Changeset 204620 in webkit

Timestamp:

Aug 18, 2016 6:01:47 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

Binding NULL pointer to reference in WebCore::RenderObject
​https://bugs.webkit.org/show_bug.cgi?id=160830

Patch by Jonathan Bedard <Jonathan Bedard> on 2016-08-18
Reviewed by Myles C. Maxfield.

No new tests needed, existing functionality not changed.

Fixes a dereferenced NULL pointer bound to a reference through a minor re-factor.

• rendering/InlineIterator.h:

(WebCore::InlineIterator::clear): Explicit clear occurs, instead of a call to moveTo.
(WebCore::InlineIterator::moveToStartOf): Swapped pointer for reference.
(WebCore::InlineIterator::moveTo): Swapped pointer for reference.
(WebCore::InlineIterator::increment): Explicitly call clear for clarity.

• rendering/line/BreakingContext.h:

(WebCore::BreakingContext::commitLineBreakClear): Commit a line break and clear the iterator.
(WebCore::BreakingContext::commitLineBreakAtCurrentWidth): Swapped pointer for reference.
(WebCore::BreakingContext::InlineIteratorHistory::moveTo): Swapped pointer for reference.
(WebCore::BreakingContext::increment): Explicitly call clear for clarity.
(WebCore::BreakingContext::handleBR): Swapped pointer for passed reference.
(WebCore::BreakingContext::handleReplaced): Explicitly call clear for clarity.
(WebCore::tryHyphenating): Swapped pointer for passed reference.
(WebCore::BreakingContext::handleText): Replaced all render object passing with references. Note that the caller explicitly checks if m_current.renderer() exists before calling this function.
(WebCore::BreakingContext::commitAndUpdateLineBreakIfNeeded): Explicitly call clear for clarity.
(WebCore::BreakingContext::handleEndOfLine): Explicitly call clear for clarity.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• rendering/InlineIterator.h (modified) (2 diffs)
• rendering/line/BreakingContext.h (modified) (14 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-18  Jonathan Bedard  <jbedard@apple.com>
+
+        Binding NULL pointer to reference in WebCore::RenderObject
+        https://bugs.webkit.org/show_bug.cgi?id=160830
+
+        Reviewed by Myles C. Maxfield.
+
+        No new tests needed, existing functionality not changed.
+
+        Fixes a dereferenced NULL pointer bound to a reference through a minor re-factor.
+
+        * rendering/InlineIterator.h:
+        (WebCore::InlineIterator::clear): Explicit clear occurs, instead of a call to moveTo.
+        (WebCore::InlineIterator::moveToStartOf): Swapped pointer for reference.
+        (WebCore::InlineIterator::moveTo): Swapped pointer for reference.
+        (WebCore::InlineIterator::increment): Explicitly call clear for clarity.
+        * rendering/line/BreakingContext.h:
+        (WebCore::BreakingContext::commitLineBreakClear): Commit a line break and clear the iterator.
+        (WebCore::BreakingContext::commitLineBreakAtCurrentWidth): Swapped pointer for reference.
+        (WebCore::BreakingContext::InlineIteratorHistory::moveTo): Swapped pointer for reference.
+        (WebCore::BreakingContext::increment): Explicitly call clear for clarity.
+        (WebCore::BreakingContext::handleBR): Swapped pointer for passed reference.
+        (WebCore::BreakingContext::handleReplaced): Explicitly call clear for clarity.
+        (WebCore::tryHyphenating): Swapped pointer for passed reference.
+        (WebCore::BreakingContext::handleText): Replaced all render object passing with references.  Note that the caller explicitly checks if m_current.renderer() exists before calling this function.
+        (WebCore::BreakingContext::commitAndUpdateLineBreakIfNeeded): Explicitly call clear for clarity.
+        (WebCore::BreakingContext::handleEndOfLine): Explicitly call clear for clarity.
+
 2016-08-18  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/rendering/InlineIterator.h

@@ -65 +65 @@
     }
 
-    void clear() { moveTo(nullptr, 0); }
-
-    void moveToStartOf(RenderObject* object)
+    void clear()
+    {
+        setRenderer(nullptr);
+        setOffset(0);
+        setNextBreakablePosition(-1);
+    }
+    void moveToStartOf(RenderObject& object)
     {
         moveTo(object, 0);
     }
 
