Title: [222990] trunk/Source/WebCore
Revision
222990
Author
za...@apple.com
Date
2017-10-06 11:47:47 -0700 (Fri, 06 Oct 2017)

Log Message

RootInlineBox should not hold a raw pointer to RenderObject
https://bugs.webkit.org/show_bug.cgi?id=178018
<rdar://problem/34859256>

Reviewed by Simon Fraser.

Not resetting the line break object could lead to dereferencing a stale renderer.

Covered by existing tests.

* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::RootInlineBox):
(WebCore::RootInlineBox::setLineBreakInfo):
* rendering/RootInlineBox.h:
(WebCore::RootInlineBox::lineBreakObj const):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (222989 => 222990)


--- trunk/Source/WebCore/ChangeLog	2017-10-06 18:12:14 UTC (rev 222989)
+++ trunk/Source/WebCore/ChangeLog	2017-10-06 18:47:47 UTC (rev 222990)
@@ -1,3 +1,21 @@
+2017-10-06  Zalan Bujtas  <za...@apple.com>
+
+        RootInlineBox should not hold a raw pointer to RenderObject
+        https://bugs.webkit.org/show_bug.cgi?id=178018
+        <rdar://problem/34859256>
+
+        Reviewed by Simon Fraser.
+
+        Not resetting the line break object could lead to dereferencing a stale renderer.  
+
+        Covered by existing tests.
+
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::RootInlineBox):
+        (WebCore::RootInlineBox::setLineBreakInfo):
+        * rendering/RootInlineBox.h:
+        (WebCore::RootInlineBox::lineBreakObj const):
+
 2017-10-06  Youenn Fablet  <you...@apple.com>
 
         Removing some dead code in RTCPeerConnection

Modified: trunk/Source/WebCore/rendering/RootInlineBox.cpp (222989 => 222990)


--- trunk/Source/WebCore/rendering/RootInlineBox.cpp	2017-10-06 18:12:14 UTC (rev 222989)
+++ trunk/Source/WebCore/rendering/RootInlineBox.cpp	2017-10-06 18:47:47 UTC (rev 222990)
@@ -60,7 +60,6 @@
 RootInlineBox::RootInlineBox(RenderBlockFlow& block)
     : InlineFlowBox(block)
     , m_lineBreakPos(0)
-    , m_lineBreakObj(nullptr)
 {
     setIsHorizontal(block.isHorizontalWritingMode());
 }
@@ -810,7 +809,7 @@
 
 void RootInlineBox::setLineBreakInfo(RenderObject* object, unsigned breakPosition, const BidiStatus& status)
 {
-    m_lineBreakObj = object;
+    m_lineBreakObj = makeWeakPtr(object);
     m_lineBreakPos = breakPosition;
     m_lineBreakBidiStatusEor = status.eor;
     m_lineBreakBidiStatusLastStrong = status.lastStrong;
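Review bot: `makeWeakPtr(object)` on the first changed line is handed a raw `RenderObject*` that nothing in the hunk checks for null, so the null case now depends on which `makeWeakPtr` overload is selected — a pointer overload would leave `m_lineBreakObj` empty, while a reference-only overload would not compile, so presumably the former exists. The contract is worth stating next to the assignment, e.g. `// A null object leaves m_lineBreakObj empty; lineBreakObj() then returns nullptr.`, or `ASSERT(object);` if callers never pass null. The weak reference also requires `RenderObject` to expose a weak-pointer factory; this diff does not add one, so it presumably already exists. The function continues past the end of the hunk.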

Modified: trunk/Source/WebCore/rendering/RootInlineBox.h (222989 => 222990)


--- trunk/Source/WebCore/rendering/RootInlineBox.h	2017-10-06 18:12:14 UTC (rev 222989)
+++ trunk/Source/WebCore/rendering/RootInlineBox.h	2017-10-06 18:47:47 UTC (rev 222990)
@@ -89,7 +89,7 @@
         m_lineBottomWithLeading = bottomWithLeading;
     }
 
-    RenderObject* lineBreakObj() const { return m_lineBreakObj; }
+    RenderObject* lineBreakObj() const { return m_lineBreakObj.get(); }
     BidiStatus lineBreakBidiStatus() const;
     void setLineBreakInfo(RenderObject*, unsigned breakPos, const BidiStatus&);
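Review bot: `lineBreakObj()` now returns nullptr once the renderer that ended the line has been destroyed, where it previously returned a dangling pointer, so a caller that dereferences the result without a null check trades a use-after-free for a null dereference; the callers are outside this diff, so whether they check is not visible here. The header should state the new contract, e.g. `// Returns nullptr once the renderer that ended this line has been destroyed.` above the getter. Keeping the `RenderObject*` return type rather than exposing the WeakPtr is the right choice for source compatibility, and the same null-on-destruction note applies to the member declaration in the next hunk.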
 
@@ -214,7 +214,7 @@
 
     // Where this line ended.  The exact object and the position within that object are stored so that
     // we can create an InlineIterator beginning just after the end of this line.
-    RenderObject* m_lineBreakObj;
+    WeakPtr<RenderObject> m_lineBreakObj;
     RefPtr<BidiContext> m_lineBreakContext;
 
     LayoutUnit m_lineTop;
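Review bot: The two-line comment above `m_lineBreakObj` still describes the member as storing "the exact object" and does not mention that the reference is now weak, which is the whole point of the change. Suggest extending it with `// Held weakly: the renderer can be destroyed independently of this box, after which lineBreakObj() returns nullptr.` so a reader of the header does not assume the pointer stays valid. The member is no longer explicitly initialised in the constructor (RootInlineBox.cpp hunk), which is fine since `WeakPtr` default-constructs empty, but that too could be noted here. The class continues outside the hunk.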