Title: [140069] trunk
Revision
140069
Author
infe...@chromium.org
Date
2013-01-17 16:22:41 -0800 (Thu, 17 Jan 2013)

Log Message

Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
https://bugs.webkit.org/show_bug.cgi?id=90802

Reviewed by Julien Chaffraix.

Source/WebCore:

Test: fast/multicol/float-not-removed-crash.html

* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::moveChildrenTo):
1. When fullRemoveInsert is True, make sure to clear the
floating objects from our list (similar to positioned objects).
Our children are getting moved to another block and we won't
get notified when they are going away.
2. Remove the redundant hasPositionedObjects check since it
is already done inside removePositionedObjects.

LayoutTests:

* fast/multicol/float-not-removed-crash-expected.txt: Added.
* fast/multicol/float-not-removed-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (140068 => 140069)


--- trunk/LayoutTests/ChangeLog	2013-01-18 00:10:53 UTC (rev 140068)
+++ trunk/LayoutTests/ChangeLog	2013-01-18 00:22:41 UTC (rev 140069)
@@ -1,3 +1,13 @@
+2013-01-17  Abhishek Arya  <infe...@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
+        https://bugs.webkit.org/show_bug.cgi?id=90802
+
+        Reviewed by Julien Chaffraix.
+
+        * fast/multicol/float-not-removed-crash-expected.txt: Added.
+        * fast/multicol/float-not-removed-crash.html: Added.
+
 2013-01-17  Simon Fraser  <simon.fra...@apple.com>
 
         Make it possible for the root background to be painted into its own GraphicsLayer

Added: trunk/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt (0 => 140069)


--- trunk/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/float-not-removed-crash-expected.txt	2013-01-18 00:22:41 UTC (rev 140069)
@@ -0,0 +1,3 @@
+Test passes if it does not crash.
+PASS. WebKit didn't crash.
+

Added: trunk/LayoutTests/fast/multicol/float-not-removed-crash.html (0 => 140069)


--- trunk/LayoutTests/fast/multicol/float-not-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/multicol/float-not-removed-crash.html	2013-01-18 00:22:41 UTC (rev 140069)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<style>
+.class1:nth-child(-n+6) { float: left; padding-bottom: 100px; }
+.class2:nth-child(even) { -webkit-backface-visibility: hidden; -webkit-column-span: all; }
+.class3 { -webkit-column-count: 65536; }
+</style>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function crash() {
+    test1 = document.createElement('div');
+    test2 = document.createElement('div');
+    test3 = document.createElement('div');
+    test3.setAttribute('class', 'class3');
+    document.documentElement.appendChild(test3);
+    test4 = document.createElement('div');
+    test4.setAttribute('class', 'class2');
+    test5 = document.createElement('div');
+    test5.setAttribute('class', 'class1');
+    test6 = document.createElement('div');
+    test7 = document.createElement('i');
+    test8 = document.createTextNode("PASS. WebKit didn't crash.");
+    test6.appendChild(test8);
+    test6.appendChild(test7);
+    test1.appendChild(test6);
+    test3.appendChild(test1);
+    test7.appendChild(test5);
+    document.documentElement.offsetTop;
+    setTimeout('test3.appendChild(test4);', 0);
+    setTimeout('test2.appendChild(test7);', 2);
+    setTimeout('if (window.testRunner) testRunner.notifyDone();', 4);
+}
+
+window._onload_ = crash;
+</script>
+</html>
\ No newline at end of file
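Review bot: `window._onload_ = crash;` on the last script line never fires, because the browser only dispatches `onload`; with `testRunner.waitUntilDone()` already called and `notifyDone()` reachable only from inside `crash()`, the test would hang instead of exercising the float-removal path. It should read `window.onload = crash;` (if the underscores are the mailing-list archive rewriting the committed file rather than the file as landed, the committed test is fine). Minor: the three `setTimeout` calls pass code strings, and function references such as `setTimeout(function() { test3.appendChild(test4); }, 0)` avoid the implicit eval; the `svn:executable` property added below is also not needed on an .html layout test.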
Property changes on: trunk/LayoutTests/fast/multicol/float-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (140068 => 140069)


--- trunk/Source/WebCore/ChangeLog	2013-01-18 00:10:53 UTC (rev 140068)
+++ trunk/Source/WebCore/ChangeLog	2013-01-18 00:22:41 UTC (rev 140069)
@@ -1,3 +1,21 @@
+2013-01-17  Abhishek Arya  <infe...@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
+        https://bugs.webkit.org/show_bug.cgi?id=90802
+
+        Reviewed by Julien Chaffraix.
+
+        Test: fast/multicol/float-not-removed-crash.html
+
+        * rendering/RenderBoxModelObject.cpp:
+        (WebCore::RenderBoxModelObject::moveChildrenTo):
+        1. When fullRemoveInsert is True, make sure to clear the
+        floating objects from our list (similar to positioned objects).
+        Our children are getting moved to another block and we won't
+        get notified when they are going away.
+        2. Remove the redundant hasPositionedObjects check since it
+        is already done inside removePositionedObjects.
+
 2013-01-17  Simon Fraser  <simon.fra...@apple.com>
 
         Make it possible for the root background to be painted into its own GraphicsLayer

Modified: trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp (140068 => 140069)


--- trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp	2013-01-18 00:10:53 UTC (rev 140068)
+++ trunk/Source/WebCore/rendering/RenderBoxModelObject.cpp	2013-01-18 00:22:41 UTC (rev 140069)
@@ -2834,8 +2834,8 @@
     // or when fullRemoveInsert is false.
     if (fullRemoveInsert && isRenderBlock()) {
         RenderBlock* block = toRenderBlock(this);
-        if (block->hasPositionedObjects())
-            block->removePositionedObjects(0);
+        block->removePositionedObjects(0);
+        block->removeFloatingObjects(); 
     }
 
     ASSERT(!beforeChild || toBoxModelObject == beforeChild->parent());
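Review bot: trailing whitespace after `block->removeFloatingObjects();` on the added line; please strip it. On substance, clearing the floating-object list here, before the children are reparented to `toBoxModelObject`, is the right point: once a float's renderer belongs to another block this block is no longer notified of its destruction, so a stale list entry would be a dangling pointer, which is the use-after-free in `checkFloatsInCleanLine` named in the message. Dropping the `hasPositionedObjects()` guard is fine only if `removePositionedObjects(0)` tolerates an empty or absent list, as the ChangeLog asserts; worth a quick check that `removeFloatingObjects()` does the same, since it is now called unconditionally as well.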
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
