fast/block/float/float-pseudo-element-not-removed-crash.html
+ fast/block/float/float-pseudo-element-not-removed-2-crash.html
+
+ * rendering/FloatingObjects.h: add nullcheck ASSERT for debug builds.
+
2021-03-18 Imanol Fernandez <ifernan...@igalia.com>
Implement WebXR Opaque Framebuffer
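Review bot: The `* rendering/FloatingObjects.h:` entry does not say that two different `renderer()` accessors change, while the description above it mentions only `m_renderer` on FloatingObject. Listing both accessors, and stating explicitly that this patch changes nothing in release builds, would make the entry match the diff.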
Modified: trunk/Source/WebCore/rendering/FloatingObjects.h (274644 => 274645)
--- trunk/Source/WebCore/rendering/FloatingObjects.h 2021-03-18 13:59:04 UTC (rev 274644)
+++ trunk/Source/WebCore/rendering/FloatingObjects.h 2021-03-18 14:44:01 UTC (rev 274645)
@@ -49,7 +49,7 @@
FloatingObject(RenderBox&, Type, const LayoutRect&, const LayoutSize&, bool shouldPaint, bool isDescendant);
Type type() const { return static_cast<Type>(m_type); }
- RenderBox& renderer() const { return *m_renderer; }
+ RenderBox& renderer() const { ASSERT(m_renderer); return *m_renderer; }
bool isPlaced() const { return m_isPlaced; }
void setIsPlaced(bool placed = true) { m_isPlaced = placed; }
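Review bot: In `renderer()` the new `ASSERT(m_renderer)` fires only in debug builds, as the ChangeLog says, so a release build still evaluates `*m_renderer` on a cleared WeakPtr and faults in whichever caller first uses the returned reference, away from this accessor. If a FloatingObject with a cleared renderer is still considered reachable, `RELEASE_ASSERT(m_renderer)` would report the failure here in all builds; if it is not, the ChangeLog should say that the change in bug 223041 is what guarantees that.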
@@ -174,7 +174,7 @@
LayoutUnit findNextFloatLogicalBottomBelowForBlock(LayoutUnit logicalHeight);
private:
- const RenderBlockFlow& renderer() const { return *m_renderer; }
+ const RenderBlockFlow& renderer() const { ASSERT(m_renderer); return *m_renderer; }
void computePlacedFloatsTree();
const FloatingObjectTree* placedFloatsTree();
void increaseObjectsCount(FloatingObject::Type);
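Review bot: This second `renderer()`, the private one returning `const RenderBlockFlow&`, gets the same assert, but the ChangeLog only describes a dangling `m_renderer` on FloatingObject and lists no test for this accessor. Either note in the ChangeLog why this class's `m_renderer` can also be null, or say that the assert here is purely defensive. The debug-only caveat applies to this line as well.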