-    void moveTo(RenderObject* object, unsigned offset, Optional<unsigned> nextBreak = Nullopt)
-    {
-        setRenderer(object);
+    void moveTo(RenderObject& object, unsigned offset, Optional<unsigned> nextBreak = Optional<unsigned>())
+    {
+        setRenderer(&object);
         setOffset(offset);
         setNextBreakablePosition(nextBreak);
@@ -398 +402 @@
             return;
     }
-    // bidiNext can return nullptr, so use moveTo instead of moveToStartOf
-    moveTo(bidiNextSkippingEmptyInlines(*m_root, m_renderer, resolver), 0);
+    // bidiNext can return nullptr
+    RenderObject* bidiNext = bidiNextSkippingEmptyInlines(*m_root, m_renderer, resolver);
+    if (bidiNext)
+        moveToStartOf(*bidiNext);
+    else
+        clear();
 }
 

trunk/Source/WebCore/rendering/line/BreakingContext.h

@@ -167 +167 @@
     }
 
-    void commitLineBreakAtCurrentWidth(RenderObject& object, unsigned offset = 0, Optional<unsigned> nextBreak = Nullopt)
+    void commitLineBreakClear()
     {
         m_width.commit();
-        m_lineBreakHistory.moveTo(&object, offset, nextBreak);
+        m_lineBreakHistory.clear();
+        m_hangsAtEnd = false;
+    }
+
+    void commitLineBreakAtCurrentWidth(RenderObject& object, unsigned offset = 0, Optional<unsigned> nextBreak = Optional<unsigned>())
+    {
+        m_width.commit();
+        m_lineBreakHistory.moveTo(object, offset, nextBreak);
         m_hangsAtEnd = false;
     }
@@ -211 +218 @@
         size_t historyLength() const { return this->size(); }
 
-        void moveTo(RenderObject* object, unsigned offset, Optional<unsigned> nextBreak = Nullopt)
+        void moveTo(RenderObject& object, unsigned offset, Optional<unsigned> nextBreak = Nullopt)
         {
             push([&](InlineIterator& modifyMe) {
@@ -327 +334 @@
         m_currentCharacterIsSpace = false;
 
-    m_current.moveToStartOf(m_nextObject);
+    if (m_nextObject)
+        m_current.moveToStartOf(*m_nextObject);
+    else
+        m_current.clear();
     m_atStart = false;
 }
@@ -336 +346 @@
         RenderObject& br = *m_current.renderer();
         m_lineBreakHistory.push([&](InlineIterator& modifyMe) {
-            modifyMe.moveToStartOf(&br);
+            modifyMe.moveToStartOf(br);
             modifyMe.increment();
         });
@@ -534 +544 @@
     if (((m_autoWrap || RenderStyle::autoWrap(m_lastWS)) && (!m_current.renderer()->isImage() || m_allowImagesToBreak)
         && (!m_current.renderer()->isRubyRun() || downcast<RenderRubyRun>(m_current.renderer())->canBreakBefore(m_renderTextInfo.lineBreakIterator))) || replacedBox.isAnonymousInlineBlock()) {
-        commitLineBreakAtCurrentWidth(*m_current.renderer());
+        if (auto* renderer = m_current.renderer())
+            commitLineBreakAtCurrentWidth(*renderer);
+        else
+            commitLineBreakClear();
         if (m_width.committedWidth() && replacedBox.isAnonymousInlineBlock()) {
             // Always force a break before an anonymous inline block if there is content on the line
@@ -714 +727 @@
 #endif
 
-    lineBreak.moveTo(&text, lastSpace + prefixLength, nextBreakable);
+    lineBreak.moveTo(text, lastSpace + prefixLength, nextBreakable);
     hyphenated = true;
 }
@@ -750 +763 @@
         m_appliedStartWidth = false;
 
