- Revision: 233696
- Author: za...@apple.com
- Date: 2018-07-10 13:35:28 -0700 (Tue, 10 Jul 2018)
Log Message
FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should not hold raw pointers to renderers.
https://bugs.webkit.org/show_bug.cgi?id=187249
<rdar://problem/41725869>
Reviewed by Simon Fraser.
Source/WebCore:
Test: fast/multicol/crash-in-vertical-writing-mode.html
* rendering/RenderFragmentedFlow.cpp:
(WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
* rendering/RenderFragmentedFlow.h:
(WTF::ValueToString<WeakPtr<WebCore::RenderFragmentContainer>>::string):
LayoutTests:
* fast/multicol/crash-in-vertical-writing-mode-expected.txt: Added.
* fast/multicol/crash-in-vertical-writing-mode.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (233695 => 233696)
--- trunk/LayoutTests/ChangeLog 2018-07-10 20:09:28 UTC (rev 233695)
+++ trunk/LayoutTests/ChangeLog 2018-07-10 20:35:28 UTC (rev 233696)
@@ -1,3 +1,14 @@
+2018-07-10 Zalan Bujtas <za...@apple.com>
+
+ FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not hold raw pointers to renderers.
+ https://bugs.webkit.org/show_bug.cgi?id=187249
+ <rdar://problem/41725869>
+
+ Reviewed by Simon Fraser.
+
+ * fast/multicol/crash-in-vertical-writing-mode-expected.txt: Added.
+ * fast/multicol/crash-in-vertical-writing-mode.html: Added.
+
2018-07-10 John Wilander <wilan...@apple.com>
Resource Load Statistics: Make testRunner.statisticsResetToConsistentState() take a completion handler
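Review bot: the title line of the new entry reads "should hold not hold raw pointers to renderers", with a stray "hold". Drop the first "hold" so the entry, and anything generated from it, reads "should not hold raw pointers to renderers". The same line is repeated in the Source/WebCore ChangeLog entry.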
Modified: trunk/LayoutTests/TestExpectations (233695 => 233696)
--- trunk/LayoutTests/TestExpectations 2018-07-10 20:09:28 UTC (rev 233695)
+++ trunk/LayoutTests/TestExpectations 2018-07-10 20:35:28 UTC (rev 233696)
@@ -2202,3 +2202,5 @@
webkit.org/b/172864 imported/blink/storage/indexeddb/blob-delete-objectstore-db.html [ Pass Timeout ]
webkit.org/b/187183 http/tests/security/pasteboard-file-url.html [ Skip ]
+
+[ Debug ] fast/multicol/crash-in-vertical-writing-mode.html [ Skip ]
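Review bot: the new `[ Debug ] ... [ Skip ]` line has no bug reference and no comment, unlike the `webkit.org/b/...` entries just above it. Skipping the regression test in Debug means the configuration with assertions enabled never exercises this lifetime fix, so the reason should be recorded: prefix the line with the bug that tracks the Debug failure and add a one-line comment saying what fails there (an assertion, a timeout), so the skip can be removed once that is resolved.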
Added: trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt (0 => 233696)
--- trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt 2018-07-10 20:35:28 UTC (rev 233696)
@@ -0,0 +1,2 @@
+PASS if no
+crash
Added: trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html (0 => 233696)
--- trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html 2018-07-10 20:35:28 UTC (rev 233696)
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style id=style>
+html {
+ position: fixed;
+ column-count: 2;
+}
+
+summary {
+ column-span: all;
+}
+
+details {
+ content: url();
+}
+
+table {
+ writing-mode: vertical-rl;
+}
+
+span {
+ display: grid;
+}
+</style>
+</head>
+<body>
+<details>
+ <summary>PASS if no</summary>
+</details>
+
+<span>
+ <table>
+ <caption>crash</caption>
+ </table>
+</span>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.body.offsetHeight;
+style.appendChild(document.createElement("span"));
+</script>
+</body>
+</html>
\ No newline at end of file
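Review bot: the last statement of the script, `style.appendChild(document.createElement("span"));`, depends on the bare identifier `style` resolving to the element through `id=style`, and nothing in the file says that this mutation after `document.body.offsetHeight` is the step that used to leave a stale renderer pointer. A short comment stating that the forced layout followed by the stylesheet mutation is the trigger, and a lookup through `document.getElementById("style")`, would make the test easier to maintain. The file also ends without a trailing newline.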
Modified: trunk/Source/WebCore/ChangeLog (233695 => 233696)
--- trunk/Source/WebCore/ChangeLog 2018-07-10 20:09:28 UTC (rev 233695)
+++ trunk/Source/WebCore/ChangeLog 2018-07-10 20:35:28 UTC (rev 233696)
@@ -1,3 +1,18 @@
+2018-07-10 Zalan Bujtas <za...@apple.com>
+
+ FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not hold raw pointers to renderers.
+ https://bugs.webkit.org/show_bug.cgi?id=187249
+ <rdar://problem/41725869>
+
+ Reviewed by Simon Fraser.
+
+ Test: fast/multicol/crash-in-vertical-writing-mode.html
+
+ * rendering/RenderFragmentedFlow.cpp:
+ (WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
+ * rendering/RenderFragmentedFlow.h:
+ (WTF::ValueToString<WeakPtr<WebCore::RenderFragmentContainer>>::string):
+
2018-07-10 Ryosuke Niwa <rn...@webkit.org>
Disable cross-origin-window-policy by default
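Review bot: the entry lists `updateFragmentsFragmentedFlowPortionRect` and the `ValueToString` specialization with no text after the colons, so the log never says which object outlived which. One sentence per item would do, for example that the interval tree can hold entries for a `RenderFragmentContainer` that has been destroyed and that `WeakPtr` makes a later lookup return null instead of a dangling pointer. This is the only place a future reader of the log will learn why the types changed.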
Modified: trunk/Source/WebCore/rendering/RenderFragmentedFlow.cpp (233695 => 233696)
--- trunk/Source/WebCore/rendering/RenderFragmentedFlow.cpp 2018-07-10 20:09:28 UTC (rev 233695)
+++ trunk/Source/WebCore/rendering/RenderFragmentedFlow.cpp 2018-07-10 20:35:28 UTC (rev 233696)
@@ -791,7 +791,7 @@
fragment->setFragmentedFlowPortionRect(isHorizontalWritingMode() ? fragmentRect : fragmentRect.transposedRect());
- m_fragmentIntervalTree.add(FragmentIntervalTree::createInterval(logicalHeight, logicalHeight + fragmentLogicalHeight, fragment));
+ m_fragmentIntervalTree.add(FragmentIntervalTree::createInterval(logicalHeight, logicalHeight + fragmentLogicalHeight, makeWeakPtr(fragment)));
logicalHeight += fragmentLogicalHeight;
}
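Review bot: with `makeWeakPtr(fragment)` on the changed line, an interval whose renderer is later destroyed stays in `m_fragmentIntervalTree` with null data, and nothing in this hunk removes or rebuilds such entries. Please confirm that the tree is cleared or the interval removed when a fragment goes away, or that every consumer of the tree tolerates a null entry; otherwise lookups over a given offset range can keep hitting a dead interval until the next full rebuild.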
Modified: trunk/Source/WebCore/rendering/RenderFragmentedFlow.h (233695 => 233696)
--- trunk/Source/WebCore/rendering/RenderFragmentedFlow.h 2018-07-10 20:09:28 UTC (rev 233695)
+++ trunk/Source/WebCore/rendering/RenderFragmentedFlow.h 2018-07-10 20:35:28 UTC (rev 233696)
@@ -234,14 +234,13 @@
bool m_rangeInvalidated;
};
- typedef PODInterval<LayoutUnit, RenderFragmentContainer*> FragmentInterval;
- typedef PODIntervalTree<LayoutUnit, RenderFragmentContainer*> FragmentIntervalTree;
+ typedef PODInterval<LayoutUnit, WeakPtr<RenderFragmentContainer>> FragmentInterval;
+ typedef PODIntervalTree<LayoutUnit, WeakPtr<RenderFragmentContainer>> FragmentIntervalTree;
class FragmentSearchAdapter {
public:
FragmentSearchAdapter(LayoutUnit offset)
: m_offset(offset)
- , m_result(nullptr)
{
}
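Review bot: the two new typedefs instantiate `PODInterval` and `PODIntervalTree` with `WeakPtr<RenderFragmentContainer>`, which is not plain old data: it has a non-trivial copy constructor and destructor. Please confirm that both templates copy-construct and destroy the stored value properly rather than copying bytes or releasing node storage without running destructors, since either would leak or corrupt the weak reference. If they do handle this, a comment beside the typedefs saying so would save the next reader the same check. Dropping `, m_result(nullptr)` is fine, since a default-constructed `WeakPtr` is null.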
@@ -249,11 +248,11 @@
const LayoutUnit& highValue() const { return m_offset; }
void collectIfNeeded(const FragmentInterval&);
- RenderFragmentContainer* result() const { return m_result; }
+ RenderFragmentContainer* result() const { return m_result.get(); }
private:
LayoutUnit m_offset;
- RenderFragmentContainer* m_result;
+ WeakPtr<RenderFragmentContainer> m_result;
};
// Map a line to its containing fragment.
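Review bot: `result()` still hands out a raw `RenderFragmentContainer*` via `m_result.get()`, so the protection ends at this accessor. The pointer can now be null because the renderer was destroyed after `collectIfNeeded` ran, not only because nothing matched. The call sites are not in this diff; please check that each one null-checks the return value and does not keep it across anything that can mutate the render tree, and consider a comment on `result()` stating that contract.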
@@ -288,6 +287,10 @@
static String string(const WebCore::RenderFragmentContainer* value) { return String::format("%p", value); }
};
+template <> struct ValueToString<WeakPtr<WebCore::RenderFragmentContainer>> {
+ static String string(const WeakPtr<WebCore::RenderFragmentContainer> value) { return value.get() ? ValueToString<WebCore::RenderFragmentContainer*>::string(value.get()) : String(); }
+};
+
} // namespace WTF
#endif
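Review bot: in the new specialization, `string(const WeakPtr<WebCore::RenderFragmentContainer> value)` takes the `WeakPtr` by value, so every call copies it and touches the reference count. Take it as `const WeakPtr<WebCore::RenderFragmentContainer>&` instead. The body also calls `value.get()` twice; reading it once into a local pointer avoids the repeat. Note too that a null `WeakPtr` yields an empty `String()`, while the raw-pointer specialization above formats the pointer with `"%p"`; if the debug output of the tree should distinguish a dead entry, returning a fixed marker string would be clearer than an empty one.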