Title: [256124] releases/WebKitGTK/webkit-2.28
Revision: 256124
Author: carlo...@webkit.org
Date: 2020-02-10 05:23:16 -0800 (Mon, 10 Feb 2020)

Log Message

Merge r255976 - Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
https://bugs.webkit.org/show_bug.cgi?id=207241

When the pseudo element's host element does not initiate a renderer
(e.g. display: contents) we need to look further in the DOM tree
for a previous-sibling-or-parent-element candidate.

Patch by Jack Lee <shihchieh_...@apple.com> on 2020-02-06
Reviewed by Zalan Bujtas.

Source/WebCore:

Test: fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html

* rendering/RenderCounter.cpp:
(WebCore::previousSiblingOrParentElement):

LayoutTests:

* fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt: Added.
* fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html: Added.
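The walk the log message describes, as an added example that is not part of this commit or of WebKit: a toy C++ model of previousSiblingOrParentElement in RenderCounter.cpp, in its pre-fix and fixed forms, run on the tree from the regression test (html > body > span#outer with display: contents > span#inner, plus #outer::before with content). The Node struct, its hasRenderer/prevSibling/host fields and the hand-built tree are assumptions of the model, not WebKit API; the caller is summarised by describe(), which reports whether the candidate it gets back has a renderer, because the real caller only uses previous->renderer().

```cpp
// Added illustration, not WebKit code: a toy model of the DOM walk performed by
// previousSiblingOrParentElement() in RenderCounter.cpp, before and after the fix,
// run on the tree from the regression test. Node, hasRenderer, prevSibling, host
// and the hand-built tree are assumptions of this model.
#include <cassert>
#include <iostream>
#include <string>

struct Node {
    explicit Node(std::string n) : name(n) { }
    std::string name;
    bool hasRenderer = true;      // false models display: contents (no renderer)
    Node* parent = nullptr;       // DOM parent; null for a pseudo element
    Node* prevSibling = nullptr;  // pseudo-aware previous sibling; null for ::before
    Node* host = nullptr;         // generating element; non-null only for a pseudo element
    bool isPseudo() const { return host != nullptr; }
};

// Pre-fix logic: a pseudo element hands back its host unconditionally,
// even when the host has no renderer.
static Node* previousSiblingOrParentOld(const Node* element)
{
    Node* previous = element->prevSibling;
    while (previous && !previous->hasRenderer)
        previous = previous->prevSibling;
    if (previous)
        return previous;

    if (element->hasRenderer && element->isPseudo())
        return element->host;             // may be renderer-less: the bug

    previous = element->parent;
    if (previous && !previous->hasRenderer)
        previous = previousSiblingOrParentOld(previous);
    return previous;
}

// Fixed logic: a renderer-less host is treated like a renderer-less parent,
// and the search continues from the host's own siblings and ancestors.
static Node* previousSiblingOrParentNew(const Node& element)
{
    if (Node* previous = element.prevSibling) {
        while (previous && !previous->hasRenderer)
            previous = previous->prevSibling;
        if (previous)
            return previous;
    }

    if (element.isPseudo()) {
        Node* host = element.host;
        assert(host);
        if (host->hasRenderer)
            return host;
        return previousSiblingOrParentNew(*host);
    }

    Node* parent = element.parent;
    if (parent && !parent->hasRenderer)
        parent = previousSiblingOrParentNew(*parent);
    return parent;
}

// The tree from the regression test (constructed here by hand):
//   html > body > span#outer (display: contents) > span#inner
//   plus #outer::before { content: "text" }, which renders although its host does not.
struct Scenario {
    Node html{"html"};
    Node body{"body"};
    Node outer{"outer"};
    Node before{"outer::before"};
    Node inner{"inner"};
    Scenario()
    {
        body.parent = &html;
        outer.parent = &body;
        outer.hasRenderer = false;   // display: contents
        before.host = &outer;        // pseudo element generated by #outer
        inner.parent = &outer;
        inner.prevSibling = &before; // pseudo-aware traversal visits ::before before the first child
    }
};

static Scenario& scenario()
{
    static Scenario s;
    return s;
}

// What the caller would see: it only uses candidate->renderer(), so a candidate
// without a renderer is exactly the null pointer that findPlaceForCounter dereferenced.
static std::string describe(const Node* candidate)
{
    if (!candidate)
        return "<none>";
    return candidate->name + (candidate->hasRenderer ? " (renderer)" : " (no renderer)");
}

int main()
{
    auto& s = scenario();
    std::cout << "inner, old:  " << describe(previousSiblingOrParentOld(&s.inner)) << '\n';
    std::cout << "inner, new:  " << describe(previousSiblingOrParentNew(s.inner)) << '\n';
    std::cout << "before, old: " << describe(previousSiblingOrParentOld(&s.before)) << '\n';
    std::cout << "before, new: " << describe(previousSiblingOrParentNew(s.before)) << '\n';
    return 0;
}
```

Starting from #inner both versions agree (the candidate is the rendered #outer::before). The difference shows on the next step, starting from the pseudo element itself: the pre-fix walk stops at #outer, which has no renderer, so the caller ends up holding a null renderer; the fixed walk falls through to #outer's ancestors and returns body.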

Diff

Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (256123 => 256124)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-02-10 13:23:11 UTC (rev 256123)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-02-10 13:23:16 UTC (rev 256124)
@@ -1,3 +1,17 @@
+2020-02-06  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
+        https://bugs.webkit.org/show_bug.cgi?id=207241
+
+        When the pseudo element's host element does not initiate a renderer
+        (e.g. display: contents) we need to look further in the DOM tree 
+        for a previous-sibling-or-parent-element candidate.
+
+        Reviewed by Zalan Bujtas.
+
+        * fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt: Added.
+        * fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html: Added.
+
 2020-02-06  Sukolsak Sakshuwong  <sukol...@gmail.com> and Alexey Shvayka  <shvaikal...@gmail.com>
 
         _javascript_ string corruption using RegExp with unicode character
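Review bot: the line `(e.g. display: contents) we need to look further in the DOM tree` carries trailing whitespace; trim it so the merged entry matches trunk and does not trip the style checker. Minor naming point: the new test files say `display-content-host` while the entry and the CSS value say `display: contents`; `display-contents-host` would match what the test actually exercises.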

Added: releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt (0 => 256124)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash-expected.txt	2020-02-10 13:23:16 UTC (rev 256124)
@@ -0,0 +1 @@
+Tests CSS counter of a pseudo element that has display: contents host. The test passes if WebKit doesn't crash or hit an assertion.

Added: releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html (0 => 256124)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html	2020-02-10 13:23:16 UTC (rev 256124)
@@ -0,0 +1,18 @@
+<style>
+html, body {
+  counter-reset: counter;
+}
+
+#outer {
+  display: contents;
+}
+
+#outer::before {
+  content: "text";
+}
+</style><span id=outer><span id=inner>Tests CSS counter of a pseudo element that has display: contents host. The test passes if WebKit doesn't crash or hit an assertion.</span></span><script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.body.offsetHeight;
+    inner.style.counterIncrement = "counter";
+</script>
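Review bot: the forced layout `document.body.offsetHeight;` before `inner.style.counterIncrement = "counter";` is presumably what makes the counter-increment arrive as a style change on an already-rendered tree instead of during initial attach, which is the path that reaches previousSiblingOrParentElement from a rendered pseudo element with a renderer-less host; a one-line comment saying so would keep a future cleanup from dropping it and silently turning this into a test that no longer covers the crash. Minor: there is no `<!DOCTYPE html>`, so the page renders in quirks mode; harmless for a crash test, but worth making deliberate.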

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (256123 => 256124)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-10 13:23:11 UTC (rev 256123)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-10 13:23:16 UTC (rev 256124)
@@ -1,3 +1,19 @@
+2020-02-06  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.
+        https://bugs.webkit.org/show_bug.cgi?id=207241
+
+        When the pseudo element's host element does not initiate a renderer
+        (e.g. display: contents) we need to look further in the DOM tree 
+        for a previous-sibling-or-parent-element candidate.
+
+        Reviewed by Zalan Bujtas.
+
+        Test: fast/css/counters/findPlaceForCounter-pseudo-element-display-content-host-crash.html
+
+        * rendering/RenderCounter.cpp:
+        (WebCore::previousSiblingOrParentElement):
+
 2020-02-06  Ali Juma  <aj...@chromium.org>
 
         Crash in RenderTableCol::willBeRemovedFromTree()
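Review bot: the entry lists only `(WebCore::previousSiblingOrParentElement)`, but the pointer-to-reference signature change also edits its caller in the second hunk of RenderCounter.cpp; ChangeLog convention is to list every function touched, so add that caller. Also trailing whitespace after `DOM tree`, same as in the LayoutTests entry.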

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/RenderCounter.cpp (256123 => 256124)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/RenderCounter.cpp	2020-02-10 13:23:11 UTC (rev 256123)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/RenderCounter.cpp	2020-02-10 13:23:16 UTC (rev 256124)
@@ -75,23 +75,28 @@
     return renderer.element() ? renderer.element()->parentElement() : nullptr;
 }
 
-static Element* previousSiblingOrParentElement(const Element* element)
+static Element* previousSiblingOrParentElement(const Element& element)
 {
-    auto* previous = ElementTraversal::pseudoAwarePreviousSibling(*element);
-    while (previous && !previous->renderer())
-        previous = ElementTraversal::pseudoAwarePreviousSibling(*previous);
+    if (auto* previous = ElementTraversal::pseudoAwarePreviousSibling(element)) {
+        while (previous && !previous->renderer())
+            previous = ElementTraversal::pseudoAwarePreviousSibling(*previous);
 
-    if (previous)
-        return previous;
+        if (previous)
+            return previous;
+    }
 
-    auto* renderer = element->renderer();
-    if (renderer && renderer->isPseudoElement())
-        return renderer->generatingElement();
-
-    previous = element->parentElement();
-    if (previous && !previous->renderer())
-        previous = previousSiblingOrParentElement(previous);
-    return previous;
+    if (is<PseudoElement>(element)) {
+        auto* hostElement = downcast<PseudoElement>(element).hostElement();
+        ASSERT(hostElement);
+        if (hostElement->renderer())
+            return hostElement;
+        return previousSiblingOrParentElement(*hostElement);
+    }
+    
+    auto* parent = element.parentElement();
+    if (parent && !parent->renderer())
+        parent = previousSiblingOrParentElement(*parent);
+    return parent;
 }
 
 // This function processes the renderer tree in the order of the DOM tree
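Review bot: `ASSERT(hostElement);` followed by an unconditional `hostElement->renderer()` means that in a release build, where ASSERT compiles out, a null host would reproduce the very class of nullptr dereference this patch is fixing; if a PseudoElement reaching this code can ever have had its host cleared, return nullptr for that case (or use RELEASE_ASSERT), and if it cannot, a short comment saying why would help the next reader. Two smaller points: the new outer `if (auto* previous = ElementTraversal::pseudoAwarePreviousSibling(element)) {` block is redundant, since `while (previous && ...)` and `if (previous)` already handle a null start, so the original three lines without the extra nesting read better; and the recursion through `previousSiblingOrParentElement(*hostElement)` and `previousSiblingOrParentElement(*parent)` now also follows display: contents hosts, so stack depth grows with the nesting of renderer-less ancestors, which a loop would avoid. The blank line before `auto* parent = element.parentElement();` also carries trailing whitespace.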
@@ -100,7 +105,7 @@
 {
     ASSERT(renderer.element());
 
-    auto* previous = previousSiblingOrParentElement(renderer.element());
+    auto* previous = previousSiblingOrParentElement(*renderer.element());
     return previous ? previous->renderer() : nullptr;
 }
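Review bot: `ASSERT(renderer.element());` is still followed by an unchecked `*renderer.element()`; behaviour is unchanged from before (the pointer version dereferenced `*element` on its first line as well), but since the point of this patch is a nullptr crash, consider an early `return nullptr` or RELEASE_ASSERT here so that release builds fail loudly instead of dereferencing null.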
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
