Title: [122082] trunk
Revision
122082
Author
[email protected]
Date
2012-07-08 21:36:09 -0700 (Sun, 08 Jul 2012)

Log Message

Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
https://bugs.webkit.org/show_bug.cgi?id=90480

Reviewed by Kent Tamura.

Source/WebCore:

If <select> has any insertion point, the attachment phase
unexpectedly creates a renderer for the distributed node and adds it to
the renderer of the <select>, which breaks an assumption and
results in the crash.

This change tightens childShouldCreateRenderer() to forbid
child renderers even from distributed nodes.

There is an exception as always: ValidationMessage can create a
ShadowRoot for <select>, which generates usually-forbidden child
renderers.  This change introduces HTMLFormControlElement::validationMessageContains()
to let these renderers in.

Test: fast/dom/shadow/insertion-point-list-menu-crash.html

* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::validationMessageContains):
(WebCore):
* html/HTMLFormControlElement.h:
(HTMLFormControlElement):
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::childShouldCreateRenderer):
* html/ValidationMessage.cpp:
(WebCore::ValidationMessage::contains):
(WebCore):
* html/ValidationMessage.h:
(WebCore):
(ValidationMessage):

LayoutTests:

* fast/dom/shadow/insertion-point-list-menu-crash-expected.txt: Added.
* fast/dom/shadow/insertion-point-list-menu-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (122081 => 122082)


--- trunk/LayoutTests/ChangeLog	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/LayoutTests/ChangeLog	2012-07-09 04:36:09 UTC (rev 122082)
@@ -1,3 +1,13 @@
+2012-07-05  MORITA Hajime  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
+        https://bugs.webkit.org/show_bug.cgi?id=90480
+
+        Reviewed by Kent Tamura.
+
+        * fast/dom/shadow/insertion-point-list-menu-crash-expected.txt: Added.
+        * fast/dom/shadow/insertion-point-list-menu-crash.html: Added.
+
 2012-07-08  Hayato Ito  <[email protected]>
 
         Unreviewed gardening.

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt (0 => 122082)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt	2012-07-09 04:36:09 UTC (rev 122082)
@@ -0,0 +1,2 @@
+PASS unless crash
+
Property changes on: trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html (0 => 122082)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html	2012-07-09 04:36:09 UTC (rev 122082)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+jsTestIsAsync = true;
+function boom() {
+    var div = document.createElement('div');
+
+    var older = new WebKitShadowRoot(div);
+    older.appendChild(document.createElement('div'));
+    document.documentElement.appendChild(div);
+
+    var younger = new WebKitShadowRoot(div);
+    var select = document.createElement('select');
+    var shadow = document.createElement('shadow');
+    select.appendChild(shadow);
+    younger.appendChild(select);
+
+    testPassed("unless crash");
+    finishJSTest();
+}
+window._onload_ = boom;
+</script>
+</body>
+</html>
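Review bot: as shown, the test cannot report a result even when the crash is fixed: the `<script src=""` line has an empty src and is never closed (no `>` and no `</script>`), yet `jsTestIsAsync`, `testPassed` and `finishJSTest` are provided by the js-test-pre.js/js-test-post.js harness, so without those includes the first call throws a ReferenceError; and `window._onload_ = boom;` assigns a property nothing reads, so `boom` would never run at all. If these are artifacts of how this page was rendered, fine; otherwise restore the harness includes and `window.onload = boom;` before landing. A one-line comment at the top of `boom()` saying what the fixture reproduces (a `<shadow>` insertion point inside a menu-list `<select>` placed in a younger shadow root) would also save the next reader a trip to the bug.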
Property changes on: trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (122081 => 122082)


--- trunk/Source/WebCore/ChangeLog	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/ChangeLog	2012-07-09 04:36:09 UTC (rev 122082)
@@ -1,3 +1,39 @@
+2012-07-05  MORITA Hajime  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
+        https://bugs.webkit.org/show_bug.cgi?id=90480
+
+        Reviewed by Kent Tamura.
+
+        If <select> has any insertion point, the attachment phase
+        unpextedly creates a renderer for distributed node and added to
+        the renderer of the <select>, which breaks an assumption and
+        results the crash.
+
+        This change tighten the childShouldCreateRenderer() to forbid
+        child renderers even from distributed nodes.
+
+        There is an exception as always: ValidationMessage can create a
+        ShadowRoot to <select>, which generates usually-forbidden child
+        renderers.  This change introduces HTMLFormControlElement::validationMessageContains()
+        to let these renderers in.
+
+        Test: fast/dom/shadow/insertion-point-list-menu-crash.html
+
+        * html/HTMLFormControlElement.cpp:
+        (WebCore::HTMLFormControlElement::validationMessageContains):
+        (WebCore):
+        * html/HTMLFormControlElement.h:
+        (HTMLFormControlElement):
+        * html/HTMLSelectElement.cpp:
+        (WebCore::HTMLSelectElement::childShouldCreateRenderer):
+        * html/ValidationMessage.cpp:
+        (WebCore::ValidationMessage::contains):
+        (WebCore):
+        * html/ValidationMessage.h:
+        (WebCore):
+        (ValidationMessage):
+
 2012-07-07  Kwang Yul Seo  <[email protected]>
 
         Remove unnecessary member HTMLTreeBuilder::m_lastScriptElementStartPosition
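Review bot: the function list in this entry names `HTMLFormControlElement::validationMessageContains()` and `ValidationMessage::contains`, but the code in this revision adds `validationMessageShadowTreeContains` and `ValidationMessage::shadowTreeContains`; update the ChangeLog to the names actually landed so the entry stays greppable. While there, the description has "unpextedly" and "results the crash".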

Modified: trunk/Source/WebCore/html/HTMLFormControlElement.cpp (122081 => 122082)


--- trunk/Source/WebCore/html/HTMLFormControlElement.cpp	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/html/HTMLFormControlElement.cpp	2012-07-09 04:36:09 UTC (rev 122082)
@@ -475,6 +475,11 @@
     setNeedsValidityCheck();
 }
 
+bool HTMLFormControlElement::validationMessageShadowTreeContains(Node* node) const
+{
+    return m_validationMessage && m_validationMessage->shadowTreeContains(node);
+}
+
 void HTMLFormControlElement::dispatchBlurEvent(PassRefPtr<Node> newFocusedNode)
 {
     HTMLElement::dispatchBlurEvent(newFocusedNode);

Modified: trunk/Source/WebCore/html/HTMLFormControlElement.h (122081 => 122082)


--- trunk/Source/WebCore/html/HTMLFormControlElement.h	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/html/HTMLFormControlElement.h	2012-07-09 04:36:09 UTC (rev 122082)
@@ -132,6 +132,8 @@
     void setNeedsWillValidateCheck();
     virtual bool recalcWillValidate() const;
 
+    bool validationMessageShadowTreeContains(Node*) const;
+
 private:
     virtual void refFormAssociatedElement() { ref(); }
     virtual void derefFormAssociatedElement() { deref(); }

Modified: trunk/Source/WebCore/html/HTMLSelectElement.cpp (122081 => 122082)


--- trunk/Source/WebCore/html/HTMLSelectElement.cpp	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/html/HTMLSelectElement.cpp	2012-07-09 04:36:09 UTC (rev 122082)
@@ -347,7 +347,11 @@
 
 bool HTMLSelectElement::childShouldCreateRenderer(const NodeRenderingContext& childContext) const
 {
-    return childContext.isOnUpperEncapsulationBoundary() && HTMLFormControlElementWithState::childShouldCreateRenderer(childContext);
+    if (!HTMLFormControlElementWithState::childShouldCreateRenderer(childContext))
+        return false;
+    if (!usesMenuList())
+        return true;
+    return validationMessageShadowTreeContains(childContext.node());
 }
 
 HTMLCollection* HTMLSelectElement::selectedOptions()
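Review bot: the rewrite drops the `isOnUpperEncapsulationBoundary()` condition for both branches, so for a list-box select (`!usesMenuList()`) the function now returns true whenever the base class allows a renderer, which is looser than the old line, not tighter; the ChangeLog only describes the menu-list case. Either state in a comment why the list-box path needs no boundary check, or keep `childContext.isOnUpperEncapsulationBoundary()` in that branch. A short comment above the final `return` explaining that a menu-list select tolerates child renderers only from the validation bubble's shadow tree would make the intent clear to readers who have not seen bug 90480.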

Modified: trunk/Source/WebCore/html/ValidationMessage.cpp (122081 => 122082)


--- trunk/Source/WebCore/html/ValidationMessage.cpp	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/html/ValidationMessage.cpp	2012-07-09 04:36:09 UTC (rev 122082)
@@ -182,6 +182,13 @@
     m_timer->startOneShot(0);
 }
 
+bool ValidationMessage::shadowTreeContains(Node* node) const
+{
+    if (!m_bubble)
+        return false;
+    return m_bubble->treeScope() == node->treeScope();
+}
+
 void ValidationMessage::deleteBubbleTree(Timer<ValidationMessage>*)
 {
     if (m_bubble) {
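Review bot: `shadowTreeContains` dereferences `node` with no null check; the sole caller passes `childContext.node()`, so an `ASSERT(node)` would document that precondition without adding a branch. The check is tree-scope equality rather than ancestor containment, which is correct here because the bubble is rooted in its own ShadowRoot and every node in that root shares its TreeScope, but since the name says "contains", a one-line comment to that effect would stop a later reader from rewriting it as a parent-chain walk. Also worth noting that `m_bubble` stays non-null until the `deleteBubbleTree` timer fires, so a bubble that is being torn down still answers true in the interim; that looks harmless, but it is the kind of window the bug itself was about.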

Modified: trunk/Source/WebCore/html/ValidationMessage.h (122081 => 122082)


--- trunk/Source/WebCore/html/ValidationMessage.h	2012-07-09 04:30:08 UTC (rev 122081)
+++ trunk/Source/WebCore/html/ValidationMessage.h	2012-07-09 04:36:09 UTC (rev 122082)
@@ -41,6 +41,7 @@
 
 class FormAssociatedElement;
 class HTMLElement;
+class Node;
 
 class ValidationMessage {
     WTF_MAKE_NONCOPYABLE(ValidationMessage);
@@ -50,6 +51,7 @@
     String message() const { return m_message; }
     void setMessage(const String&);
     void requestToHideMessage();
+    bool shadowTreeContains(Node*) const;
 
 private:
     ValidationMessage(FormAssociatedElement*);