Changeset 160979 in webkit

Timestamp:

Dec 22, 2013 10:15:41 AM (10 years ago)

Author:

mihnea@adobe.com

Message:

[CSSRegions] Crash when trying to select content from invalid region
​https://bugs.webkit.org/show_bug.cgi?id=126113

Reviewed by Antti Koivisto.

Source/WebCore:

After fix for ​https://bugs.webkit.org/show_bug.cgi?id=120769, positionForPoint for a region attempts to use the associated named flow to perform its task.
However, this should happen only when the region is valid. If the region is invalid, part of a dependency cycle, positionForPoint should behave as usual
for a block instead of a region, otherwise it may run into an infinite loop due to cyclic dependencies and a crash will occur.

This patch ensures that positionForPoint region specifie behaviour is followed only if the region is valid - not part of a dependency cycle.

Test: fast/regions/selection/invalid-region-selection-crash.html

• rendering/RenderRegion.cpp:

(WebCore::RenderRegion::positionForPoint):

LayoutTests:

• fast/regions/selection/invalid-region-selection-crash-expected.txt: Added.
• fast/regions/selection/invalid-region-selection-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/regions/selection/invalid-region-selection-crash-expected.txt (added)
• LayoutTests/fast/regions/selection/invalid-region-selection-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderRegion.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-12-22  Mihnea Ovidenie  <mihnea@adobe.com>
+
+        [CSSRegions] Crash when trying to select content from invalid region
+        https://bugs.webkit.org/show_bug.cgi?id=126113
+
+        Reviewed by Antti Koivisto.
+
+        * fast/regions/selection/invalid-region-selection-crash-expected.txt: Added.
+        * fast/regions/selection/invalid-region-selection-crash.html: Added.
+
 2013-12-22  Mihnea Ovidenie  <mihnea@adobe.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-12-22  Mihnea Ovidenie  <mihnea@adobe.com>
+
+        [CSSRegions] Crash when trying to select content from invalid region
+        https://bugs.webkit.org/show_bug.cgi?id=126113
+
+        Reviewed by Antti Koivisto.
+
+        After fix for https://bugs.webkit.org/show_bug.cgi?id=120769, positionForPoint for a region attempts to use the associated named flow to perform its task.
+        However, this should happen only when the region is valid. If the region is invalid, part of a dependency cycle, positionForPoint should behave as usual
+        for a block instead of a region, otherwise it may run into an infinite loop due to cyclic dependencies and a crash will occur.
+
+        This patch ensures that positionForPoint region specifie behaviour is followed only if the region is valid - not part of a dependency cycle.
+
+        Test: fast/regions/selection/invalid-region-selection-crash.html
+
+        * rendering/RenderRegion.cpp:
+        (WebCore::RenderRegion::positionForPoint):
+
 2013-12-21  Dirk Schulze  <krit@webkit.org>
 

trunk/Source/WebCore/rendering/RenderRegion.cpp

@@ -113 +113 @@
 VisiblePosition RenderRegion::positionForPoint(const LayoutPoint& point)
 {
-    if (!m_flowThread->firstChild()) // checking for empty region blocks.
+    ASSERT(m_flowThread);
+    if (!isValid() || !m_flowThread->firstChild()) // checking for empty region blocks.
         return RenderBlock::positionForPoint(point);