-    RenderText& renderText = downcast<RenderText>(*m_current.renderer());
+    RenderObject& renderObject = *m_current.renderer();
+    RenderText& renderText = downcast<RenderText>(renderObject);
 
     bool isSVGText = renderText.isSVGInlineText();
@@ -932 +946 @@
                         lineWasTooWide = true;
                         m_lineBreakHistory.push([&](InlineIterator& modifyMe) {
-                            modifyMe.moveTo(m_current.renderer(), m_current.offset(), m_current.nextBreakablePosition());
+                            modifyMe.moveTo(renderObject, m_current.offset(), m_current.nextBreakablePosition());
                             m_lineBreaker.skipTrailingWhitespace(modifyMe, m_lineInfo);
                         });
@@ -1009 +1023 @@
                 if (!stoppedIgnoringSpaces && m_current.offset())
                     ensureCharacterGetsLineBox(m_lineWhitespaceCollapsingState, m_current);
-                commitLineBreakAtCurrentWidth(*m_current.renderer(), m_current.offset(), m_current.nextBreakablePosition());
+                commitLineBreakAtCurrentWidth(renderObject, m_current.offset(), m_current.nextBreakablePosition());
                 m_lineBreakHistory.increment();
                 m_lineInfo.setPreviousLineBrokeCleanly(true);
@@ -1016 +1030 @@
 
             if (m_autoWrap && betweenWords) {
-                commitLineBreakAtCurrentWidth(*m_current.renderer(), m_current.offset(), m_current.nextBreakablePosition());
+                commitLineBreakAtCurrentWidth(renderObject, m_current.offset(), m_current.nextBreakablePosition());
                 wrapW = 0;
                 // Auto-wrapping text should not wrap in the middle of a word once it has had an
@@ -1026 +1040 @@
                 // Remember this as a breakable position in case
                 // adding the end width forces a break.
-                m_lineBreakHistory.moveTo(m_current.renderer(), m_current.offset(), m_current.nextBreakablePosition());
+                m_lineBreakHistory.moveTo(renderObject, m_current.offset(), m_current.nextBreakablePosition());
                 midWordBreak &= (breakWords || breakAll);
             }
@@ -1086 +1100 @@
         if (!m_currentCharacterIsWS && previousCharacterIsWS) {
             if (m_autoWrap && m_currentStyle->breakOnlyAfterWhiteSpace())
-                m_lineBreakHistory.moveTo(m_current.renderer(), m_current.offset(), m_current.nextBreakablePosition());
+                m_lineBreakHistory.moveTo(renderObject, m_current.offset(), m_current.nextBreakablePosition());
         }
 
@@ -1224 +1238 @@
     if (!m_current.renderer()->isFloatingOrOutOfFlowPositioned()) {
         m_lastObject = m_current.renderer();
-        if (m_lastObject->isReplaced() && m_autoWrap && !m_lastObject->isRubyRun() && (!m_lastObject->isImage() || m_allowImagesToBreak) && (!is<RenderListMarker>(*m_lastObject) || downcast<RenderListMarker>(*m_lastObject).isInside()))
-            commitLineBreakAtCurrentWidth(*m_nextObject);
+        if (m_lastObject->isReplaced() && m_autoWrap && !m_lastObject->isRubyRun() && (!m_lastObject->isImage() || m_allowImagesToBreak) && (!is<RenderListMarker>(*m_lastObject) || downcast<RenderListMarker>(*m_lastObject).isInside())) {
+            if (m_nextObject)
+                commitLineBreakAtCurrentWidth(*m_nextObject);
+            else
+                commitLineBreakClear();
+        }
     }
 }
@@ -1258 +1276 @@
         if (!m_lineBreakHistory.renderer() || !m_lineBreakHistory.renderer()->isBR()) {
             // we just add as much as possible
-            if (m_blockStyle.whiteSpace() == PRE && !m_current.offset())
-                commitLineBreakAtCurrentWidth(*m_lastObject, m_lastObject->isText() ? m_lastObject->length() : 0);
+            if (m_blockStyle.whiteSpace() == PRE && !m_current.offset()) {
+                if (m_lastObject)
+                    commitLineBreakAtCurrentWidth(*m_lastObject, m_lastObject->isText() ? m_lastObject->length() : 0);
+                else
+                    commitLineBreakClear();
+            }
             else if (m_lineBreakHistory.renderer()) {
                 // Don't ever break in the middle of a word if we can help it.