Title: [258756] trunk
Revision
258756
Author
[email protected]
Date
2020-03-20 02:27:33 -0700 (Fri, 20 Mar 2020)

Log Message

Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
https://bugs.webkit.org/show_bug.cgi?id=209251
<rdar://problem/60103614>

Patch by Jack Lee <[email protected]> on 2020-03-20
Reviewed by Antti Koivisto.

Source/WebCore:

It’s perfectly fine to call AccessibilityRenderObject::nextSibling on the RenderView (empty document) and since the RenderView has no sibling, let’s just early return with nullptr.

Test: fast/frames/iframe-empty-doc-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::nextSibling const):

LayoutTests:

It’s perfectly fine to call AccessibilityRenderObject::nextSibling on the RenderView (empty document) and since the RenderView has no sibling, let’s just early return with nullptr.

* fast/frames/iframe-empty-doc-crash-expected.txt: Added.
* fast/frames/iframe-empty-doc-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (258755 => 258756)


--- trunk/LayoutTests/ChangeLog	2020-03-20 09:15:53 UTC (rev 258755)
+++ trunk/LayoutTests/ChangeLog	2020-03-20 09:27:33 UTC (rev 258756)
@@ -1,3 +1,16 @@
+2020-03-20  Jack Lee  <[email protected]>
+
+        Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
+        https://bugs.webkit.org/show_bug.cgi?id=209251
+        <rdar://problem/60103614>
+
+        Reviewed by Antti Koivisto.
+
+        It’s perfectly fine to call AccessibilityRenderObject::nextSibling on the RenderView (empty document) and since the RenderView has no sibling, let’s just early return with nullptr. 
+
+        * fast/frames/iframe-empty-doc-crash-expected.txt: Added.
+        * fast/frames/iframe-empty-doc-crash.html: Added.
+
 2020-03-19  Eric Carlson  <[email protected]>
 
         [ Mac WK1 ] REGRESSION (r240537) Layout Test media/video-background-tab-playback.html is a flaky failure
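Review bot: the line ending in "early return with nullptr. " in this ChangeLog entry carries trailing whitespace, while the same sentence in the Source/WebCore entry does not; please strip it so the two entries match and the file stays free of trailing spaces.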

Added: trunk/LayoutTests/fast/frames/iframe-empty-doc-crash-expected.txt (0 => 258756)


--- trunk/LayoutTests/fast/frames/iframe-empty-doc-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/iframe-empty-doc-crash-expected.txt	2020-03-20 09:27:33 UTC (rev 258756)
@@ -0,0 +1,3 @@
+Test moving all elements in iframe. The test passes if WebKit doesn't crash or hit an assertion.
+
+

Added: trunk/LayoutTests/fast/frames/iframe-empty-doc-crash.html (0 => 258756)


--- trunk/LayoutTests/fast/frames/iframe-empty-doc-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/iframe-empty-doc-crash.html	2020-03-20 09:27:33 UTC (rev 258756)
@@ -0,0 +1,9 @@
+<span>Test moving all elements in iframe. The test passes if WebKit doesn't crash or hit an assertion.</span><div id=newParent role="text"><iframe id=subframe></iframe></div>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.body.offsetHeight;
+    subframe.contentWindow.document.execCommand("selectAll", false);
+    newParent.appendChild(subframe.contentWindow.document.getElementsByTagName("HTML")[0]);
+</script>
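Review bot: the test has no completion marker, so if `subframe.contentWindow.document.getElementsByTagName("HTML")[0]` were ever undefined (or `execCommand` threw), the exception would stop the script before `appendChild` and the test would still pass with the same dumped text without exercising the crashing path; consider appending a short "PASS" sentinel after the `appendChild` call and adding it to the expected output, so a regression in the setup is visible. The `<span>` text also says "moving all elements in iframe" while the script moves the subframe's root `<html>` element into `newParent`; stating that precisely would help whoever next reads the test.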

Modified: trunk/Source/WebCore/ChangeLog (258755 => 258756)


--- trunk/Source/WebCore/ChangeLog	2020-03-20 09:15:53 UTC (rev 258755)
+++ trunk/Source/WebCore/ChangeLog	2020-03-20 09:27:33 UTC (rev 258756)
@@ -1,3 +1,18 @@
+2020-03-20  Jack Lee  <[email protected]>
+
+        Nullptr crash in RenderObject::RenderObjectBitfields::isBox when current renderer is the RenderView
+        https://bugs.webkit.org/show_bug.cgi?id=209251
+        <rdar://problem/60103614>
+
+        Reviewed by Antti Koivisto.
+
+        It’s perfectly fine to call AccessibilityRenderObject::nextSibling on the RenderView (empty document) and since the RenderView has no sibling, let’s just early return with nullptr.
+
+        Test: fast/frames/iframe-empty-doc-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::nextSibling const):
+
 2020-03-20  Mike Gorse  <[email protected]>
 
         Fix build with gstreamer 1.12
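Review bot: the entry explains the fix (the RenderView has no sibling, so return nullptr) but not how calling `nextSibling` on the RenderView ended up in `RenderObjectBitfields::isBox` with a null pointer; one sentence naming the pointer that was null on that path would make the ChangeLog self-explanatory for anyone bisecting to this revision later.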

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (258755 => 258756)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2020-03-20 09:15:53 UTC (rev 258755)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2020-03-20 09:27:33 UTC (rev 258756)
@@ -352,7 +352,7 @@
 
 AccessibilityObject* AccessibilityRenderObject::nextSibling() const
 {
-    if (!m_renderer)
+    if (!m_renderer || is<RenderView>(*m_renderer))
         return nullptr;
 
     RenderObject* nextSibling = nullptr;
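Review bot: the guard is correct as written, since `is<RenderView>(*m_renderer)` is only evaluated after the `!m_renderer` check short-circuits on null; the question for this hunk is whether the counterpart sibling accessor (`previousSibling`, if it walks the render tree the same way) needs the same early return, because the RenderView has no previous sibling either and the same null dereference would presumably be reachable there. If it does, fixing both in the same change keeps the two accessors symmetric.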
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes