Changeset 274645 in webkit


Timestamp:
Mar 18, 2021 7:44:01 AM (3 years ago)
Author:
commit-queue@webkit.org
Message:

Nullptr crash in RenderStyle::shapeOutside()
https://bugs.webkit.org/show_bug.cgi?id=221382

Patch by Frédéric Wang <fwang@igalia.com> on 2021-03-18
Reviewed by Zalan Bujtas.

Source/WebCore:

Before bug 223041, it was possible to get dangling WeakPtr m_renderer on FloatingObject. This
patch adds debug ASSERT and more regression tests.

Tests: fast/block/float/float-pseudo-element-not-removed-crash.html
       fast/block/float/float-pseudo-element-not-removed-2-crash.html

  • rendering/FloatingObjects.h: add nullcheck ASSERT for debug builds.

LayoutTests:

Add regression tests.

  • fast/block/float/float-pseudo-element-not-removed-crash-expected.txt: Added.
  • fast/block/float/float-pseudo-element-not-removed-crash.html: Added.
  • fast/block/float/float-pseudo-element-not-removed-crash2-expected.txt: Added.
  • fast/block/float/float-pseudo-element-not-removed-crash2.html: Added.
Location:
trunk
Files:
4 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r274644 r274645  
     12021-03-18  Frédéric Wang  <fwang@igalia.com>
     2
     3        Nullptr crash in RenderStyle::shapeOutside()
     4        https://bugs.webkit.org/show_bug.cgi?id=221382
     5
     6        Reviewed by Zalan Bujtas.
     7
     8        Add regression tests.
     9
     10        * fast/block/float/float-pseudo-element-not-removed-crash-expected.txt: Added.
     11        * fast/block/float/float-pseudo-element-not-removed-crash.html: Added.
     12        * fast/block/float/float-pseudo-element-not-removed-crash2-expected.txt: Added.
     13        * fast/block/float/float-pseudo-element-not-removed-crash2.html: Added.
     14
    1152021-03-18  Imanol Fernandez  <ifernandez@igalia.com>
    216
  • trunk/Source/WebCore/ChangeLog

    r274644 r274645  
     12021-03-18  Frédéric Wang  <fwang@igalia.com>
     2
     3        Nullptr crash in RenderStyle::shapeOutside()
     4        https://bugs.webkit.org/show_bug.cgi?id=221382
     5
     6        Reviewed by Zalan Bujtas.
     7
     8        Before bug 223041, it was possible to get dangling WeakPtr m_renderer on FloatingObject. This
     9        patch adds debug ASSERT and more regression tests.
     10
     11        Tests: fast/block/float/float-pseudo-element-not-removed-crash.html
     12               fast/block/float/float-pseudo-element-not-removed-2-crash.html
     13
     14        * rendering/FloatingObjects.h: add nullcheck ASSERT for debug builds.
     15
    1162021-03-18  Imanol Fernandez  <ifernandez@igalia.com>
    217
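Review bot: The Tests: entry on lines 11-12 of this hunk names float-pseudo-element-not-removed-2-crash.html, but the LayoutTests ChangeLog in this same changeset adds float-pseudo-element-not-removed-crash2.html. The two names should agree, so the Tests: line should be corrected to the file that is actually added.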
  • trunk/Source/WebCore/rendering/FloatingObjects.h

    r273210 r274645  
    5050
    5151    Type type() const { return static_cast<Type>(m_type); }
    52     RenderBox& renderer() const { return *m_renderer; }
     52    RenderBox& renderer() const { ASSERT(m_renderer); return *m_renderer; }
    5353
    5454    bool isPlaced() const { return m_isPlaced; }
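Review bot: ASSERT(m_renderer) on line 52 compiles out of release builds, so if the WeakPtr is ever null there the accessor still evaluates *m_renderer and dereferences null. The message says the dangling case was possible only before bug 223041; if that fix is the sole guarantee, note it in a comment next to the assert, or use RELEASE_ASSERT if a null here should also stop a release build.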
     
    175175
    176176private:
    177     const RenderBlockFlow& renderer() const { return *m_renderer; }
     177    const RenderBlockFlow& renderer() const { ASSERT(m_renderer); return *m_renderer; }
    178178    void computePlacedFloatsTree();
    179179    const FloatingObjectTree* placedFloatsTree();
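Review bot: The accessor on line 177 returns const RenderBlockFlow& from a private section, so it guards a different m_renderer than the FloatingObject one the ChangeLog describes. The entry "add nullcheck ASSERT for debug builds" should say whether this pointer could also dangle before bug 223041 or whether the assert here is purely defensive, because the message does not state that either added test exercises it.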