Changeset 111439 in webkit

Timestamp:

Mar 20, 2012 2:31:46 PM (12 years ago)

Author:

robert@webkit.org

Message:

Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
​https://bugs.webkit.org/show_bug.cgi?id=81276

Reviewed by David Hyatt.

Source/WebCore:

Test: fast/css/relative-positioned-block-crash.html

​https://trac.webkit.org/changeset/108185/ allowed anonymous blocks to get their own layer (when they're
relatively positioned). This broke the dependency in addContinuationWithOutline() on the owner of the continuation
table and the renderer getting added to it always being in the same layer. When they're not in the same layer
there's no guarantee that the owner of the continuation table will get painted again and so avoid any stale pointers
in its continuation table should any of the renderers in there get destroyed.

Fix this for now by only adding renderers to the containing block's continuation table if we don't have our own layer.
This fix causes fast/inline/continuation-outlines-with-layers.html to regress as it uses blocks inside relatively positioned
inlines, so skip it on all platforms pending a medium-term fix.

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::paintObject):

LayoutTests:

• fast/css/relative-positioned-block-crash-expected.txt: Added.
• fast/css/relative-positioned-block-crash.html: Added.
• platform/chromium/test_expectations.txt: Skip fast/inline/continuation-outlines-with-layers.html for now.
• platform/gtk/Skipped: ditto
• platform/mac/Skipped: ditto
• platform/qt/Skipped: ditto
• platform/win/Skipped: ditto

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/relative-positioned-block-crash-expected.txt (added)
• LayoutTests/fast/css/relative-positioned-block-crash.html (added)
• LayoutTests/platform/chromium/test_expectations.txt (modified) (1 diff)
• LayoutTests/platform/gtk/Skipped (modified) (1 diff)
• LayoutTests/platform/mac/Skipped (modified) (1 diff)
• LayoutTests/platform/qt/Skipped (modified) (1 diff)
• LayoutTests/platform/win/Skipped (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBlock.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-03-20  Robert Hogan  <robert@webkit.org>
+
+        Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
+        https://bugs.webkit.org/show_bug.cgi?id=81276
+
+        Reviewed by David Hyatt.
+
+        * fast/css/relative-positioned-block-crash-expected.txt: Added.
+        * fast/css/relative-positioned-block-crash.html: Added.
+        * platform/chromium/test_expectations.txt: Skip fast/inline/continuation-outlines-with-layers.html for now.
+        * platform/gtk/Skipped: ditto
+        * platform/mac/Skipped: ditto
+        * platform/qt/Skipped: ditto
+        * platform/win/Skipped: ditto
+
 2012-03-20  Dan Bernstein  <mitz@apple.com>
 

trunk/LayoutTests/platform/chromium/test_expectations.txt

@@ -3950 +3950 @@
 
 BUGWK81638 SNOWLEOPARD DEBUG : editing/selection/iframe.html = IMAGE PASS
+
+// Allowed to regress to fix a crash. 
+BUGWK81276 WIN LINUX: fast/inline/continuation-outlines-with-layers.html = IMAGE

trunk/LayoutTests/platform/gtk/Skipped

@@ -1602 +1602 @@
 # https://bugs.webkit.org/show_bug.cgi?id=43022
 tables/mozilla_expected_failures/bugs/bug85016.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash. 
+fast/inline/continuation-outlines-with-layers.html

trunk/LayoutTests/platform/mac/Skipped

@@ -604 +604 @@
 fast/workers/storage/use-same-database-in-page-and-workers.html
 
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash. 
+fast/inline/continuation-outlines-with-layers.html

trunk/LayoutTests/platform/qt/Skipped

@@ -2765 +2765 @@
 editing/selection/move-by-word-visually-textarea.html
 editing/selection/move-by-word-visually-wrong-left-right.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash. 
+fast/inline/continuation-outlines-with-layers.html

trunk/LayoutTests/platform/win/Skipped

@@ -1857 +1857 @@
 # https://bugs.webkit.org/show_bug.cgi?id=43022
 tables/mozilla_expected_failures/bugs/bug85016.html
+
+# https://bugs.webkit.org/show_bug.cgi?id=81276
+# Allowed to regress to fix a crash. 
+fast/inline/continuation-outlines-with-layers.html

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-03-20  Robert Hogan  <robert@webkit.org>
+
+        Use-after-free of continuation in RenderBlock::paintContinuationOutlines()
+        https://bugs.webkit.org/show_bug.cgi?id=81276
+
+        Reviewed by David Hyatt.
+
+        Test: fast/css/relative-positioned-block-crash.html
+
+        https://trac.webkit.org/changeset/108185/ allowed anonymous blocks to get their own layer (when they're
+        relatively positioned). This broke the dependency in addContinuationWithOutline() on the owner of the continuation
+        table and the renderer getting added to it always being in the same layer. When they're not in the same layer
+        there's no guarantee that the owner of the continuation table will get painted again and so avoid any stale pointers
+        in its continuation table should any of the renderers in there get destroyed.
+
+        Fix this for now by only adding renderers to the containing block's continuation table if we don't have our own layer.
+        This fix causes fast/inline/continuation-outlines-with-layers.html to regress as it uses blocks inside relatively positioned
+        inlines, so skip it on all platforms pending a medium-term fix.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::paintObject):
+
 2012-03-20  Adele Peterson  <adele@apple.com>
 

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -2926 +2926 @@
     if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
         RenderInline* inlineCont = inlineElementContinuation();
-        if (inlineCont && inlineCont->hasOutline() && inlineCont->style()->visibility() == VISIBLE) {
+        // FIXME: For now, do not add continuations for outline painting by our containing block if we are a relative positioned
+        // anonymous block (i.e. have our own layer). This is because a block depends on renderers in its continuation table being
+        // in the same layer. 
+        if (inlineCont && inlineCont->hasOutline() && inlineCont->style()->visibility() == VISIBLE && !hasLayer()) {
             RenderInline* inlineRenderer = toRenderInline(inlineCont->node()->renderer());
             RenderBlock* cb = containingBlock();