Changeset 115458 in webkit

Timestamp:

Apr 27, 2012 11:44:03 AM (12 years ago)

Author:

jchaffraix@webkit.org

Message:

NULL-deref in RenderBox::clippedOverflowRectForRepaint
​https://bugs.webkit.org/show_bug.cgi?id=84774

Reviewed by Tony Chang.

Source/WebCore:

Test: fast/inline/crash-new-continuation-with-outline.html

The bug comes from trying to repaint the :after content as part of updateBeforeAfterContent.
The repainting logic would query the yet-to-be-inserted continuation(). Then we would crash in
RenderBox::clippedOverflowRectForRepaint as we didn't have an enclosingLayer() (which any
RenderObject in the tree will have).

The fix is to check in RenderInline::clippedOverflowRectForRepaint that our continuation()
is properly inserted in the tree. We could check that it isRooted() but it's an overkill here.

• rendering/RenderInline.cpp:

(WebCore::RenderInline::clippedOverflowRectForRepaint):

LayoutTests:

• fast/inline/crash-new-continuation-with-outline-expected.txt: Added.
• fast/inline/crash-new-continuation-with-outline.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt (added)
• LayoutTests/fast/inline/crash-new-continuation-with-outline.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderInline.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-04-27  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        NULL-deref in RenderBox::clippedOverflowRectForRepaint
+        https://bugs.webkit.org/show_bug.cgi?id=84774
+
+        Reviewed by Tony Chang.
+
+        * fast/inline/crash-new-continuation-with-outline-expected.txt: Added.
+        * fast/inline/crash-new-continuation-with-outline.html: Added.
+
 2012-04-27  Dirk Pranke  <dpranke@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-04-27  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        NULL-deref in RenderBox::clippedOverflowRectForRepaint
+        https://bugs.webkit.org/show_bug.cgi?id=84774
+
+        Reviewed by Tony Chang.
+
+        Test: fast/inline/crash-new-continuation-with-outline.html
+
+        The bug comes from trying to repaint the :after content as part of updateBeforeAfterContent.
+        The repainting logic would query the yet-to-be-inserted continuation(). Then we would crash in
+        RenderBox::clippedOverflowRectForRepaint as we didn't have an enclosingLayer() (which any
+        RenderObject in the tree will have).
+
+        The fix is to check in RenderInline::clippedOverflowRectForRepaint that our continuation()
+        is properly inserted in the tree. We could check that it isRooted() but it's an overkill here.
+
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::clippedOverflowRectForRepaint):
+
 2012-04-27  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/rendering/RenderInline.cpp

@@ -1059 +1059 @@
         }
 
-        if (continuation() && !continuation()->isInline()) {
+        if (continuation() && !continuation()->isInline() && continuation()->parent()) {
             LayoutRect contRect = continuation()->rectWithOutlineForRepaint(repaintContainer, ow);
             r.unite(contRect);